SAN Security/encryption

i would look into third party appliances as CX400 does not have encryption capabilities. If you have Cisco MDS, there are encryption modules for that. There are stand alone inline appliances as NetApp's DataFort. Host based encryption is available as well but not as attractive as fabric based solution.

http://www.netapp.com/us/products/storage-security-systems/datafort/

Sorry I was ment to say it is a CX400

I'm sorry, but I have to mention this:



If your SAN is stolen, your Storage Array is still at your site, so data is not lost. You can either direct attach hosts to your array or buy new switches and hook up all servers to the array again

haha ..you just could not resist ..could you ?

Is the data stored encrypted or only being transported encrypted ?

data at rest

Sorry, ment to say that if my storage arrays or my server is stolen.
The data will be at rest. TBH I am looking for the least costly solution here.

I'm evil !

Brocade had encryption modules for DCX or separate boxes that encrypt en dycrypt FC data in flight to / from the LUN's

The problem with this scenario is that whatever method is used to encrypt the data, host based or fabric based, the system that holds the encryption keys would also be stolen along with the storage array. It is much easier to gain root access to a switch or server once it has been physically stolen than to attempt to decrypt the data.

This all goes back to one of the key security statements regarding data center security:

"Once someone has physical access to your systems, they own your system"

I have the same compliance requirements for data at rest. When we first looked into this we only had the appliance option. It's now been a couple of year and we are looking into this again as the maintenance cost is to high for the appliance. We are looking at CISCO or Emulex HBA encryption. Emulex will soon be in beta for a new 8Gb encryption HBA.

Even though we are looking for a hardware based encryption I think application based is the more secure route to go. Gaining access to a server shouldn't be the only requirement to get at the data. As we upgrade our applications we are looking at application or even Oracle encryption.

If you are concerned about the physical security of your server, SAN and array you should look at adding an RSA like server into the mix. Put the RSA server at another location or some other part of the building.

OK, Thanks for the suggestions.

Just thought there might have been some EMC utility or some free 3rd party utility to have Hardware based encryption on the DPE's and DPA's.

There is lots of stuff out there for Laptops in case they get lifted to prevent data access. Hmmm is it even worth doing a simple Microsoft EFS? Probably not.

I suppose one just has to make sure I have very strong password for the Navisphere Manager as one could log in and assign my LUNs to another server and get access to my data.... Thats about it I suppose other than buying some RSA/Cisco appliances. I cant do that due to budget constraints.

a cheaper option would be to buy PowerPath encryption license.

http://www.emc.com/products/detail/software/powerpath-encryption-rsa.htm

But that will have the same weakness as any other solution. If I steal the server and the storage array, and the server is running PowerPath encryption, I can still access the encrypted data as long as I can log on to the server. Breaking a servers local accounts database is not too difficult.

Encrypting the local drives on the server would help as long as key was required to boot the server. That would limit the ability of a thief to crack a server to get to the data on the storage array.