Customer problem
As an organization’s data assets continue to grow at an increasing rate, they often expand beyond a single physical location or site, increasing the vulnerability of data to unauthorized access. Ever-growing requirements to protect this information have accelerated the trend toward establishing replicate data centers, offsite data repositories, and offsite backup facilities, further increasing the number of points where an organization’s information may be compromised.
The expansion of corporate data to multiple locations exposes several weaknesses in distributed storage networks:
- The growing volume of corporate information makes it difficult to apply selective encryption of specific database records, specific files, specific types of email, etc. Applying point encryption solutions to specific locations is error-prone and subject to judgments about the relative value of individual data stores.
- A commonly overlooked aspect of the transmission of data between geographically dispersed locations is the number of points at which malicious intruders can access data during transmission.
- Traditional disk array or storage appliance-based data replication mechanisms do not provide an efficient method of encrypting data in transit across standard communications networks to remote sites, especially over high bandwidth, metro-area optical networks.
- Security at remote sites may not be equivalent to that at primary data centers. Data that is well protected at corporate sites is often subject to less rigorous control at secondary sites. If a third-party organization is used to host a replica site, the data is exposed to personnel outside the immediate or direct control of the enterprise IT organization.
SecureDR solution overview
CipherMax offers an enterprise-class solution for secure data replication that protects corporate data at both local and remote sites as part of a multi-layered, secure storage environment. CipherMax’s scalable, affordable, reliable encryption systems serve as a critical part of a layered security approach by securing remote locations without adding complexity or negatively impacting performance.
CipherMax systems encrypt all data as it is written from application servers to storage arrays, protecting local disks and storage media from compromise. As storage arrays replicate selected volumes to one or more remote sites, the encrypted data is moved over the network without requiring any additional security devices, protecting the replicated data in flight or at rest.
Solution highlights
- Accommodates integration into a heterogeneous configuration of hosts and targets irrespective of operating systems, storage vendor architectures, or host applications.
- Provides flexibility in the assignment of encryption keys. Each storage volume may be assigned a unique encryption key. Volumes may be grouped by business unit ownership or business function and assigned a common encryption key.
- Encryption keys can be imported from the primary site to remote sites. Replicated data then becomes accessible to authorized and authenticated servers/hosts at the remote site, as defined by security policies.
Security at remote locations
At a remote site, the encrypted, replicated data is written directly to a storage array and is therefore protected from compromise while it rests there. To access the data, the CipherMax system at the remote location supplies the encryption keys, and the data is then accessible at line speed.
The data at the remote DR site can be kept inaccessible simply by not enabling the encryption service for the specified target on the remote CipherMax systems. In fact, there is no requirement to have a CipherMax system at the remote site at all if there are no plans to let remote servers access the replicated volumes in cleartext form. Alternatively, by adding a CipherMax-enabled system at the remote site, the encryption keys can be imported from the primary site, and the replicated data becomes accessible to authorized and authenticated servers/hosts at the remote site according to the security policy definition.
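The following added example illustrates the data flow described in this overview (per-volume or per-group keys, encryption on the host write path, array-to-array replication of ciphertext, and remote access gated on both policy and key import). It is illustration code written for this page, not CipherMax's product or API: the site, volume, host and key names are constructed, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AES-based encryption a real appliance would use so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real block cipher so the example needs only the standard
    library; a production appliance would use AES.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one block: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the stored block was altered (tag mismatch)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, nonce, ciphertext)


class Site:
    """One location: a storage array holding encrypted blocks plus an
    encryption appliance holding keys and the host access policy (hypothetical model)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.array = {}        # volume -> encrypted block as stored on disk
        self.keys = {}         # key_id -> key bytes (present only where generated or imported)
        self.volume_key = {}   # volume -> key_id (metadata that travels with the volume)
        self.policy = {}       # volume -> set of hosts allowed cleartext access

    def assign_key(self, volume: str, key_id: str) -> None:
        """Bind a volume to a key id; several volumes may share one id (a group key)."""
        self.keys.setdefault(key_id, secrets.token_bytes(32))
        self.volume_key[volume] = key_id

    def write(self, volume: str, data: bytes) -> None:
        """Host write path: data is encrypted before it reaches the array."""
        self.array[volume] = seal(self.keys[self.volume_key[volume]], data)

    def replicate_to(self, other: "Site", volume: str) -> None:
        """Array-to-array replication copies the ciphertext block unchanged.
        Only the key id travels with it; the key itself stays in the appliance."""
        other.array[volume] = self.array[volume]
        other.volume_key[volume] = self.volume_key[volume]

    def export_key(self, key_id: str) -> bytes:
        return self.keys[key_id]

    def import_key(self, key_id: str, key: bytes) -> None:
        self.keys[key_id] = key

    def read(self, host: str, volume: str):
        """Cleartext comes back only if policy authorizes the host AND the
        volume's key has been imported at this site; returns (status, data)."""
        if host not in self.policy.get(volume, set()):
            return "denied", None
        key_id = self.volume_key[volume]
        if key_id not in self.keys:
            return "no-key", None
        data = unseal(self.keys[key_id], self.array[volume])
        if data is None:
            return "tampered", None
        return "ok", data


def demo() -> dict:
    """Walk through primary-side encryption, replication and remote key import."""
    record = b"constructed sample: Q3 ledger, account 4711"   # constructed sample data
    primary, dr = Site("primary"), Site("dr")
    primary.assign_key("vol-fin-1", "key-finance")
    primary.assign_key("vol-fin-2", "key-finance")   # same business unit, shared group key
    primary.assign_key("vol-hr-1", "key-hr")         # different unit, its own key
    primary.policy["vol-fin-1"] = {"app01"}
    primary.write("vol-fin-1", record)
    primary.replicate_to(dr, "vol-fin-1")

    out = {"remote_holds_cleartext": record in dr.array["vol-fin-1"]}
    dr.policy["vol-fin-1"] = {"dr-app01"}
    out["before_import"] = dr.read("dr-app01", "vol-fin-1")[0]      # key not yet at DR
    dr.import_key("key-finance", primary.export_key("key-finance"))
    out["after_import"] = dr.read("dr-app01", "vol-fin-1")           # policy + key: cleartext
    out["unlisted_host"] = dr.read("contractor-box", "vol-fin-1")[0]  # key present, no policy
    blob = dr.array["vol-fin-1"]
    dr.array["vol-fin-1"] = blob[:-1] + bytes([blob[-1] ^ 0xFF])     # simulate on-disk corruption
    out["after_tamper"] = dr.read("dr-app01", "vol-fin-1")[0]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Two design points carry over to any real deployment of this pattern: replication moves only the key identifier, never key material, so a remote array that nobody has imported keys into holds nothing but ciphertext; and the read path checks host policy before it even looks for a key, so importing a key to a DR site widens access only to the hosts named in that site's policy.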
