OK, encrypt your disks after you've done everything else

The other day I wrote a blog entry that said encrypt your tapes but not your disks.  My fundamental premise was that encrypting data at rest in your disk drives only protects from the thing that will never happen: someone walking out with an entire disk array under their arm.  Single disk drives yanked out of the array (more likely) were not going to be any use to anyone even if you didn’t encrypt them.

Turns out I was wrrrmph.

Turns out that the most sensitive data is probably very recoverable from a single drive pulled out of a RAID array.  A whole lot of 1K database rows can fit inside one 64K block stored on an individual disk drive in a parity-protected disk array.  (See the comments on my previous post for details.)  And it turns out that you can’t degauss hard drives and then return them, so there’s also the exposure of what happens when you return a failed disk drive to the manufacturer.
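To make that point concrete, here is a small added simulation (my own code, not from the post or its comments) that lays 1K rows out across a four-member RAID-5 set with 64K stripe units (an assumed layout: three data chunks plus one rotating parity chunk per stripe) and counts how many complete rows can be read back from any single pulled drive, with no other member present:

```python
import hashlib
import struct

CHUNK = 64 * 1024   # stripe unit written to each member disk (the post's 64K block)
ROW = 1024          # size of one database row (the post's 1K row)
DISKS = 4           # assumed layout: 3 data chunks + 1 parity chunk per stripe

def make_row(i):
    """Constructed sample row: a 4-byte id plus a hash of it, repeated to ROW bytes.
    The hash lets the scan tell a real row apart from a parity chunk whose XOR
    merely happens to look like a plausible id."""
    ident = struct.pack("<I", i)
    return (ident + hashlib.sha256(ident).digest()[:28]) * (ROW // 32)

def make_table(n_rows):
    return b"".join(make_row(i) for i in range(n_rows))

def xor_chunks(chunks):
    acc = 0
    for c in chunks:
        acc ^= int.from_bytes(c, "big")
    return acc.to_bytes(len(chunks[0]), "big")

def stripe_raid5(data, disks=DISKS, chunk=CHUNK):
    """Lay `data` out over `disks` members with rotating (left-symmetric) parity.
    Returns one bytearray per member: what you would read off that drive alone."""
    members = [bytearray() for _ in range(disks)]
    per_stripe = chunk * (disks - 1)
    for idx, off in enumerate(range(0, len(data), per_stripe)):
        stripe = data[off:off + per_stripe].ljust(per_stripe, b"\0")
        chunks = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        parity_disk = (disks - 1 - idx) % disks
        data_chunks = iter(chunks)
        for d in range(disks):
            members[d] += xor_chunks(chunks) if d == parity_disk else next(data_chunks)
    return members

def rows_readable_from(member):
    """Ids of rows recoverable from ONE pulled drive.  Rows are chunk-aligned, so a
    fixed-stride scan finds every row in a data chunk; parity slices fail the check."""
    found = []
    for off in range(0, len(member), ROW):
        blob = bytes(member[off:off + ROW])
        if len(blob) == ROW and blob == make_row(struct.unpack("<I", blob[:4])[0]):
            found.append(struct.unpack("<I", blob[:4])[0])
    return found

def readable_per_disk(n_rows=384):
    """How many of `n_rows` rows each single member disk exposes on its own."""
    return [len(rows_readable_from(m)) for m in stripe_raid5(make_table(n_rows))]

if __name__ == "__main__":
    print(readable_per_disk())  # [128, 128, 64, 64]: every drive leaks whole rows
```

Every member exposes whole rows in the clear; only the parity chunks are unreadable on their own, which is the gap that encryption in the application (or on the array) closes.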

I was wrong about the risk, but I still think there are bigger fish to fry in the datacenter.  Sticking with just my world, we’ve got companies that:

  1. Don’t copy their backups (they keep only one copy of every disk or tape they make)
  2. Don’t send their backups offsite
  3. Wait a week or two before sending their backups offsite
  4. Don’t back up their laptops
  5. Back up their remote offices using tapes that aren’t copied and/or aren’t ever sent anywhere

If you’ve got data that isn’t being backed up, or that isn’t being stored in a different location from where it was backed up, you will lose data.  This isn’t a “maybe some guy might steal a disk drive, and if he does he might be able to read some data on it.”  Every company in the world has lost a disk drive somewhere in their environment.  I’m a very small company and I lost four this year alone.

The number one reason people give me for being on the list above is money.  So my point is that if you’re spending money on encrypting your disks, but you’re not backing your stuff up in the first place — you’ve got your priorities all wrong.

I have the same opinion when I see people spending money to make their backup server highly available while they don’t have money to make a second copy of their backups.  Who cares if your backup server goes down for an hour?  It’s a big deal, but the only app that’s down is backup — not production.  The chances of you losing data because you had a failed tape and no copies are much higher.  Save the money on the HA software for the backup server and spend it on something that actually makes your backups better.

I also think you can minimize this risk by doing a few things, all of which are cheaper than full disk encryption:

  1. Strong physical security in the data center.  Plenty of good things you can do.
  2. Video surveillance in the data center
  3. Identify really sensitive data and encrypt it in the application
  4. Strong physical security (locks) on the disk arrays themselves.  Prevent someone from grabbing a disk drive.
  5. Monitoring on the same.  If a disk drive is pulled, you should be notified immediately.

Like I said, there are lots of things you can do (and should do) that don’t cost nearly as much as full disk encryption, and most of which you should be doing anyway.

----- Signature and Disclaimer -----

Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Evangelist at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.

2 thoughts on “OK, encrypt your disks after you've done everything else”

  1. Colin Yemm says:

    Adding on to this, most storage vendors have a “return failed equipment” clause in their support contracts – when a drive fails, it goes back to the vendor (failure analysis = good; refurbishment = not so much ;-). At the organization I am contracted to right now, this is not a big deal for the production data – it’s all encrypted at the file system level. System data, not so much, but not a problem as that is local and not SAN storage. The dedup appliances are another matter entirely ;-). Apparently the ability to retain failed disks from the dedup appliance must be purchased as part of the support contract – and we don’t know yet if putting the disks through a scrub before returning them is an option.
