Has anyone implemented encryption in VSP or in SAN Fabric? What is the requirement, and what is the advantage of both?
-> I can mark everyone's answer as helpful,
It is a restriction in the Jive Community Software: you can only mark TWO answers as Helpful and only ONE as Correct.
I opened a similar thread here, and I'm working on different solutions at various customers.
Brocade Encryption & Thales Encryption with HDS
In fact, there are different methodologies of encryption:
one is simple Port Encryption; the most complex are Data-in-Flight and Data-at-Rest.
Thanks Antonio Bongiorno. How does port encryption work?
I am going through this blog on Brocade.
What is the difference between Data-At-Rest com... | Brocade Communities
This thread, as you can see, is from 2010.
Port Encryption / Data-in-Flight is available and supported on the 16G DCX-8510 and 6510 platform, which was not available in 2010.
I believe, but I'm not 100% sure, the new FOS 7.3 is planned to support Port Encryption for 6510 and 6520.
I'll try to get more info.
Thanks Antonio Bongiorno, will wait for your response.
In a few words, if you are looking for a simplified encryption methodology that does not require additional encryption equipment, you should focus on Data-in-Flight Encryption.
It is already supported on the Condor3 ASIC 6510, 6520 and DCX-8510 Series.
I forgot to mention: in the meantime, please have a look at the Brocade SAN Design Best Practices; this guide covers some of Data-in-Flight.
Remember that it is only Condor3 to Condor3 traffic. Traffic from/to HBA and Array/Tape is not encrypted. I think the Brocade Fabric Adapter will start to support this soon but I'm not 100% sure. It still leaves switch-port to array/tape
What sort of requirement do you have? What sort of environment/OS and apps are running? I implemented BES with Thales + HDS AMS series. I have my own reasons to believe that it was a pretty tough design to implement and yet not stable, due to multiple reasons, for a long time. We also had compatibility issues with vxfs and AIX RAC servers resulting in data corruption. In fact we had to replace almost 3 BES switches during a span of 6 months; we are still looking for the root cause. I must say Brocade gave us great support during these times and somehow I felt they were also discovering the BES
But finally, after 2 years of implementing it, when I look back, I think it was one of the toughest projects I worked on and truly satisfying from a technical perspective.
-->>In fact we had to replace almost 3 BES switches during a span of 6 months ,....
Indeed, replacing 3 BES switches in a short time of 6 months is surely not a joke.
Can I ask what kind of problems you met with the BES?
Hello Kamalarajan S.
It depends on what you want to achieve to make the best judgement call on which encryption method you want/need. If your requirement is to have encryption at rest, the USP-V/VSP can do that for you. If you require in-flight plus at-rest encryption, it depends where you want this: end-to-end from HBA to the array, only on ISLs, does it need to be hardware managed or can OS/application based solutions provide an alternative?
My preference has always been to only encrypt what needs to be encrypted. This means mostly that only parts of the data that contain sensitive information require encryption. This can be arranged by databases and/or applications. This allows for the best granularity and it leaves hardware options like compression open for use. If you decide to encrypt entire filesystems then any hardware based appliances like Riverbed or SAN based compression methods like on the Brocade 7800 are useless.
Again, it takes some investigation to find out what the options are from a business requirement and only then you're able to make a good decision on which platform you might want to implement that.
Erwin van Londen
-->>If you decide to encrypt entire filesystems then any hardware based appliances like Riverbed or SAN based compression methods like on the Brocade 7800 are useless.
I don't know Riverbed, but the 7800.
I totally agree with you that it makes no sense to use the 7800 for encryption; however, this platform is primarily not designed for, and not intended to be used in, such environments.
The "compression" encryption features on the 7800 from my point of view have nothing to do with the classic "Data Encryption".
Selective encryption is not a scalable solution in terms of manageability.
If I had 1 PB on a VSP to worry about then I guess I would use VSP based encryption and encrypt everything, secure the keys and forget about it.
Just my two cents.
Personally, and I really mean personally, I think the entire encryption burden is being pushed onto the storage and networking practices because the applications and databases have an overall lack of manageability of this business requirement even though it belongs there. It therefore lacks scalability on this level, so too many companies take the easy way out and do a hammer-like scenario and encrypt everything.
It's the same with DR scenarios whereby a feasible replication design is skipped and entire datasets are copied. This puts a major burden on connectivity, bandwidth and other resources with accompanying dollar amounts.
As you can see from lots of studies performed by @David Merrill, it's often the procurement phase that is indicative of investment; however, with a little additional investment to investigate the company's data, the OPEX over numerous years drops significantly. Anyway, I also agree that if you have limited resources in people, money, time etc., it's often very tempting to just flick on the "do it all" button and move on. It's not often the best scenario however...
Thank you all for the suggestions.
My requirement is as follows.
1. Application - SAP
2. Host - AIX and HPUX
3. Storage - VSP
4. Dedicated Pool in Storage for the above said hosts/applications
5. Number of above said Hosts - 84
My question is: if I get a VSP encryption license, how will that work? Does it work on a capacity basis, or can I encrypt based on pools?
Since the number of hosts is 84, what is required for enabling port-based encryption (maybe end-to-end)? Which will be more secure and cost effective? The reason is that after implementing it I will not be managing the infra, so this should also not be too complex for the next guy who comes in to handle it.
Well, I would say ask for host-based encryption; that would work much better if this is not a dedicated environment for these 84 hosts. Also, is the encryption requirement for on-fly or @rest? If it is @rest, then VSP encryption is best suited.
I know Oracle has inbuilt encryption which worked great for the environment and we never had any issues, but as I said, you need to check more on the requirement (@rest or in-flight).
I think the VSP encryption license is per capacity, but I suggest asking HDS more about it, because I read "Each Virtual Storage Platform is capable of supporting up to 32 encryption keys per platform. This allows for encryption to be used as an access control mechanism within the storage system and for different classifications of data to be stored on the same storage system", so I think there would be a way to encrypt only certain data.
From what I know, the encryption is done at the controller level; no major reconfiguration to the fabric or hosts is required.
I would suggest going for host-based encryption, or if @rest go for VSP-based, but in-flight might be a little complicated because it is not transparent in the truest sense.
I can mark everyone's answer as helpful, but it doesn't allow me. Donna Garber, please help.