
Securing data at rest is no longer optional—but you do have alternatives

IBM Spectrum Virtualize provides the optimal solution for securing data at rest and streamlines the transition to software defined storage


The data security priority

If you want to know where chief information officers (CIOs) and chief information security officers (CISOs) are focusing their attention, just follow the money. A recent survey by ESG Research shows clearly that information security was a top spending priority in early 2015 by a wide margin.1

Security initiatives top the list of IT spending priorities for CIOs and CISOs.

One explanation for this result is the extraordinarily high—and steadily rising—cost of data breaches. Each lost or stolen record now costs an average of USD 154, up 12 percent since 2013.2 Because a typical breach can involve thousands or even millions of records, IT decision makers have strong incentives to invest heavily in security.

However, as every IT professional knows, the goal of 100 percent loss prevention is unrealistic. Therefore, the question becomes, how can you protect sensitive customer information and corporate intellectual property when you can’t ensure the physical safety of all your data?

Encryption is the answer. Even if cyberthieves manage to steal encrypted data, they still cannot access the information within the data; all they get is a useless collection of bits and bytes. Encryption is rapidly taking its place alongside other tools such as firewalls and intrusion prevention systems as necessary components of a comprehensive approach to security.


The ABCs of storage encryption

Encryption is the process of encoding data; only someone who possesses the right key can read the data. In the context of the data center, encryption is usually performed when data is written to storage and decrypted when it is read from storage.

This form of encryption is often referred to as encryption of data at rest, meaning that the data is encrypted only while it is stored. The data is decrypted when it is read, so applications always have access to the clear data.

Many encryption solutions today are based on the 256-bit variant of the Advanced Encryption Standard (AES-256). How secure is AES-256? If you had methodically started trying every possible key back in the time of the dinosaurs, you still wouldn't be anywhere near finding the right one. For all practical purposes, AES-256 cannot be broken by brute-force key search.

Symmetric key encryption, commonly used in data security, encrypts and decrypts data with the same secret key.
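As an added illustration (not IBM code and not from this paper), the following Go program models the encrypt-on-write, decrypt-on-read layer just described, using AES-256 in GCM mode from Go's standard library: the backing store, here a map standing in for the disk array, only ever holds ciphertext, the same symmetric key is needed to read it back, and a wrong key or a tampered record fails on read rather than yielding garbage. Record names and key values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptedStore models the encrypt-on-write / decrypt-on-read layer the text
// describes: Backing (a map standing in for the disk) only ever holds ciphertext.
type EncryptedStore struct {
	aead    cipher.AEAD
	Backing map[string][]byte
}

// NewEncryptedStore takes the one symmetric key; 32 bytes selects AES-256.
func NewEncryptedStore(key []byte) (*EncryptedStore, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // authenticated mode: tampering is detected
	return &EncryptedStore{aead: aead, Backing: map[string][]byte{}}, err
}

// Write encrypts on the way to storage: a fresh random nonce per write is kept
// in front of the ciphertext, and the record name is bound as associated data.
func (s *EncryptedStore) Write(name string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.Backing[name] = s.aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Read decrypts on the way back, so the application always sees clear data;
// a wrong key, a record moved under another name or a flipped bit fails here.
func (s *EncryptedStore) Read(name string) ([]byte, error) {
	n := s.aead.NonceSize()
	rec, ok := s.Backing[name]
	if !ok || len(rec) < n {
		return nil, errors.New("no such record")
	}
	return s.aead.Open(nil, rec[:n], rec[n:], []byte(name))
}
```

Inspecting `Backing` after a `Write` shows what a thief who copies the array would get: the nonce, the ciphertext and the authentication tag, none of which reveal the record without the key.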


Three options for data security

As you can see, the business case for encryption is strong—and it’s growing stronger. When you decide to implement data-at-rest encryption in your security infrastructure, three basic options are available:

  • Complete hardware replacement
  • Selective hardware replacement
  • IBM encryption

Each of these options is evaluated based on three criteria: security, manageability and affordability.

Complete hardware replacement

Replacing the current storage hardware with self-encrypting drives (SEDs) that provide encryption at the disk or array level is at one end of the scale for evaluating data-at-rest encryption.

Security: Excellent. Hardware-based encryption provides a high level of security because the encryption is embedded in the device itself and applies to all data written to the disk, without exception.

Manageability: Good. A completely new environment is far easier to manage because the new infrastructure is homogeneous and has a single management paradigm.

Affordability: Poor. In many cases, this option is out of the question because of the high cost. Propose obsoleting systems that have years of serviceable life left, and watch your chief financial officer’s eyes glaze over.

Complete hardware replacement does the job, but is too radical for many applications. It’s analogous to tearing down and rebuilding your house just because bad weather is coming. What’s needed is a way to boost security without bringing in the forklifts.

Selective hardware replacement

If replacing all the hardware is too costly, how about replacing some of the hardware? In this approach, storage architects try to walk a fine line by installing SEDs for specific classes of sensitive data; the rest of the data is either unencrypted or software encrypted.

Security: Good. Although storage on SEDs offers good security, the encryption is local to the array and cannot protect data elsewhere in the heterogeneous storage infrastructure. In practice, this solution results in silos of encryption tools that can’t provide uniform, comprehensive security.

Manageability: Poor. Which data goes where? How do you categorize data into sensitive versus nonsensitive data? Storage managers have to keep the different categories straight and ensure the right data goes to the right disk. And that approach takes time away from more strategic activities.

Affordability: Good. IT managers can phase in SEDs as existing systems reach end of life, which offers a more palatable alternative. However, an accurate cost analysis needs to include the additional staff time required to manage this heterogeneous solution, which negates some of the cost advantage.

Selective hardware replacement is better than complete hardware replacement, but it is still suboptimal in all three evaluation categories. It’s far better than doing nothing—just not the best you can do.

IBM Encryption

Frustrated with the trade-offs, many IT executives are asking themselves a simple question: "Isn’t there a solution that optimizes security, manageability and cost?" The answer is an emphatic "Yes"—with IBM encryption.

Security: Excellent. IBM encryption implements a single, vendor-agnostic storage encryption solution.

Manageability: Excellent. IBM encryption is part of IBM® Spectrum Virtualize™ storage virtualization, an IBM Spectrum Storage™ Suite component. This highly scalable offering provides common functionality management and mobility across heterogeneous storage types. It enables IT technicians to manage the storage environment quite efficiently and with essentially zero downtime.

Affordability: Excellent. In the IBM approach, data is encrypted and decrypted upstream from the storage array, so the hardware doesn’t have to be replaced. It’s a simple and cost-effective solution.

IBM Spectrum Virtualize avoids the trade-offs that compromise the first two options. The IBM approach not only provides an optimum way to secure data at rest, it also streamlines the transition to software defined storage (SDS).


The road to software defined storage

The decision to implement encryption doesn’t happen in a vacuum. Any major IT initiative today needs to be considered in the context of data center virtualization—in this case, SDS.

SDS is finally becoming a reality. A recent survey of enterprise IT professionals found that nearly two-thirds either have deployed SDS or are actively planning to do so.3 IBM Spectrum Virtualize software is an SDS offering built on the well-known and field-tested IBM SAN Volume Controller. Unlike tools that encrypt only the data on a single array or are limited to arrays by a single vendor, IBM Spectrum Virtualize can protect data across the entire storage infrastructure, which is optimal for SDS implementations.

The concept of locating encryption functionality in the SDS software layer rather than in the underlying—typically disk—storage systems reflects IBM’s commitment to flexible, vendor-agnostic storage solutions.


Encryption and more

When you opt to deploy IBM Spectrum Virtualize, you get a tremendous storage encryption option—and a whole lot more. IBM Spectrum Virtualize implements key storage functions such as intelligent compression, innovative replication technology, snapshots and mirroring, thin provisioning, data migration and tiering. These IBM Spectrum Virtualize features give you powerful upgrades for storage systems that lack such capabilities.

IBM Spectrum Virtualize is an SDS offering built on IBM SAN Volume Controller.

Beyond securing your valuable data assets, IBM Spectrum Virtualize delivers other tangible business benefits:

  • Improves storage utilization up to 100 percent
  • Supports up to five times as much data in the same physical space
  • Simplifies management of heterogeneous storage systems
  • Enables rapid deployment of new storage technologies for greater return on investment
  • Enhances application availability with virtually zero storage-related downtime

The next steps

IBM offers organizations a choice. They can procure IBM Spectrum Virtualize software as part of IBM SAN Volume Controller, the IBM Storwize® family, IBM FlashSystem™ V9000 and the VersaStack Solution by Cisco and IBM to have their storage, their encryption, their way.

Be sure to check out these other informative resources:

Learn more about IBM Spectrum Storage.

1,3 "2015 IT Spending Intentions Survey," ESG Research Report, February 2015.

2 "2015 Cost of Data Breach Study: Global Analysis," Ponemon Institute, benchmark research sponsored by IBM, May 2015.

© Copyright IBM Corporation 2016. IBM, the IBM logo, FlashSystem, IBM Spectrum, IBM Spectrum Virtualize, and Storwize are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at

VersaStack is a trademark or registered trademark of Cisco and/or its affiliates in the US and other countries.

The use of the word "partner" does not imply a partnership relationship between IBM and any other company.

This document is current as of the initial date of publication and may be changed at any time. Not all offerings are available in every country in which IBM operates.