Sunday, October 10, 2010

Storage Media Encryption

Cisco Storage Media Encryption (SME) protects data at rest on heterogeneous tape drives and virtual tape libraries (VTLs) in a SAN environment using secure IEEE-standard Advanced Encryption Standard (AES) algorithms.
Cisco SME hardware and software are fully integrated with the Cisco MDS 9000 Family. Encryption is performed as a transparent Fibre Channel fabric service, which greatly simplifies deployment and management of sensitive data on SAN-attached storage devices. Unlike competitive offerings, Cisco SME requires no downtime to deploy. Cisco SME is built on a Federal Information Processing Standards (FIPS) system architecture and offers secure, comprehensive key management, with support for offline media recovery (Figure 1).
Figure 1. Cisco Storage Media Encryption
Features and Benefits
Cisco SME provides a complete, integrated solution for encryption of data at rest on heterogeneous tape drives and VTLs. Storage in any virtual SAN (VSAN) can make full use of Cisco SME, providing exceptional flexibility for provisioning this transparent fabric service. Cisco SME requires no SAN reconfiguration or rewiring, eliminating downtime for deployment.
Cisco SME employs clustering technology to enhance reliability and availability, enable automated load balancing and failover capabilities, and simplify provisioning. To simplify management, this encryption service is provisioned as a single, logical SAN fabric feature rather than as individual switches or modules.
Secure lifecycle key management is included, with essential features such as key archival, shredding, automatic key replication across data centers, high-availability deployments, and export and import for single- and multiple-site environments. Cisco SME provisioning and key management are both integrated into Cisco Fabric Manager; no additional software is required for management.
Cisco SME includes the following features:
Rapid, scalable deployment: Cisco SME performance can easily be scaled up by adding more Cisco MDS 9000 Family switches or modules. The innovative Fibre Channel redirect capabilities in the Cisco MDS 9000 SAN-OS and NX-OS Software enable traffic from any switch port to be encrypted without SAN reconfiguration or rewiring.
High availability: Cisco SME services employ clustering technology to create a highly available solution. The cryptographic cluster formed enhances reliability and availability, enables automated load-balancing and failover capabilities, and simplifies provisioning as a single SAN fabric service rather than as individual switches or modules. Additionally, Cisco Key Management Center (KMC) supports 1+1 high-availability deployments.
Secure solution: Cisco SME uses strong, IEEE-compliant AES 256 encryption algorithms to protect data at rest. Advanced Cisco MDS 9000 SAN-OS and NX-OS Software security features, such as Secure Shell (SSH), SSL, RADIUS, and Fibre Channel Security Protocol (FC-SP) provide the foundation for a secure FIPS architecture.
Comprehensive lifecycle key management: The Cisco KMC provides dedicated key management for Cisco SME, with support for single- and multiple-site deployments, including automatic key replication across data centers and high-availability deployments. Cisco KMC provides essential features such as key archival; secure export, import, and translation for distribution; and key shredding. Enterprise-wide lifecycle key management is also available using industry-leading software integrated through an open API included with Cisco SME.
Integrated management: Cisco SME is configured and provisioned using the Cisco MDS 9000 Family command-line interface (CLI) or Cisco Fabric Manager; no new management software is needed. In addition to consistent management interfaces, Cisco SME supports role-based access control (RBAC) and RADIUS and TACACS+ servers for unified credentials management.
