It’s a new year. Why not make a resolution now to encrypt your data at rest?
Just a glance at the news today shows us that data security is top of mind. Global enterprises and government customers rely on NetApp® storage security solutions to protect their data with the strongest security technologies available. Encryption of data at rest has become “table stakes” for modern data management.
NetApp Volume Encryption (NVE) was released over a year ago as part of NetApp ONTAP® 9.1, a free and easy, nondisruptive upgrade for all currently shipping AFF and FAS systems, as well as certain older AFF and FAS systems and our software-defined offering, ONTAP Select.
NVE is a software-based technology for encrypting data at rest one volume at a time. An encryption key that is accessible only to the storage system ensures that volume data cannot be read if the underlying drive is repurposed, returned, misplaced, or stolen. The individual volume-level granularity of NVE opens up the ability to securely crypto-shred individual datasets for targeted data sanitization in service provider or other shared workload environments.
Enabling NVE is a no-regrets move that costs nothing and rarely affects performance. NVE also helps comply with increasing regulations or individual company policies that all data must be encrypted at rest. You can fill in the encryption checkbox by turning on NVE. Encrypt more, worry less!
NVE Is Only Getting Better: The Time to Implement Is Now!
With ONTAP 9.3 (released in November 2017), NVE has been enhanced further to offer both onboard (OKM) and offboard KMIP-based key management solutions as well as support for encrypting existing volumes in place. And in December, we also secured National Institute for Standards and Technology (NIST) FIPS 140-2 level 1 certification for the cryptographic module that powers NVE and OKM in ONTAP.
Over the past year, we’ve seen significant adoption by customers eager to encrypt their data at rest at no additional cost, across a variety of industries including government, financial, healthcare, and retail organizations. Want to join them? Now is a great time to turn on NVE ubiquitously to provide an extra layer of defense for your data at rest.
Instructions for enabling and managing NVE are available in the NetApp ONTAP 9 Documentation Center; see “Encryption of data at rest” in the “Data protection and disaster recovery” section. Given that NVE is free and implementation is nondisruptive, using it may be one of the easiest New Year’s resolutions for you to keep!
Are You Still Using NSE with Hardware-Based Encryption?
NetApp Storage Encryption is a long-term, proven solution for whole-system data-at-rest encryption. NSE is full-disk encryption (FDE) built directly into self-encrypting drives (SEDs) from the disk vendor. NSE has some advantages: It offers simplicity and a slightly higher level of certification with FIPS 140-2 level 2, although both NVE and NSE use the AES 256 specification.
Although NSE will continue to be useful for certain customers, primarily in high-security government environments, it does have significant trade-offs. The primary challenges are that these FDE/SED drives generally are first available at smaller capacities, are later to market than standard non-FDE drives, and command a price premium that increases the cost per gigabyte—in some cases significantly.
NetApp still offers NSE and has no current plans to discontinue these drives. However, we encourage the majority of our customers to use NVE where possible. NVE works with any NetApp solid-state drive (SSD) or HDD supported with NVE-capable AFF and FAS systems, plus ONTAP Select, so you can immediately use encryption without any limitation to drive capacity, delay in drive releases, or increase in cost.
A common question is the performance impact of enabling NVE on a given system, and the equally common answer, “It depends,” is fully accurate but not truly satisfying. The short answer is that performance impacts are negligible for higher-end systems, and typically less than 10% on entry-level or midrange systems or on older systems. Further, these impacts typically are noticeable only when a system is running near its absolute maximum expected performance. If a system is running at a reasonably safe margin from that maximum, any impact from NVE is immaterial and invisible.
If you have specific concerns about performance, you can consult with your partner or NetApp team to assess potential impact. In addition, you can granularly encrypt a single test volume at a time and assess the impact, and even decrypt the volume through a nondisruptive volume move if necessary.
Resolve to Encrypt with NVE
Widespread deployment of NVE ensures that any SSD or HDD in transit, returned to a vendor, lost, or stolen is encrypted and secure against unauthorized data access.
Are you interested in learning even more? Two of our security gurus, Juan Mojica and Mike Scanlin, recently joined the NetApp Tech OnTap® Podcast to discuss the latest in NVE and ONTAP security as a whole. Check out Tech OnTap Episode 120 today—and encrypt a few more volumes while you listen!