Hi Experts, I'm working on a data-at-rest encryption solution. The environment is ESX hosts, VNX and a Cisco switch. Cisco SME has been selected to encrypt data. I've heard SME doesn't support thin provisioning; if that's the case, VP and FAST VP in VNX seem not to be able to work. There is also the question of whether SME supports VMware SRM and MirrorView. Do any of you have experience with or knowledge of SME compatibility? Your input is appreciated. Thanks.
For VNX environment, VNX Host Encryption could be an alternative solution for protecting sensitive data at the host to disk on storage where it resides.
Benefits and differentiators include:
Thanks for your input, Simon. However, VNX host encryption only supports Windows, AIX, Linux and Solaris. It won't be a good fit for the current VMware environment.
JY, I don't think this configuration is supported.
SME disk does not support thin provisioning of disks.
SME disk does not allow dynamic resizing of LUN.
Therefore, I think VP and F_VP are not supported.
For your consideration.
For a VMware environment, it is recommended to create encrypted virtual disks within the data center. If the virtual disk was encrypted, then it would be possible to bypass all the other layers of encryption possibilities and still maintain data integrity and encryption throughout the process, no matter where the virtual disk image lands. Cisco Storage Media Encryption (SME), meanwhile, is recommended as an option that encrypts and decrypts your data coming on and off tape, etc.
I've done some research and found:
The Cisco MDS 9000 SME solution includes complete key management that works with new and existing SANs to provide key archival and shredding features. It supports storage features such as replication, clones and mirrors, and snapshots. The key manager database can be replicated with Oracle Data Guard when an Oracle database is used for archiving.
It looks like SME may support MirrorView/SRM; however, we cannot find any information on the elab website.
EMC offers the following solution to address information protection in the network, through partnership with Cisco: Cisco Storage Media Encryption (SME) or Connectrix® MDS provides encryption of data-at-rest as a service with its switches with proper key management facilities.
Encryption at the device level, (array, disk, or tape) is a sufficient method of protecting sensitive data residing on storage media, which is a primary security risk many organizations are seeking to address.
There are a number of design points for encryption in the array, that is, at the disk drive or controller level, each discussed briefly, next. Design considerations for encryption include the interfaces to the array, software support, performance, FIPS validation, key management, and encryption object granularity, to name a few. The intent is to have the encryption implementation transparent to the hosts attached, while protecting the removable media. The connected hosts may not be knowledgeable of the encryption implementation but may be with respect to management and performance. All aspects of the design must be considered.
Simon and JY,
As the configuration is not listed on the current ESM, if it would be part of an EMC solution delivered to a customer, I highly recommend you go to RPQ first; if this is approved, that would ensure this configuration's compatibility and serviceability.
I agree to submit an RPQ for this configuration with Cisco SME. In the white paper h8082, there are specific use cases for Brocade Encryption Switches with EMC TimeFinder/SRDF/RecoverPoint, but none are mentioned for Cisco SME.
As confirmed from the Cisco document, SME disk does not allow dynamic resizing of LUN. Is there any alternative solution for dynamic LUN resize to be supported with SME?
Thanks in advance!