02-25-2010 08:21 AM
The difference between data-in-flight and data-at-rest lies in the way the data moves through or is stored on its media. In the case of data-in-flight, data is moving through a communications media such as a copper wire, optical cable or even air (in the case of wireless communications). Data-at-rest refers to data that has been written to a media such as a disk drive, tape cartridge, or CD.
Encrypting data-in-flight involves encrypting the data stream at one point and decrypting it at another point. For example, if you replicate data across two data centers and want to ensure confidentiality of this exchange, you would use data-in-flight encryption to encrypt the data stream as it leaves the primary data center and then decrypt it at the other end of the cable at the secondary data center. Since the data exchange is very brief, the keys used to encrypt the frames or packets are no longer needed after the data is decrypted at the other end, so they are discarded - no need to manage these keys.
For data-in-flight, the data will likely remain for long periods of time and the keys used to encrypt the data need to be managed for later retrieval of that data. This requires a key management system of some type, which usually comes in the form of an appliance, but it could also be a software application running on a server, for example. The Brocade encryption solution requires such a key management system and today we support the NetApp LKM, RSA/EMC RKM, HP SKM, and Thales TEMS key management appliances.
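Added example, not from the original post or any vendor's product: a small Python model of the two cases above. The cipher is an illustrative standard-library construction standing in for a real one, and the KeyManager class and key IDs are assumptions standing in for a key management appliance.

```python
import hashlib
import hmac
import os

# Illustrative authenticated stream cipher built only from the standard library
# (HMAC-SHA256 as a counter-mode PRF, encrypt-then-MAC); a real product would use AES-GCM.
def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mac_key, nonce + ct, "sha256")

def decrypt(key, blob):
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mac_key, nonce + ct, "sha256")):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def replicate_in_flight(payload):
    """Data-in-flight: a session key protects one transfer and is then thrown away."""
    session_key = os.urandom(32)  # constructed; in practice both ends agree it via key exchange
    received = decrypt(session_key, encrypt(session_key, payload))
    del session_key  # nothing to manage or retrieve later
    return received

class KeyManager:
    """Assumed stand-in for a key management appliance: the key lives here, apart from the data."""
    def __init__(self):
        self._keys = {}
    def create_key(self):
        key_id = os.urandom(8).hex()
        self._keys[key_id] = os.urandom(32)
        return key_id
    def get_key(self, key_id):
        return self._keys[key_id]  # KeyError: the data is unrecoverable if the key is lost

def write_at_rest(km, payload):
    """Data-at-rest: only the key ID is stored with the data; the key stays in the key manager."""
    key_id = km.create_key()
    return key_id, encrypt(km.get_key(key_id), payload)

def read_at_rest(km, key_id, stored):
    """Months later the key must still be retrievable from the key manager by its ID."""
    return decrypt(km.get_key(key_id), stored)
```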
02-25-2010 09:24 AM
In your last paragraph, don't you mean that data encrypted via 'data-at-rest' technology is typically held for long periods of time? Thus the need for a Key Management system for data-at-rest. I did have a question regarding data-in-flight: Is the data-in-flight technology proprietary for a given manufacturer or can you configure secure links between different manufacturers?
02-25-2010 02:13 PM
The definitions of data-at-rest vs. data-in-flight have evolved somewhat in the last few years. As indicated above, "at-rest" has historically referred to data which is sitting on storage media. Examples include being written to physical disks on a storage system or written out to physical tape. However, the definition of storage has really been redefined with the concepts of primary and secondary storage and data is moving much more than it ever has. In addition to physical tape, virtual tape libraries (VTL) have become a popular alternative for backup and archive. Data protection solutions offer customers new ways to replicate and mirror their data for high availability and (relatively) instant disaster recovery.
Furthermore, data written to physical tapes rarely stays on site, but is typically sent off site for long term storage. In the past few years, there have been some very high profile breaches in security where tapes containing confidential information have "fallen off a truck" or have been "misplaced." The data here was not considered "in-flight" but was certainly at risk by simply being "in-motion." Data is as mobile now as it has ever been and is likely to be increasingly so in the future.
Examples of technologies to help secure your data-in-flight include the use of IPSec or some form of link encryption between endpoints on an Ethernet-based storage network. SAN technologies have not historically participated in securing end to end communications, but the T11 spec has provisions for securing end to end FC communications using FC-SP. Implementation of FC-SP is quite sporadic and will likely vary vendor to vendor.
02-26-2010 09:54 AM
Thank you Mike and Roger.
I think this event is ending today. Do you keep this information for later reference in this community?