8 Krypton

Encryption solution question with VMware

Hi Experts, I'm working on a data-at-rest encryption solution. The environment is ESX hosts, VNX and a Cisco switch. Cisco SME has been selected to encrypt data. It's heard SME doesn't support thin provisioning; if that's the case, VP and FAST VP in VNX seem not to be able to work. There is also a question of whether SME supports VMware SRM and MirrorView. Do any of you have experience with or knowledge of SME compatibility? Your input is appreciated. Thanks.

0 Kudos
9 Replies
8 Krypton

Re: Encryption solution question with VMware

For a VNX environment, VNX Host Encryption could be an alternative solution for protecting sensitive data at the host to disk on storage where it resides.

Benefits and differentiators include:

    • Selective encryption: Customers have the option to encrypt only their most sensitive data, which lowers their total cost of ownership by reducing infrastructure investment and management cycles associated with controlling an entirely encrypted environment.
    • Security: Data is secured at the point of creation and is secure while in transit from the host to disk on the array.
    • Consistency: Consistent encryption technology is applied across multiple operating systems and storage platforms.
    • Scalability: Since implemented on a per-host basis, encryption can be applied to only those hosts needed to secure the most sensitive data first, and then the implementation can be built-out with encryption on additional hosts as security requirements grow.
    • Ease of deployment: Encryption can be added non-disruptively to hosts, applications, replication, and backup infrastructure.
    • Support for high availability: Scalable host-based encryption eliminates the single-point-of-failure limitations of encryption appliances.
0 Kudos
8 Krypton

Re: Encryption solution question with VMware

Thanks for your input, Simon. However, VNX host encryption only supports Windows, AIX, Linux and Solaris. It won't be a good fit for the current VMware environment.

0 Kudos
8 Krypton

Re: Encryption solution question with VMware

JY, I don't think this configuration is supported.

http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/5_2/configuration/guides/sme/smediskc...

It confirms:

SME disk does not support thin provisioning of disks.

SME disk does not allow dynamic resizing of LUN.

Therefore, I think VP and F_VP are not supported.

For your consideration.

Eddy

8 Krypton

Re: Encryption solution question with VMware

For a VMware environment, it is recommended to create encrypted virtual disks within the data center. If the virtual disk were encrypted, then it would be possible to bypass all the other layers of encryption possibilities and still maintain data integrity and encryption throughout the process, no matter where the virtual disk image lands. Cisco Storage Media Encryption (SME), meanwhile, is recommended as an option for encrypting and decrypting your data coming on and off tape, etc.

http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps5990/wp_data-protection.pdf

0 Kudos
8 Krypton

Re: Encryption solution question with VMware

I've done some research and found:

The Cisco MDS 9000 SME solution includes complete key management that works with new and existing SANs to provide key archival and shredding features. It supports storage features such as replication, clones and mirrors, and snapshots. The key manager database can be replicated with Oracle Data Guard when an Oracle database is used for archiving.

It looks like SME may support MirrorView/SRM; however, we cannot find any information on the elab website.

0 Kudos
8 Krypton

Re: Encryption solution question with VMware

EMC offers the following solution to address information protection in the network, through partnership with Cisco: Cisco Storage Media Encryption (SME) or Connectrix® MDS provides encryption of data-at-rest as a service with its switches with proper key management facilities.

Device level

Encryption at the device level (array, disk, or tape) is a sufficient method of protecting sensitive data residing on storage media, which is a primary security risk many organizations are seeking to address.

Array-level encryption

There are a number of design points for encryption in the array, that is, at the disk drive or controller level, each discussed briefly, next.  Design considerations for encryption include the interfaces to the array, software support, performance, FIPS validation, key management, and encryption object granularity, to name a few. The intent is to have the encryption implementation transparent to the hosts attached, while protecting the removable media. The connected hosts may not be knowledgeable of the encryption implementation but may be with respect to management and performance. All aspects of the design must be considered.

http://www.emc.com/collateral/hardware/technical-documentation/h8082-building-secure-sans-tb.pdf

0 Kudos
8 Krypton

Re: Encryption solution question with VMware

Simon and JY,

As the configuration is not listed on the current ESM, if it would be part of an EMC solution delivered to a customer, I highly recommend you go to RPQ first; if this is approved, that would ensure this configuration's compatibility and serviceability.

Thanks,

Eddy

0 Kudos
8 Krypton

Re: Encryption solution question with VMware

I agree to submit an RPQ for this configuration with Cisco SME. In the white paper h8082, there are specific use cases for Brocade Encryption Switches with EMC TimeFinder/SRDF/RecoverPoint, but none are mentioned for Cisco SME.

0 Kudos
8 Krypton

Re: Encryption solution question with VMware

Hello Experts

As confirmed by the Cisco document, SME disk does not allow dynamic resizing of LUN. Is there any alternative solution for dynamic LUN resize to be supported with SME?

Thanks in advance!

0 Kudos