Encryption-based security for data storage has been a requirement only for specific industries, often dictated by regulation. For example, companies working in verticals such as Healthcare, Legal and Financial, and firms supporting Federal or State/Local governments, are required to comply with security requirements for Data-at-Rest (DAR) Encryption. Apart from keeping data secure, encryption provides safe harbor against penalties and notification rules.
It begs the question though: why haven’t other industries looked at Data Encryption seriously? Is security any less important to them? Of course not. Who would want to be a headline in tomorrow’s news just because some sensitive data leaked from their systems?
Unfortunately, like most things, this isn’t as simple as it appears on the surface. Practical considerations often trump the ideal, desired state of IT infrastructure, leaving data security as a hope-and-pray strategy.
Let’s look at the typical challenges you might have faced in securing your data in the past:
- COST: Data Encryption is often accomplished by using Self Encrypting Drives (SEDs), and SEDs can be quite expensive compared to regular drives. They are also often in short supply with longer procurement times, since most drive manufacturers want to wait for enough demand before putting a batch of SEDs into production. Put a “more expensive solution” that “delays a project” together, and you can see why Data Encryption can take a back seat in IT conversations.
- PERFORMANCE: Avoiding SEDs, Data Encryption can be done completely in software, using the same standard and secure AES-256 algorithms that are used with SEDs. Often, due to poor implementations though, the downside is an impact on performance.
- STORAGE EFFICIENCY: If implemented at a VM/Hypervisor level, Data Encryption often results in all data being encrypted before it hits the storage stack. There is little data reduction (compression, deduplication, zero suppression etc) that can be done on an encrypted data set. Lack of data reduction then increases the overall solution cost.
- KEY MANAGEMENT: Data Encryption solutions require a key management server (KMS). Why? If you think of your data being stored in physical rooms, encryption is akin to putting a lock for each room. After those rooms are locked, you are left with a bunch of keys. A KMS manages such keys.
- Consolidation: External KMS are helpful when managing keys across different infrastructure components, sometimes to meet specific compliance requirements.
- Standardization: Security organizations often standardize their key management requirements on specific external KMS servers.
- Complexity: When choosing to go with an external KMS, customers realize that this is yet another silo that has to be managed in their datacenters (installed, upgraded, dealing with a net new vendor). There is little motivation to bring more complexity in their environments.
- Cost: External KMS servers need to be licensed separately, and especially for small to medium deployments, the costs can be non-trivial.
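The STORAGE EFFICIENCY point in the list above, as an added Ruby example (not Nutanix code): it measures what a storage layer could still compress and deduplicate when it is handed plaintext versus AES-256-CTR ciphertext of the same data. The sample data, key, IV and function names are constructed for the illustration.

```ruby
require 'openssl'
require 'zlib'

BLOCK = 4096

# AES-256-CTR, standing in for encryption applied before data reaches the storage stack.
def aes_ctr(key, iv, data)
  c = OpenSSL::Cipher.new('aes-256-ctr').encrypt
  c.key = key
  c.iv = iv
  c.update(data) + c.final
end

# Distinct 4 KiB blocks: what block-level deduplication would still have to store.
def unique_blocks(data)
  (0...data.bytesize).step(BLOCK).map { |off| data.byteslice(off, BLOCK) }.uniq.size
end

# What the storage layer can reduce when it receives `data`.
def reduction(data)
  { bytes: data.bytesize,
    deflated: Zlib::Deflate.deflate(data).bytesize,
    unique_blocks: unique_blocks(data) }
end

# Constructed sample: 64 identical 4 KiB text blocks followed by 64 zero blocks.
TEXT_BLOCK = ("setting=default\n" * 256).freeze
SAMPLE = (TEXT_BLOCK * 64 + "\0" * (BLOCK * 64)).freeze
KEY = OpenSSL::Digest::SHA256.digest('constructed demo key') # 32 bytes
IV = ("\0" * 16).freeze # fixed only so the run is repeatable

def compare
  { plaintext_seen_by_storage: reduction(SAMPLE),
    ciphertext_seen_by_storage: reduction(aes_ctr(KEY, IV, SAMPLE)) }
end

compare.each { |who, r| puts "#{who}: #{r}" } if __FILE__ == $PROGRAM_NAME
```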
What we are taking now is the next step in democratizing security for all our customers. This democratization has two key components at its heart, both of which are focused on providing “Security with Simplicity”.
- Data-at-Rest Encryption done in Acropolis Operating System (AOS), available on commodity hardware.
- Key Management done natively within AOS.
Nutanix Software based Data at Rest Encryption
Nutanix AOS supports Data-at-Rest (DAR) Encryption done entirely in software. No more paying for expensive SEDs, and no more waiting and delaying your projects. Nutanix AOS uses the same AES-256 encryption standard that is used in SEDs to securely encrypt data. Furthermore, once enabled, DAR Encryption cannot be turned off - it is a one-way street. This guards against accidental data leaks (due to user errors) and helps keep the auditing process extremely simple.
Let’s look at a few characteristics of the Nutanix Encryption solution.
The AOS DAR Encryption is hypervisor agnostic and can be used with your hypervisor of choice (Nutanix AHV, VMware ESXi or Microsoft Hyper-V).
Take a look at the graphs below.
The graphs above net out the impact of enabling Nutanix Software Encryption. The impact is around 6%, with 100% Random Read workloads. With more realistic workloads, the difference is even lower. In practical deployments, this translates to your Nutanix Controller (CVM) CPU utilization going up by a few percentage points, while maintaining your application performance.
Now, considering the fact that Encryption is always inline (once encryption is enabled, all data is always written in an encrypted format), one might wonder why the impact of Encryption is so low. Well, the reason is quite simple: unlike other architectures, the Nutanix Data Path architecture has been designed with a Checksum-first approach (don’t trust hardware, re-check everything in Software). Checksums cannot be turned off. We leveraged the same plumbing to deliver Data Encryption in software. In addition, we also leverage the Intel AES-NI instruction set. Result: Security without Performance Degradation.
Let’s tackle Data Reduction next. Can you take advantage of all Nutanix’s Compression/Deduplication/Erasure Coding/Zero Suppression/Snapshot/Cloning benefits once you enable Encryption? YES.
The AOS Software ensures that all storage efficiency benefits remain available even with Data Encryption. This is true even if you choose to enable Data Reduction as a Post-Process operation. Each Data Reduction transformation has been optimized to work with an encrypted dataset [perhaps a topic for another blog if necessary].
This brings us to the last real blocker in democratizing Data Encryption: Key Management. As brief background, strategies for encrypting data use keys, as explained above. There are several levels of keys, e.g.:
- Data Encryption Key (DEK) - As the name suggests, this is a key that’s actually used to encrypt data.
- Key Encryption Key (KEK) - This is a key that’s used to encrypt the DEKs noted above. The advantage of having a level of indirection with KEKs is that one can shard, secure and rotate KEKs at will, and with very little overhead (vs. rotating the DEKs, which might mean that the entire existing dataset has to be re-encrypted using new DEKs).
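The DEK/KEK indirection described above, as an added Ruby example that is not Nutanix's implementation: data blocks are sealed with AES-256-GCM under a DEK, the DEK is stored only wrapped by a KEK, and rotating the KEK rewrites the wrapped DEK alone. The `Volume` record, the blob layout and all function names are hypothetical.

```ruby
require 'openssl'

# AES-256-GCM seal: returns nonce (12) || tag (16) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  nonce + c.auth_tag + ct
end

# Inverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or altered blob.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize < 29
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = ''
  d.update(blob.byteslice(28..-1)) + d.final
end

# Hypothetical volume record: blocks encrypted under a DEK, the DEK stored only wrapped by a KEK.
Volume = Struct.new(:wrapped_dek, :blocks)

def create_volume(kek, plaintext_blocks)
  dek = OpenSSL::Random.random_bytes(32)
  Volume.new(seal(kek, dek), plaintext_blocks.map { |b| seal(dek, b) })
end

def read_block(volume, kek, index)
  unseal(unseal(kek, volume.wrapped_dek), volume.blocks[index])
end

# KEK rotation: unwrap the DEK with the old KEK and re-wrap it with the new one.
# Only the 60-byte wrapped DEK is rewritten; no data block is re-encrypted.
def rotate_kek!(volume, old_kek, new_kek)
  volume.wrapped_dek = seal(new_kek, unseal(old_kek, volume.wrapped_dek))
  volume
end

if __FILE__ == $PROGRAM_NAME
  kek1, kek2 = OpenSSL::Random.random_bytes(32), OpenSSL::Random.random_bytes(32)
  vol = create_volume(kek1, ['constructed block A', 'constructed block B'])
  before = vol.blocks.dup
  rotate_kek!(vol, kek1, kek2)
  puts read_block(vol, kek2, 0), "data blocks untouched: #{vol.blocks == before}"
end
```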
The Nutanix KMS provides you with options to back up your keys and rotate your keys (so you can comply with your IT Security policy).
It is important to note that Nutanix Native KMS augments our existing External KMS based key management solution. It provides customers with a choice they have been asking for. We still of course support External Key Managers if you have standardized on them or they are needed for regulatory compliance. Here is a summary of all the options available to our customers:
Perhaps the final piece of the puzzle for certain sectors is FIPS certification. The cryptographic modules used for Data Encryption and for Native KMS are under FIPS validation. You can find them listed here.
That’s it! Data Encryption made simple, space efficient and performant, so you don’t have to make any compromises while securing your infrastructure.
Peace (of mind).
© 2018 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and the other Nutanix products and features mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).