× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



These days the encryption is done by the devices themselves so CPU and throughput aren't even affected at all. From the announcements of one of the current FlashSystem models:

"FlashCore Modules integrate IBM MicroLatency® technology, advanced flash management, and reliability into a 2.5-inch SFF NVMe with built-in performance-neutral hardware compression and encryption."

You might think "Yes I've encrypted credit cards and SSNs and anything else that I think needs to be encrypted." But I'm betting there is still a fabulous amount of information on your system that a crook might find useful.

Encryption on the SAN is a one time charge and does the entire system every day forward. Why take the chance that you've actually gotten EVERY valuable bit of data encrypted?

- L



On 4/14/2021 4:01 PM, Jim Oberholtzer wrote:
Yes. Using both SAN encryption and OS encryption does not make much sense. The SAN just encrypts encrypted data. Waste of cpu.

Now using SAN encryption with enforced SSH/SSL communications, that makes more sense to keep data in transit and at rest protected. The third layer becomes hardening the server so only authorized users can gain access to the objects in question, which implies solid object level authorization.

Jim Oberholtzer
Agile Technology Architects



On Apr 14, 2021, at 2:41 PM, Peter Dow <petercdow@xxxxxxxxx> wrote:

Hi Larry,

If you encrypt through the database, isn't the data also encrypted at rest? If someone stole the disk, they still wouldn't be able to read the encrypted data, right?

--
*Peter Dow* /
Dow Software Services, Inc.
909 793-9050
petercdow@xxxxxxxxx <mailto:petercdow@xxxxxxxxx>
pdow@xxxxxxxxxxxxxx <mailto:pdow@xxxxxxxxxxxxxx> /

On 4/14/2021 8:29 AM, Larry "DrFranken" Bolhuis wrote:
Even if the disks are encrypted at rest, administrators on the server very likely has access to see the data on the disks or in the database through the operating system.

Think about it this way: The two encryption options solve different problems.

Encryption at rest solves the problem of someone stealing the disk or the SAN. Physical possession does not enable access to the data. However once unlocked the disks provide the data to the O/S UN-encrypted. No data is protected from prying eyes who have access to the O/S.

Encryption through the database solves the problem of users and administrators on the system from accessing data they are not allowed to see, even if they have special authorities such as *SAVSYS or *ALLOBJ.

In many environments it's not which to pick it's both!

- DrF

On 4/13/2021 6:52 PM, Laurence Chiu wrote:
We are about to implement SAN based encryption on our FS5030 SAN.

A comment was made by one of our security team who said while disk
encryption solves the problem of safe disk destruction it does not solve
access to data at rest if you have access to the LUN like a disk
administrator.

So OS level encryption is preferable.

I don't understand that. If data is encrypted and keys are managed locally
or via SKLM what tools would an administrator have to be able to view the
data? They might be able to delete the LUN but that hardly is access.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://amazon.midrange.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.