philb19 asked:
Data at rest encryption on a storage array in a secure Data center

Hi - I'm just wondering what the consensus is on SAN storage encryption.


We do not have any overarching Regulations - no PCI DSS or Health data.

We do have a data classification model. There is no PII on our storage however.

Storage is in a secure data center. My question is: what's the point, really, in encryption? If someone hacks a credential that can access the storage, then what use is the encryption?


I know it's useful for disposal and for off-site backups. I'm just wondering if I'm missing the point.


Thanks

Member_2_231077

When a disk fails and your hardware maintainer swaps it out, what happens to the old one? The data may be sliced up by RAID, but those slices are often 128K or bigger, so they may contain whole emails, spreadsheets, etc. Encryption via self-encrypting disks, on the array, or via the SAN switch means that those failed or pre-failure disks can't be read.
philb19 (ASKER)

Hmm, ok, thanks, worth considering. We haven't had a failed disk in 5 years though. Also we have a disposal policy. So we would, I'm sure, accept the risk on that one.
Richard Faulkner

You should always encrypt data at rest. In addition to the bad disk mentioned by Andy, there have been at least 5 robberies of secure colocation data centers. Here are some older stories about a couple of them: https://www.datacenterknowledge.com/archives/2007/12/08/oceans-11-data-center-robbery-in-london
You should first start developing an enterprise encryption policy to comply with it. Compliance is the need and ability to maintain the environment with respect to the regulations mandated for a specific company or government organization. I would consider a step-by-step approach to protect the sensitive data in your environment.
  • Understand where your business is being conducted.
  • Know what rules apply to your organization.
  • Know what you need to encrypt. 
  • Understand data format.
  • Locate data at rest.
 
Encryption can be implemented at different points:
  • Data in motion (DIM): IPSec can be used via VPN; SSL and TLS can be used across the web.
  • Data at rest (DAR): Disk encryption or encryption managed by a storage system.
  • Data in use (DIU): Information rights management (IRM) and digital rights management (DRM).  IRM is meant more specifically for documents.
 
The primary protection of data at rest is encryption, which helps ensure confidentiality; beware that encryption can impact performance.
 
Protecting Data at Rest:
  • Whole instance encryption: Used to encrypt everything associated with a virtual machine, such as its volumes, disk IO, and snapshots.
  • Volume encryption: Used to encrypt a volume on a hard drive. The entire disk is not encrypted, only the volume portion. Full disk encryption should be used to protect the entire hard drive.
Simple answer: data-at-rest encryption at the volume or filesystem level has little to no effect on remote hacks. The attacker might not even notice the drive is encrypted.