Problem solve Get help with specific problems with your technologies, process and projects.

How to secure primary storage for life outside the data center

While tape encryption is standard fare at customer sites, there's another inroad to storage security: primary storage encryption. Find out why primary storage is at risk even though it spends most of its life inside a secure data center.

Storage security is typically one of those practices that value-added resellers (VARs) struggle with in their discussions with customers. The obvious use case is to secure tape media that leaves a customer's facility. Oftentimes, the data is encrypted either on the tape drive or by an appliance. But tape encryption is standard fare and nothing new for customers. You're unlikely to impress with that. Primary storage, on the other hand, is a different story. It's a much more interesting proposition -- both for customers and for storage integrators.

Your customers might not even be fully cognizant of the threat to primary storage. Of course, it doesn't leave a customer facility in the normal course of operations, and most customers have physical access controls to protect against staff or contractor threats while in the data center. But make no mistake, hard disk storage does leave the data center and, like with tape media, it needs to be secured via encryption.

For data on primary storage to be useful, for the most part, the whole storage array has to be together. And it's very unlikely that someone will steal a full array from a customer's data center. But there are two scenarios in which primary storage leaves the data center fully assembled: during a data center move or following the decommissioning of a primary storage array, when it's sold on an online auction site or otherwise disposed of.

Your customers need to understand that formatting the drives (for the purpose of erasing them) prior to disposal is not enough. Data can be recovered off of formatted drives. Alternately, your customer could choose to physically destroy the drives, but doing so obviously means they won't be able to sell them as used equipment.

That's where encryption comes in. Encryption essentially secures the data by rearranging it on the drives so that a key is required to access and understand that data.

With primary storage encryption, the data is encrypted all the time, but the keys to access are inside the data center so the users of that data have transparent access to it even though it's encrypted. Once a user is authenticated into the network, he doesn't need to keep entering the key to gain access to the data on that network.

When the storage leaves the data center, the keys should stay in the data center. They shouldn't go with the storage. As a result, the data on the storage will be totally unreadable and safe to be moved, disposed of or resold.

Offering your customers storage encryption as means to secure data against unauthorized theft is typically a non-starter. But offering storage security as a means to safely move, decommission or resell existing storage shows that you have that kind of planning in mind, making you better-qualified to earn their future business.

About the author

George Crump is president and founder of Storage Switzerland, an IT analyst firm focused on the storage and virtualization segments. With 25 years of experience designing storage solutions for data centers across the United States, he has seen the birth of such technologies as RAID, NAS and SAN. Prior to founding Storage Switzerland, George was chief technology officer at one of the nation's largest storage integrators, where he was in charge of technology testing, integration and product selection. Find Storage Switzerland's disclosure statement here.

Dig Deeper on Storage Backup and Disaster Recovery Services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.