744 Implementing the IBM Storwize V5000 Gen2 with IBM Spectrum Virtualize V8.1
13.1 Planning for encryption
Data at-rest encryption is a powerful tool that can help organizations protect the confidentiality
of sensitive information. However, encryption, like any other tool, needs to be used correctly to
fulfill its purpose.
There are multiple drivers for an organization to implement data at-rest encryption. These can
be internal, such as protection of confidential company data and ease of storage sanitization,
or external, such as compliance with legal requirements or contractual obligations.
Therefore, before configuring encryption on the storage, the organization should define its
needs and, if it is decided that data at-rest encryption is a required measure, include it in the
security policy. Without a defined purpose for the particular implementation of data at-rest
encryption, it would be difficult or impossible to choose the best approach to implementing
encryption and to verify whether the implementation meets the set goals.
The following items may be worth considering during the design of a solution that
includes data at-rest encryption:
Legal requirements
Contractual obligations
Organization's security policy
Attack vectors
Expected resources of an attacker
Encryption key management
Physical security
There are multiple regulations that mandate data at-rest encryption, from processing of
Sensitive Personal Information to guidelines of the Payment Card Industry. If there are any
regulatory or contractual obligations that govern the data that will be held on the storage
system, they often provide a wide and detailed range of requirements and characteristics that
need to be realized by that system. Apart from mandating data at-rest encryption, these
documents may contain requirements concerning encryption key management.
Another document which should be consulted when planning data at-rest encryption is the
organization’s security policy.
The final outcome of a data at-rest encryption planning session should be answers to three
questions:
1. What are the goals that the organization wants to realize using data at-rest encryption?
2. How will data at-rest encryption be implemented?
3. How can it be demonstrated that the proposed solution realizes the set goals?
13.2 Defining encryption of data at-rest
Encryption is the process of encoding data so that only authorized parties can read it. Secret
keys are used to encode the data according to well-known algorithms.
Encryption of data at-rest as implemented in IBM Spectrum Virtualize is defined by the
following characteristics:
Data at-rest means that the data is encrypted on the end device (drives).
The algorithm that is used is the Advanced Encryption Standard (AES), a US government
standard from 2001.