Dec 17, 2013


Trend 9: Encryption of data at rest becomes table stakes

Recently, I had a discussion with a customer about capacity-on-demand who said he had a rolling lease program where he continually refreshed his storage every three years. When I asked him what he did to ensure that his data was shredded when he rolled his storage off lease, he gave me a blank stare. Either he was not aware of what was being done or he trusted his lease provider to see that none of his company’s data was left on the storage at the end of the lease. The same response came from a customer who was using cloud storage to supplement his seasonal requirements. There should be some record to show that the data was shredded to satisfy the compliance people.


The easiest way to shred storage media is crypto shredding: deleting the encryption key. Other methods of shredding the data involve overwriting the data with random patterns according to US standard DOD 5220.22-M, which can take hours depending on the capacity of the media; degaussing of magnetic media, which also renders the media unusable for magnetic recording; or physical destruction.

Strong encryption of data with randomly generated keys not only ensures your data is protected at rest, but also ensures that data is protected after the media is retired. It also enables the disk to be used in the aftermarket without fear of exposing your data. Media vendors will also appreciate the ability to retrieve disks for failure analysis should that be required. In the past, failed disks were destroyed by the customer to avoid exposing their data, making it difficult to analyze the failure.

The use of encryption of storage in the past was limited to select application data due to the impact that software encryption had on performance and cost. Another concern was the lack of key management standards. Today we have hardware encryption chips, which eliminate the performance and cost concerns around encryption, and we have the Key Management Interoperability Protocol (KMIP) standard for key management. These concerns are now a thing of the past and there is no longer any reason not to encrypt data.

Hitachi Data Systems provides Data at Rest Encryption on its family of block storage devices including VSP, HUS VM, and soon in HUS 150. The encryption is done with hardware in the back end directors and encrypts any device attached to this director, including Flash drives. Self-encrypting disks (SEDs) are available from media vendors, but encrypting in the disk limits configuration flexibility, and I am not aware of any flash drives that do self-encryption.

If you are storing data in the cloud or offloading that to a third party, you should ensure that the outside vendor is not only encrypting your data at rest but also crypto shredding the data when it is moved or deleted and providing a log of changes in encryption and key management. Otherwise, your data’s privacy is at risk and you have no way to satisfy compliance audits.


Hitachi Data Systems uses strong encryption, which is provided by AES 256 in XTS mode. AES 256 stands for Advanced Encryption Standard with a 256-bit key. XTS mode is an encryption mode designed for disks; its input includes the cryptographic key, the data itself, the sector number where the data is stored, and the block number within the sector, so the same data stored in two different sectors produces different ciphertext. Encryption and key management events are logged. If external key management via KMIP is selected, a Hardware Security Module (HSM) is required. This is a secure crypto processor whose main purpose is managing cryptographic keys and accelerating cryptographic operations using such keys. The modules typically offer protection features like strong authentication and physical tamper resistance. SafeNet and Thales are examples of HSM products. An overview of HSM appliances can be found here.
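To make the XTS tweak and the crypto-shredding step concrete, here is an added example in Go using only the standard library; it is not Hitachi's code (Hitachi does this in hardware in the back end directors) and is written for illustration. It assumes whole sectors whose length is a multiple of 16 bytes (ciphertext stealing for partial blocks is omitted), a little-endian sector number as the tweak per IEEE 1619, and keys generated locally rather than held in an HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// XTS: the 512-bit XTS-AES-256 key is two AES-256 keys, one for data blocks and one for the tweak.
type XTS struct{ data, tweak cipher.Block }

// NewKey returns a random 32-byte key; Shred zeroizes it (crypto shredding).
// Note: a cipher.Block built from the key keeps its own key schedule, so a real
// shred must also discard every object derived from the key (hypothetical helpers).
func NewKey() []byte   { k := make([]byte, 32); rand.Read(k); return k }
func Shred(key []byte) { for i := range key { key[i] = 0 } }

func NewXTS(key1, key2 []byte) (*XTS, error) {
	d, err := aes.NewCipher(key1)
	if err != nil { return nil, err }
	t, err := aes.NewCipher(key2)
	if err != nil { return nil, err }
	return &XTS{data: d, tweak: t}, nil
}

// mulAlpha multiplies the tweak by x in GF(2^128) (IEEE 1619 little-endian convention).
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		t[i], carry = t[i]<<1|carry, t[i]>>7
	}
	if carry != 0 { t[0] ^= 0x87 }
}

// Process encrypts (enc=true) or decrypts one sector; the sector number is the tweak.
func (x *XTS) Process(sector uint64, in []byte, enc bool) ([]byte, error) {
	if len(in) == 0 || len(in)%16 != 0 {
		return nil, errors.New("sector length must be a non-zero multiple of 16 (no ciphertext stealing)")
	}
	var t, blk [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	x.tweak.Encrypt(t[:], t[:]) // T = AES_K2(sector number)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		for j := range blk { blk[j] = in[i+j] ^ t[j] } // XOR tweak in
		if enc { x.data.Encrypt(blk[:], blk[:]) } else { x.data.Decrypt(blk[:], blk[:]) }
		for j := range blk { out[i+j] = blk[j] ^ t[j] } // XOR tweak out
		mulAlpha(&t) // block j of the sector uses T * alpha^j
	}
	return out, nil
}
```

Once the keys are zeroized, rebuilding the cipher from the key store yields only garbage for every sector that was encrypted under them, which is the whole point of crypto shredding: the media never has to be touched.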

Encryption of data at rest should be table stakes for storage vendors. The encryption chips are available, the key management standard is available, and HSM vendors are available to support external key management. This will ensure that the privacy of your data is intact even after you retire the media it resides on. The costs are minimal and there is no longer any excuse for not protecting your data with strong encryption. If you use managed services or store your data in the cloud, check to see that the data is encrypted at rest and is crypto shredded when it is moved or deleted. A log should be available to show encryption and key management events that apply to your data for audit purposes.

See full list of my top ten trends for 2014 here.