We help IT Professionals succeed at work.

NetApp disk encryption

Got a request from one client to provide a disk encryption on NetApp.  I see this (link below) with Data ONTAP 8.0.1 they will be offering full disk encryption to prevent unauthorized access to data at rest.
http://www.ntapgeek.com/2011/03/netapp-storage-encryption-available.html

Anyone familiar how it works?  Is it built-in hardware right on the NetApp storage or controls from the host server connected to the NetApp?  Does it cause a lot of performance hit?

Any info?  Thanks.
Comment
Watch Question

Software and Hardware Engineer
Commented:
Its near useless, seriously.

On the bright side, it is hardware/transparent at the drive level; unlike the ATA Password solution (which simply password-protects the drive firmware and can be bypassed by replacing the drive electronics board with one from another in the same batch with no password or a known password) it is true hardware encryption, using a FIPS certified hardware module and a strong key stored external to the solution in a keyserver.

On the down side, it is *purely* a drive-at-rest solution. If the array is already powered on, all that data is unprotected. Only against attacks where the drive is physically removed from the netapp (or the entire array is taken offsite) is it secure.  It also requires you to have a keyserver to service the key requests when netapp starts (so, if that fails, your netapp drives must NOT be powered down or you can't spin them up again).

I suspect that what you actually want is host-os based crypto (such as offered by many OFE solutions such as bitlocker) but in the netapp world, that is to be avoided sadly - it makes dedupe and file-level restores near impossible and interferes (usually fatally) with snapdrive based backup solutions.

Author

Commented:
Thanks for the info!  I also heard NSE (NetApp Storage Encryption) was scheduled to be available by Quarter 2, 2012, but the requirements have changed.  At this time, it will be available at that time, but only on dedicated Filer Heads using only NSE Disks.  Did you hear that?
NetApp is working to get NSE available in hybrid systems using both NSE and normal non-encrypted drives.  This may not be out until DOT 8.2.

Author

Commented:
Actually what we are looking for is at 'rest' options.  Why NetApp NSE is fully cooked.  If you know other solutions please advice.

Thanks.
Dave HoweSoftware and Hardware Engineer
Commented:
NSE will only be available on specialized NSE disks (as of the current assertion, anyhow, but I can't see how they can retroactively add hardware encryption to drives that don't have the hardware for it; if it is done on the shelf then either you would need to retrofit the shelves with encryption chips per drive, or do it in software (when its not hardware encryption any more, and you would probably lose FIPS certification).

It *is* expected that you can retrofit your heads by upgrade, but it is undecided if or how you can mix and match between non-NSE and NSE drives, or heads supporting them.

I will note that for most commercial netapp setups, data is *never ever* "at rest" in the meaning of that term in this context; in order for it to be "at rest" the drives must be spun down AND have the power removed from their controllers (which usually means physical removal of the drive from the bay, or powering off the entire shelf)
Dave HoweSoftware and Hardware Engineer

Commented:
To be fair, though, in most cases you can deal with the issue as being a physical security one; if nobody can physically access the racks, then the data on them is safe. You can then concentrate on encrypting and validating the links between your live data array and any backup arrays, and quite definitely any backup media used to move older snapshots off expensive spindle storage and onto cheaper tape or optical media.

Author

Commented:
Thanks a lot Dave.  We are now looking into other encryption (at rest).  Can recommend anything?
Dave HoweSoftware and Hardware Engineer
Commented:
 Sadly, no. If what you want is checkbox compliance, then it will work beautifully - your data almost certainly will never be "at rest" by the nature of SAN storage, but the protection will be there and you can tick that box.

  The problem with encryption is largely that it makes the data unpredictable and removes patterns - which is fine, really, and what you want in a security solution, but what it breaks is the ability of netapp to deduplicate the data (as identical data will not be STORED identically at the level netapp can see it) and to do backups that can be mounted independently and/or files extracted (again, because the data and file structures are hidden from the netapp filer)

  In real terms though, I would spend more time protecting your data links (with site to site encryption) and backup media (with backup solutions that encrypt the data during the backup process as that will have more practical value. Its a lot like Bitlocker protection for webservers - a great idea, but one that eats CPU for no practical benefit, as the decryption happens transparently, so your average attacker (who uses a compromise to gain access to the webserver) will not know or care that the data is encrypted when "at rest" because for him, it is never "at rest".

  Or if you are on windows and can spare the cpu - make the processes that access data separate from those that store it, deliberately limit the breadth of the channel between them (so that an attacker must query one value at a time, not take a "dump" of the entire set) and use an account specific encryption method such as EFS - which wont' be deduped, but then, that data should be unique anyhow, and can be backed up/restored as a single file unit by netapp (which is all you really want from the SAN solution)

Author

Commented:
Thanks for all the info.  I will close and assign points very soon.

Thanks.