Scrambling the Bits on Disk
Unlike in-flight encryption, where bits are scrambled as they travel over networks, data-at-rest encryption occurs as data gets stored on disk, which happens to be where data spends most of its time.
In years past this had been accomplished on intelligent shared storage arrays that have encryption built in, albeit at a higher cost, or through deliberate installation of self-encrypting drives inside your servers. DataCore offers a far more appealing alternative: use simpler, lower-cost hardware and encrypt all of it using an in-band software layer, an intrinsic function of the DataCore™ software-defined storage (SDS) solution. Encryption is just one of several invaluable data services available from the scalable platform.
Strong 256-Bit Advanced Block-Level Encryption
DataCore employs XTS-AES 256-bit encryption, recognized globally as a proven deterrent against decryption by even the best-equipped adversaries. The process also ensures that different disk blocks with identical data are encrypted differently.
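The property above, identical data in different disk blocks encrypting differently, comes from the XTS tweak, which is derived from each block's position on disk. The following is an added example, not DataCore's code and not the CNG API: a pure-Python XTS-AES-256 encryptor in which the function names and the sector numbering are assumptions, and ciphertext stealing is omitted because sector sizes are multiples of 16 bytes.

```python
# Added illustration (not DataCore code): pure-Python XTS-AES-256, encrypt only, slow.
def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11b
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ 0x11b if a & 0x80 else a << 1
        b >>= 1
    return r

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _sbox_entry(a):  # field inverse, then the AES affine transform
    s = next((b for b in range(1, 256) if gmul(a, b) == 1), 0)
    rot = lambda n: ((s << n) | (s >> (8 - n))) & 0xff
    return s ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63
SBOX = [_sbox_entry(a) for a in range(256)]

def expand_key(key):  # 32-byte key -> 15 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:  # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        elif i % 8 == 4:  # extra SubWord specific to 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def encrypt_block(rks, block):  # one 16-byte AES block, 14 rounds
    s = xor(block, rks[0])
    for rnd in range(1, 15):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 14:  # MixColumns, skipped in the final round
            s = [gmul(s[c + r], 2) ^ gmul(s[c + (r + 1) % 4], 3) ^ s[c + (r + 2) % 4]
                 ^ s[c + (r + 3) % 4] for c in (0, 4, 8, 12) for r in range(4)]
        s = xor(s, rks[rnd])
    return s

def xts_encrypt(key, sector, data):  # key = 32-byte data key || 32-byte tweak key
    assert len(key) == 64 and data and len(data) % 16 == 0
    rk1, rk2 = expand_key(key[:32]), expand_key(key[32:])
    t = int.from_bytes(encrypt_block(rk2, sector.to_bytes(16, "little")), "little")
    out = b""
    for j in range(0, len(data), 16):
        tb = t.to_bytes(16, "little")  # tweak for this 16-byte block
        out += xor(encrypt_block(rk1, xor(data[j:j + 16], tb)), tb)
        t = ((t << 1) ^ (0x87 if t >> 127 else 0)) & ((1 << 128) - 1)  # multiply by alpha
    return out
```

Calling `xts_encrypt(key, 0, data)` and `xts_encrypt(key, 1, data)` on the same buffer yields unrelated ciphertexts, and repeated 16-byte blocks inside one sector also differ. Rewriting a sector with the same data reproduces the same ciphertext, and XTS carries no integrity check, so modification of ciphertext on disk is not detected by the cipher itself.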
Several editions of the DataCore product offer the encryption service on nodes running Windows Server 2016. The software calls Microsoft’s Cryptography API: Next Generation (CNG) for performance-optimized encoding and decoding using the built-in AES-NI instruction set in the base server platform. Although an unauthorized person or program may find a way to read the bits on an encrypted virtual disk, they cannot do anything useful with the jumbled contents without the secure encryption/decryption keys needed to unveil the plain text.
Note: The Windows Server 2016 requirement applies only to the instance of the operating system where the DataCore software encryption code runs. The client (host) consumers of encrypted virtual disks may be running previous versions of Windows Server, Linux, HP-UX, AIX or Solaris. Again, they only see the unencrypted images.
“As with any security project, acquiring technology is not the only step to properly protecting your data. Part of this process should include an evaluation of the current processes and security controls in place, such as physical access controls, environmental controls, and administrative controls. While there is no single set of requirements that applies to all organizations, this Guide can provide some baseline considerations.”
– SNIA Storage Security Industry Forum
The heightened urgency for the safekeeping of sensitive information requires extraordinary measures from IT, but they need not be so painful or expensive. Data-at-rest encryption from DataCore SDS products provides a convenient and generalized method for guarding confidential data on your disk drives anytime they are out of your control.
By implementing the strong cryptographic encoding at the storage virtualization layer, you can apply it universally across different models and brands of storage devices already in use as well as those in your immediate future. Yet applications, file systems and databases remain unchanged. Taken together with complementary in-flight encryption and perimeter defenses, this puts you in a much better position to keep bad guys away.