I saw the following article come across Twitter today.
In it, Robin Harris describes the issues around data recovery and secure erasure specific to SSD disks. In layman’s terms, since SSDs do all sorts of fancy things with writes to increase longevity and performance, disk erasure is nearly impossible using normal methods, and forensic or malicious data recovery is quite easy. So if you have sensitive data being stored on SSDs, that data is at risk of being read by someone, some day, in the future. It seems that pretty much the only way to mitigate this risk is to use encryption at some level outside the SSD disk itself.
Did you know that EMC Symmetrix VMAX offers data-at-rest encryption that is completely transparent to hosts and applications, and has no performance impact? With Symmetrix D@RE, each individual disk is encrypted with a unique key, managed by a built-in RSA key manager, so disks are unreadable if removed from the array. Since the data is encrypted as the VMAX is writing to the physical disk, attempting to read data off an individual disk without the key is pointless, even for SSD disks.
The beauty of this feature is that it’s set-it-and-forget it. No management needed, it’s enabled during installation and that’s it. All disks are encrypted, all the time.
- Ready to decomm an old array and return it, trade it, or sell it? Destroy the keys and the data is gone. No need for an expensive Data Erasure professional services engagement.
- Failed disk replaced by your vendor? No need for special arrangements with your vendor to keep those disks onsite, or certify erasure of a disk every time one is replaced. The key stays with the array and the data on that disk is unreadable.
If you have to comply with PCI and/or other compliance rules that require secure erasure of disks, you should consider putting that data on a VMAX with data-at-rest encryption.
Now, What if you have an existing EMC storage system and the same need to encrypt data? You can encrypt at the volume level with PowerPath Encryption. PowerPath encrypts the data at the host with a unique key managed by an RSA Key Manager. And it works with the non-EMC arrays that PowerPath supports as well.
Under normal circumstances, PowerPath Encryption does have some level of performance impact to the host however HBA vendors, such as Emulex, are now offering HBAs with encryption offload that works with PowerPath. If you combine PowerPath Encryption with Emulex Encryption HBAs, you get in-flight AND at-rest encryption with near-zero performance impact.
- Do you replicate your sensitive data to a 3rd party remote datacenter for business continuity? PowerPath Encryption prevents unauthorized access to the data because no host can read it without the proper key.