This blog was originally posted in July 2018 and authored by Priyadarshi Prasad, Director, Product Management, Nutanix. It was updated in October 2020 to reflect product changes and enhancements.
Encryption-based security for data storage has been a requirement only for specific industries, often dictated by regulation. For example, companies in verticals such as Healthcare, Legal and Financial, and firms supporting Federal or State/Local governments, are required to comply with security requirements for Data-at-Rest (DAR) Encryption. Apart from keeping data secure, it provides safe harbor against penalties and notification rules.
This raises the question, though: why haven’t other industries looked at Data Encryption seriously? Is security any less important to them? Of course not. Who would want to be a headline in tomorrow’s news just because some sensitive data leaked from their systems?
Unfortunately, as with most things, the situation isn’t as simple as it appears on the surface. Practical considerations often trump the ideal, desired state of IT infrastructure, leaving data security to a hope-and-pray strategy.
Let’s look at the typical challenges you might have faced in securing your data in the past:
- Cost: Data Encryption is often accomplished by using Self Encrypting Drives (SEDs). And SEDs can be quite expensive compared to regular drives. They are also often in short supply with longer procurement times, since most drive manufacturers want to wait for enough demand before putting a batch of SEDs into production. So you put a “more expensive solution” that “delays a project” together, and you can see why Data Encryption can take a back seat in IT conversations.
- Performance: To avoid SEDs, Data Encryption can be done completely in software, using the same standard, secure AES-256 algorithm that SEDs use. Often, though, due to poor implementations, the downside is an impact on performance.
- Storage Efficiency: If implemented at the VM/Hypervisor level, Data Encryption results in all data being encrypted before it hits the storage stack. There is little data reduction (compression, deduplication, zero suppression, etc.) that can be done on an encrypted data set. Lack of data reduction then increases the overall solution cost.
- Key Management: Data Encryption solutions require a key management server (KMS). Why? If you think of your data as being stored in physical rooms, encryption is akin to putting a lock on each room. After those rooms are locked, you are left with a bunch of keys. A KMS manages such keys.
Often, the KMS service is external to the cluster where the data is stored, hence the name External Key Management Service. An External KMS has several advantages:
- Consolidation: An external KMS is helpful when managing keys across different infrastructure components, sometimes to meet specific compliance requirements.
- Standardization: Security organizations often standardize their key management requirements on specific external KMS servers.
For many small to medium organizations though, an external KMS has two implications:
- Complexity: When choosing an external KMS, customers realize that it is yet another silo to be managed in their datacenters (installed, upgraded, and a net-new vendor to deal with). There is little motivation to bring more complexity into their environments.
- Cost: External KMS servers need to be licensed separately, and especially for small to medium deployments, the costs can be non-trivial.
As a company with a security-first mindset, we have been supporting Data Encryption solutions for quite some time. Our traditional approach has been to leverage a combination of SEDs and an External Key Manager to address the requirement.
We are now taking the next step in democratizing security for all our customers. This democratization has two key components at its heart, both focused on providing “Security with Simplicity”.
- Data-at-Rest Encryption done in Acropolis Operating System (AOS), available on commodity hardware.
- Key Management done natively within AOS.
Nutanix Software-based Data at Rest Encryption
Nutanix AOS supports Data-at-Rest (DAR) Encryption done entirely in software. No more paying for expensive SEDs, and no more waiting and delaying your projects. Nutanix AOS uses the same AES-256 encryption standard that is used in SEDs to securely encrypt data. Furthermore, once enabled, DAR Encryption cannot be turned off - it is a one-way street. This guards against accidental data leaks (due to user errors) and helps keep the auditing process extremely simple.
Let’s look at a few characteristics of the Nutanix Encryption solution.
The AOS DAR Encryption is hypervisor agnostic and can be used with your hypervisor of choice (Nutanix AHV, VMware ESXi, or Microsoft Hyper-V).
Take a look at the graphs below.
The graphs above net out the impact of enabling Nutanix Software Encryption: around 6% with a 100% Random Read workload. With more realistic workloads, the difference is even lower. In practical deployments, this translates into your Nutanix Controller VM (CVM) CPU utilization going up by a few percentage points while your application performance is maintained.
Now, considering that Encryption is always inline (once encryption is enabled, all data is always written in encrypted form), one might wonder why the impact of Encryption is so low. The reason is quite simple: unlike other architectures, the Nutanix Data Path has been designed with a Checksum-first approach (don’t trust hardware; re-check everything in software). Checksums cannot be turned off. We leveraged the same plumbing to deliver Data Encryption in software. In addition, we also leverage the Intel AES-NI instruction set. The result: Security without Performance Degradation.
Let’s tackle Data Reduction next. Can you take advantage of all Nutanix’s Compression/Deduplication/Erasure Coding/Zero Suppression/Snapshot/Cloning benefits once you enable Encryption? YES.
The AOS Software ensures that all storage efficiency benefits remain available even with Data Encryption. This is true even if you choose to enable Data Reduction as a Post-Process operation. Each Data Reduction transformation has been optimized to work with an Encrypted dataset [perhaps a topic for another blog if necessary].
This brings us to the last real blocker in democratizing Data Encryption: Key Management. As brief background, strategies for encrypting data use keys, as explained above, and there are several levels of keys. For example:
- Data Encryption Key (DEK) - As the name suggests, this is a key that’s actually used to encrypt data.
- Key Encryption Key (KEK) - This is a key that’s used to encrypt the DEKs noted above. The advantage of having a level of indirection with KEKs is that one can shard, secure, and rotate KEKs at will, and with very little overhead (vs. rotating the DEKs, which might mean that the entire existing dataset has to be re-encrypted using new DEKs).
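As an added illustration of the DEK/KEK indirection described above (example code written for this post, not Nutanix code, and not a description of how AOS stores its keys), here is envelope encryption in Go: each object gets its own AES-256 DEK, the DEK is wrapped under the KEK, and rotating the KEK re-wraps only the DEK while the bulk ciphertext stays untouched. The type and function names (Envelope, Encrypt, Decrypt, RotateKEK) are assumptions for the demo, and AES-GCM is assumed for both layers; the page does not state AOS's actual modes or key-wrap format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope is what lands on disk: data sealed under its DEK, and that DEK sealed under the KEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
func must[T any](v T, err error) T { // demo only: panic rather than plumb errors
	if err != nil {
		panic(err)
	}
	return v
}
// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
// open reverses seal; it returns an error on a wrong key or a tampered blob.
func open(key, blob []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// Encrypt draws a fresh 256-bit DEK for the object and wraps it under the KEK.
func Encrypt(kek, data []byte) Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Envelope{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, data)}
}
// Decrypt unwraps the DEK with the KEK, then opens the data with the DEK.
func Decrypt(kek []byte, e Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
// RotateKEK re-wraps only the 32-byte DEK under the new KEK; Ciphertext is
// returned unchanged, so rotating the KEK never re-encrypts the data itself.
func RotateKEK(oldKEK, newKEK []byte, e Envelope) (Envelope, error) {
	dek, err := open(oldKEK, e.WrappedDEK)
	if err != nil {
		return e, err
	}
	e.WrappedDEK = seal(newKEK, dek)
	return e, nil
}
```

After a rotation the old KEK can no longer unwrap the DEK, which is what makes KEK rotation a cheap, auditable operation compared with re-encrypting the dataset.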
If all this sounds complex, it is. The good news is that Nutanix AOS has simplified all this with a 1-click Nutanix Native Key Management solution. When configuring Encryption, you just choose the Native KMS as your key manager, and that’s it. Nothing to enter, nothing to configure!
The Nutanix KMS provides you with options to back up your keys and to rotate your keys (so you can comply with your IT Security policy).
It is important to note that Nutanix Native KMS augments our existing External KMS based key management solution. It provides customers with a choice they have been asking for. We still of course support External Key Managers if you have standardized on them or they are needed for regulatory compliance. Here is a summary of all the options available to our customers:
Perhaps the final piece of the puzzle for certain sectors is FIPS validation. The cryptographic modules used for Data Encryption and for Native KMS are FIPS validated. You can find them listed here.
That’s it! Data Encryption made simple, space-efficient and performant, so you don’t have to make any compromises while securing your infrastructure.
Peace (of mind).
Disclaimer: This blog may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such site.
2020 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo, and the other Nutanix products and features mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).