Beyond NonStop Encryption
In the world of NonStop, we may take it for granted that high availability matters. But so does scalability, and that includes the ability to scale protection of data at-rest beyond NonStop to the broader enterprise storage ecosystem, where data may also be in motion and in use. Because if data isn’t protected and trusted, does it matter that it’s always available to your applications? Probably not.
The reality is, your sensitive, mission-critical data not only sits at-rest in NonStop, but may be accessed, used or stored throughout interrelated applications and systems where value is added or can be taken away if that data is compromised. How do you know if data was kept safe while outside of the NonStop environment? What if it was compromised and returns in an untrusted state? Effectively, the information’s value needs to be protected both inside and outside of NonStop as it is used and transformed in order to maintain complete information lifecycle integrity.
Today, the server itself is no longer a reliable border control, as sensitive data moves throughout its lifecycle. Whether at-rest in archives, nearline storage, or somewhere in-between with applications, it’s critical to take a holistic approach to how that data is governed. Minimizing risk exposure from data misuse or attack means closing gaps in protection and control. No system administrator wants to tell an auditor that their NonStop data was encrypted and presumably safe from a security breach, but something strange happened on its way to and from another system, application or archive. And with today’s hybrid infrastructure, there’s even more risk exposure if relying on cloud applications and storage that IT teams must address by considering information risks beyond purely NonStop.
So, How Do I Get There?
There is good news. For years NonStop users have trusted and relied upon HPE Enterprise Secure Key Manager (ESKM) to centrally control encryption by interfacing with NonStop Cluster I/O Modules (CLIMs) to enable volume level encryption. Based on a centralized approach to automate key management, HPE ESKM helps simplify security policy and auditing by protecting encrypted data at-rest on NonStop systems, while encryption keys are separated, centrally-located and kept safe within the HPE ESKM high-assurance security appliance.
But did you know that the HPE ESKM appliances you may already have in place can also control encryption outside of proprietary NonStop systems? Let’s discuss this aspect a bit further…
HPE ESKM today can simply plug key management into existing NonStop systems, but it was designed for much more, and IT administrators who manage only a single NonStop application may be touching just the tip of the iceberg. HPE ESKM supports the OASIS Key Management Interoperability Protocol (KMIP) standard, which means it can extend encryption key management to any other infrastructure system that is KMIP-compatible. This consistent management framework gives security officers and compliance teams a single basis for enterprise-wide, global security policy.
Much like a standard way of plugging toasters and lamps into the same type of power socket, HPE ESKM allows storage, servers, hybrid cloud systems, networked devices and more to plug into it for key management by using KMIP as the common key management language. Not only is this a great message to tell the CISO that you can now extend data protection with the same HPE ESKM appliances already running operationally, but the business can quickly realize increased ROI and the consistency of a single pane of glass approach to managing data security risk that meets compliance mandates with an existing solution.
But Hold on a Sec—What if my IT Systems Can’t Support Native Data Encryption?
What good is a centralized key management system without the encryption? KMIP is the “glue” that can enable HPE ESKM to plug into virtually any storage or server system, but it assumes those systems are encryption-ready and can communicate using the same language. Fortunately, HPE maintains the largest IT vendor supported ecosystem of encryption-ready storage and server infrastructure products today.
The same key management that automates security controls for NonStop can now easily be extended to StoreEver tape libraries, 3PAR disk storage, ProLiant servers, and even Connected MX cloud-based backup at the desktop level. The list goes on. HPE ESKM can help break down silos of encryption and simplify how security is deployed across extended storage and server estates with a unified approach. However, those systems need to support encryption themselves, such as self-encrypting drives, LTO tape, controller-based encryption, and so on. Or do they?
HPE recently introduced a new HPE ESKM encryption solution with Bloombase called StoreSafe. Using a proxy-based approach, StoreSafe transparently encrypts data moving over standard storage network protocols (Fibre Channel, iSCSI, NFS, CIFS, REST, etc.) before that data is written to storage. By encrypting on the fly over standard network protocols, StoreSafe extends data encryption to IT infrastructure beyond NonStop, even to legacy and proprietary systems that are not capable of native encryption. And by using KMIP, StoreSafe centrally manages its encryption keys in HPE ESKM, separate from the data and the encryption runtime, for greater security assurance.
So what are the benefits? When no native encryption capability is present with the IT system, StoreSafe addresses this using an encryption proxy approach. In addition, StoreSafe can support proprietary systems where vendors don’t allow open interoperability. The combination of HPE ESKM plus StoreSafe is similar to NonStop CLIM integration, however with these differences:
- StoreSafe uses standard storage protocols for encryption interoperability to protect data in-line between applications and target storage systems, while managing keys with HPE ESKM using KMIP
- Legacy storage systems that don’t already have native encryption capabilities can proxy the encryption with StoreSafe prior to writing the data at-rest, and
- Proprietary systems that force users into adopting locked-in approaches can be circumvented with StoreSafe and HPE ESKM as a standards-based offering.
Designed for NonStop, built for extensibility
Offering standards-based solutions for NonStop means existing investments in key management using HPE ESKM can now be extended for wider protection of data across IT systems, without compromising a unified approach to security policy enforcement and auditing. NonStop users need to think outside the server box by addressing today’s threats holistically, as information moves throughout the organization and must remain trusted at every step.
Using an existing HPE ESKM deployment to enable encryption across additional storage and servers, and using StoreSafe to address legacy and proprietary IT systems, helps ensure the same controls over NonStop data can now apply universally. IT administrators, already comfortable managing encryption for NonStop, will find that extending HPE ESKM to new encryption applications comes easily with the ability to segregate applications to use specific pools of keys, providing reliable separation as required.
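The two properties described above, an in-line proxy that encrypts before the write while the key stays in a central manager, and application-specific key pools that keep one application from using another's keys, are modelled in the following added example. It is illustrative code written for this article, not HPE ESKM, KMIP or StoreSafe code; the `KeyManager` and `EncryptingProxy` classes, the pool names and the HMAC-based keystream (a constructed stand-in for AES so the script runs with the standard library only) are all assumptions.

```python
import hashlib, hmac, os, secrets


class KeyManager:
    """Stand-in for a central key manager: hands out keys by identifier and
    enforces that a client only receives keys from the pool it is registered to."""
    def __init__(self):
        self.pools = {}  # pool name -> {key_id: key bytes}; keys never leave this object unchecked

    def create_key(self, pool: str) -> str:
        key_id = f"{pool}-{secrets.token_hex(4)}"       # unique identifier handed back to the client
        self.pools.setdefault(pool, {})[key_id] = secrets.token_bytes(32)
        return key_id

    def get_key(self, client_pool: str, key_id: str) -> bytes:
        if key_id not in self.pools.get(client_pool, {}):  # cross-pool requests are refused
            raise PermissionError(f"{client_pool} may not use key {key_id}")
        return self.pools[client_pool][key_id]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XORed over the data (constructed stand-in
    for a real cipher). Symmetric, so the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class EncryptingProxy:
    """Sits in the storage path for one application pool: fetches the key by id,
    encrypts before the write, and stores only the key id beside the ciphertext."""
    def __init__(self, km: KeyManager, pool: str):
        self.km, self.pool = km, pool

    def write(self, key_id: str, plaintext: bytes) -> dict:
        nonce = os.urandom(16)
        ct = keystream_xor(self.km.get_key(self.pool, key_id), nonce, plaintext)
        return {"key_id": key_id, "nonce": nonce, "ciphertext": ct}   # no key material stored

    def read(self, record: dict) -> bytes:
        key = self.km.get_key(self.pool, record["key_id"])
        return keystream_xor(key, record["nonce"], record["ciphertext"])


def roundtrip(plaintext: bytes = b"constructed sample record") -> tuple:
    """Returns (decrypted bytes, stored record keys, whether a second pool was denied)."""
    km = KeyManager()
    tape = EncryptingProxy(km, "tape-library")
    record = tape.write(km.create_key("tape-library"), plaintext)
    try:                                     # a proxy registered to another pool cannot read it
        EncryptingProxy(km, "san-volumes").read(record); denied = False
    except PermissionError:
        denied = True
    return tape.read(record), sorted(record), denied
```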
And yet, this is not the end of the story. HPE ESKM key management, while easy to plug in to your storage and server systems, can also operate alongside the HPE SecureData encryption solution for key management at the application layer for a data-centric approach that provides multi-layered protection, no matter if data is in use, in flight or at-rest. The combination of infrastructure, application and data-centric solutions delivers comprehensive protection for the NonStop environment and beyond.
If you already have HPE ESKM key management deployed with NonStop using Clustered I/O volume-level encryption, you may have what you need to now test encryption across similar HPE and ESKM partner ecosystem storage and server applications. Just be sure to check if they support KMIP interoperability for key management. If you do not have HPE ESKM, your HPE rep can provide a demonstration of NonStop encryption and key management to offer an overview of how easy it is to enable data protection.
Don’t be the next hacker statistic by allowing your trusted NonStop data to become another news headline when IT systems that use that data across the organization remain unprotected and at risk of a data breach. HPE ESKM and the ecosystem of HPE Security – Data Security solutions can help your data at-rest “rest assured” and protected with an extensible approach to protecting sensitive data that maximizes your security investment.
This article first appeared in Jan/Feb 2017 issue of The Connection magazine, for the HPE NonStop audience.