By Josh Ament, Staff Engineer, NetApp, and Juan Mojica, Product Manager, NetApp


Ensuring data security is one of the biggest challenges for enterprise IT security teams, and choosing the right key management and encryption tools is one of the most important steps for protecting an organization’s valuable data. Unfortunately, very few solutions offer the functionality needed to protect the organization from accidental or intentional data breaches in a hybrid cloud environment.


Security Key Management Solutions
A security key is a variable used by cryptographic algorithms to specify the transformation of plain text into an encrypted format. The key is also needed to decrypt the data back into plain text. Keys can secure your data – but cryptography is only as effective as the keys being used. There are two choices for managing security keys.


External key management solutions protect your data when storage devices or entire storage systems can be physically accessed by an intruder, or are lost or stolen. This type of key management is primarily used by governments, service providers, and financial, legal, and healthcare organizations.


Some of the features and advantages of external key management solutions include:

  • Centralized, consistent key management across physical and virtual data centers, disaster recovery sites, and cloud infrastructures, including both physical and virtual configurations.
  • The ability to easily meet compliance mandates, including the U.S. Federal Information Processing Standard (FIPS 140-2) that mandates verifiable audit trails for all key management actions, and administrator notification if attempts to breach occur.
  • The separation of duties, which gives extra protection against conflict of interest, fraud, abuse, and errors. It also helps in the detection of control failures.


Internal or onboard key management systems protect against unauthorized access to physical storage devices, but not to entire storage systems. With internal key management systems, the keys are embedded and stored within the product itself. If you choose to use an internal key management system, you should consider that the keys, and therefore your data, will be accessible if the entire storage system is stolen.

Advantages of onboard key management solutions include:

  • Management simplicity. One command generates all required keys for the NetApp Storage Encryption (NSE) drives.
  • Cost-effectiveness. Onboard solutions are usually included with the physical storage device with no additional costs or license fees.


Choosing the Right Encryption Point for Your Business Needs
Data encryption occurs across four main points in the network: the client/host, the network, the storage node, and the media (storage devices). Choosing the right encryption point(s) should be based on your specific use cases. When considering the four main encryption points, it is important to note that you gain more manageability and storage efficiency as you move the encryption point closer to the storage devices (data at rest), and more encryption granularity as you move the encryption point toward the host.


NetApp Security Solutions
In partnership with other industry leaders, NetApp delivers a portfolio of solutions that help support a multipronged approach to data security, including:

  • NetApp® Storage Encryption (NSE) provides transparent data-at-rest hardware-based encryption without diminishing NetApp storage efficiency capabilities such as deduplication and compression.
  • Encryption Key Management (EKM) provides Key Management Interoperability Protocol (KMIP)-compliant centralized management of all your encryption keys.


How NetApp Solutions Work
NetApp’s storage systems interoperate with approved third-party KMIP-compliant external key managers and also offer an onboard key manager capability. NSE within the ONTAP storage operating system creates the authentication key (AK) required to lock the data on the drive. The external or onboard key manager stores the AK and provides it when ONTAP requests it for the drives. After the AK is provided, it is used to unlock the drive, allowing reads and writes to go through.
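The following added example (illustration only, not NetApp or ONTAP code) models the AK flow just described and the onboard-versus-external trade-off from the key management section above: the storage OS generates an AK per drive, hands it to a key manager, and fetches it back at boot to unlock the drive. The class names (SelfEncryptingDrive, KeyManager, StorageSystem), the "create"/"get" operations standing in for a KMIP exchange, and the theft scenario are all assumptions made for the illustration; the AK values are randomly constructed.

```python
import hashlib
import hmac
import secrets


class SelfEncryptingDrive:
    """Toy self-encrypting drive: keeps only a hash of its AK, never the AK itself."""

    def __init__(self, serial):
        self.serial = serial
        self._ak_digest = None
        self.locked = True

    def set_authentication_key(self, ak):
        # Drive is locked with the AK; it retains a verifier, not the key
        self._ak_digest = hashlib.sha256(ak).digest()
        self.locked = True

    def unlock(self, ak):
        if self._ak_digest is None:
            return False
        # Constant-time comparison so the toy model does not leak via timing
        matches = hmac.compare_digest(hashlib.sha256(ak).digest(), self._ak_digest)
        self.locked = not matches
        return matches


class KeyManager:
    """Minimal key store with an audit trail of every key operation (stand-in for a KMIP server)."""

    def __init__(self, name):
        self.name = name
        self._keys = {}
        self.audit_log = []  # one (manager, action, key_id) tuple per operation

    def create_key(self, key_id, key_bytes):
        self._keys[key_id] = key_bytes
        self.audit_log.append((self.name, "create", key_id))

    def get_key(self, key_id):
        self.audit_log.append((self.name, "get", key_id))
        return self._keys.get(key_id)


class StorageSystem:
    """Hypothetical storage controller with two drives and one key manager."""

    def __init__(self, key_manager, onboard):
        self.key_manager = key_manager
        self.onboard = onboard            # True: key store lives inside this chassis
        self.external_reachable = True    # network path to an external manager
        self.drives = [SelfEncryptingDrive(f"DRV-{i}") for i in range(2)]

    def initialize_encryption(self):
        # The storage OS generates a random AK per drive and registers it with the manager
        for drive in self.drives:
            ak = secrets.token_bytes(32)  # constructed sample key
            drive.set_authentication_key(ak)
            self.key_manager.create_key(f"ak:{drive.serial}", ak)

    def boot(self):
        """Fetch each drive's AK from the key manager and unlock it. True if all drives unlock."""
        if not self.onboard and not self.external_reachable:
            return False  # external manager unreachable: no AK, drives stay locked
        for drive in self.drives:
            ak = self.key_manager.get_key(f"ak:{drive.serial}")
            if ak is None or not drive.unlock(ak):
                return False
        return True


def simulate(onboard, stolen):
    """Return (all_drives_unlocked, audit_log) for a boot in the data center or after theft."""
    manager = KeyManager("onboard" if onboard else "external")
    system = StorageSystem(manager, onboard=onboard)
    system.initialize_encryption()
    if stolen:
        # The whole chassis leaves the data center: an onboard key store travels
        # with it, an external key manager does not
        system.external_reachable = False
    return system.boot(), manager.audit_log


if __name__ == "__main__":
    for onboard in (True, False):
        for stolen in (False, True):
            unlocked, log = simulate(onboard, stolen)
            where = "onboard " if onboard else "external"
            print(f"{where} manager, stolen={stolen!s:5}: unlocked={unlocked}, audit entries={len(log)}")
```

In the normal case both managers unlock the drives, and the audit log records two key creations and two key retrievals. After simulated theft, only the onboard configuration still boots with data accessible, which is the exposure the section above warns about; with an external manager the drives stay locked and the log shows no retrievals, which is exactly the kind of record an administrator would review for unexpected key requests.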


The NetApp Data Fabric Vision

All of these encryption features are part of the NetApp Data Fabric vision, providing IT teams with the ability to create consistent policies for managing data across multiple data locations, from high-performance, on-premises flash storage to pay-as-you-go cloud storage services. With the ability to transport, manage, and secure data across multiple clouds, a Data Fabric enables the creation of consistent protection mechanisms no matter where your data resides.


For More Information
Data security will continue to be a daunting challenge for IT teams going forward. To learn how NetApp encryption and key management solutions can help improve data security for your enterprise, please visit the Encryption Key Management page on

NetApp Staff