Encryption key management worries loom

Encrypted storage will require storage admins to think through key management

Some key management systems also store the keys in hardware-based secure modules rather than in software.

Encryption in practice

Scott Chandler is on the cutting edge of the storage encryption trend, but being a pioneer isn't too painful.

Chandler is a systems engineer at Adheris Inc., a Burlington, Mass. firm that delivers customized reminders to help ensure patients take their medication and manage their diseases properly. He is using a Spectra T120 tape library from Spectra Logic Corp. to encrypt data backups so that Adheris meets the patient privacy requirements of HIPAA (the Health Insurance Portability and Accountability Act).

As for the keys that control the encryption and decryption of the data, "there really isn't a lot to manage," says Chandler. "Once encryption was set up on the library, we exported copies of the key which are stored in secure locations and may be accessed in the event of a disaster."

Until recently, says Moulds, many organizations stored keys "on bits of paper locked away in a safe" and updated and changed encryption keys on servers manually. This becomes more expensive as a company's use of encryption spreads, and it makes it far harder to prove that the proper changes were made and that keys were destroyed at the end of their useful lives. In some cases, says Moulds, the reduction in manual effort alone can justify the cost of an enterprise-wide key management system.

Some vendors get around the need to exchange or manage keys by storing encrypted keys on the tape drive itself. Seagate's FDE technology stores the encryption key on the hard drive, which it says also eliminates the need to "escrow" the key in a safe location. Sun stores keys within its Key Management Station, a secure and dedicated workstation.

Given the number of highly publicized cases where backup tapes have been lost or stolen, tape is a logical first choice to deploy encryption. The challenge comes, says Moulds, "when you recover (the data). How do you figure out which key goes with which tape?" nCipher sells its keyAuthority Management Server along with IBM's Encryption Key Manager because the IBM software "does a good job of associating keys with tape, but it's not a good system for managing the keys themselves," Moulds says.

One of the challenges of key management is linking the keys with the identities of the users who are eligible to access them, says Greg Schulz, founder and senior analyst at The StorageIO Group, an industry analyst and consulting firm in Stillwater, Minn.
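The three problems raised above, which key goes with which tape, how to prove a key was destroyed at the end of its life, and which users are eligible to use a key, are all questions about the metadata kept alongside the key rather than about the cipher. The Python sketch below is an added example, not code from the article or from any of the vendors it names; the class name KeyRegistry, the lifecycle states, the tape label "TAPE0001" and the principal names are all invented for illustration, and no real encryption is performed.

```python
"""Key-to-tape association, key lifecycle and access eligibility in one
small in-memory registry.

Constructed example (not from the article or any vendor product). The
class name KeyRegistry, the state names, tape labels and principals are
invented. Key material is generated and held in memory only; the point is
the record-keeping around the key, not the encryption itself.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

ACTIVE, RETIRED, DESTROYED = "active", "retired", "destroyed"
# Permitted lifecycle moves. A destroyed key never comes back.
TRANSITIONS = {ACTIVE: {RETIRED, DESTROYED}, RETIRED: {DESTROYED}, DESTROYED: set()}


@dataclass
class KeyRecord:
    key_id: str
    tape_label: str
    state: str = ACTIVE
    material: Optional[bytes] = None
    allowed: Set[str] = field(default_factory=set)  # principals eligible to use the key
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (utc time, event, actor)


class KeyRegistry:
    def __init__(self) -> None:
        self._by_id: Dict[str, KeyRecord] = {}
        self._by_tape: Dict[str, str] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def create_key_for_tape(self, tape_label: str, actor: str) -> str:
        """Generate a fresh 256-bit key and bind it to exactly one tape label."""
        if tape_label in self._by_tape:
            raise ValueError(f"{tape_label} already has a key")
        material = secrets.token_bytes(32)
        # The key ID is a fingerprint of the material: it can be written into the
        # tape header so a restore can look the key up without exposing the key.
        key_id = hashlib.sha256(material).hexdigest()[:16]
        rec = KeyRecord(key_id, tape_label, material=material)
        rec.history.append((self._now(), "created", actor))
        self._by_id[key_id] = rec
        self._by_tape[tape_label] = key_id
        return key_id

    def grant(self, key_id: str, principal: str, actor: str) -> None:
        """Record that a principal is eligible to use this key."""
        rec = self._by_id[key_id]
        rec.allowed.add(principal)
        rec.history.append((self._now(), f"granted:{principal}", actor))

    def key_for_tape(self, tape_label: str, principal: str) -> bytes:
        """Answer 'which key goes with this tape?' for an eligible principal.

        A retired key still decrypts old tapes; a destroyed key is gone for good.
        """
        key_id = self._by_tape.get(tape_label)
        if key_id is None:
            raise KeyError(f"no key recorded for {tape_label}")
        rec = self._by_id[key_id]
        if rec.state == DESTROYED:
            raise PermissionError(f"key {key_id} for {tape_label} has been destroyed")
        if principal not in rec.allowed:
            rec.history.append((self._now(), "denied", principal))
            raise PermissionError(f"{principal} is not eligible for key {key_id}")
        rec.history.append((self._now(), "used", principal))
        return rec.material

    def transition(self, key_id: str, new_state: str, actor: str) -> None:
        """Move a key along active -> retired -> destroyed; reject anything else."""
        rec = self._by_id[key_id]
        if new_state not in TRANSITIONS[rec.state]:
            raise ValueError(f"{rec.state} -> {new_state} is not allowed")
        rec.state = new_state
        if new_state == DESTROYED:
            rec.material = None  # only the metadata and history survive
        rec.history.append((self._now(), new_state, actor))

    def audit_events(self, key_id: str) -> List[str]:
        """Event names in order: the evidence trail for one key's lifecycle."""
        return [event for _, event, _ in self._by_id[key_id].history]


if __name__ == "__main__":
    reg = KeyRegistry()
    kid = reg.create_key_for_tape("TAPE0001", "backup-admin")
    reg.grant(kid, "restore-operator", "backup-admin")
    print(len(reg.key_for_tape("TAPE0001", "restore-operator")), "byte key found for TAPE0001")
    reg.transition(kid, RETIRED, "backup-admin")
    reg.transition(kid, DESTROYED, "backup-admin")
    print(reg.audit_events(kid))
```

The fingerprint used as the key ID is what lets a restore job start from a tape label and end at the right key, which is the association Moulds describes; the per-key history is the kind of evidence an auditor would want before accepting that a key was retired and destroyed on schedule; and the eligibility set is the link between keys and user identities that Schulz raises. A production system would persist all of this and keep the material itself in a hardware module, as noted earlier in the article.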

