End-to-End Data Encryption with Data Reduction from Thales & Pure Storage

At the 2019 RSA Conference, Pure Storage and Thales introduced Vormetric Transparent Encryption for Efficient Storage – the IT and security industries’ first end-to-end data encryption framework that realizes storage array data reduction.


Update: Pure Storage® has ended support for EncryptReduce capability

This new capability removes the compromise between encryption and storage efficiency, providing the granular access controls security professionals have come to expect from Thales combined with the industry-leading data reduction technologies from Pure Storage.

Historically, host data encryption and array data reduction have been like oil and water – they simply don’t mix.

Data Security: Low Adoption Amidst Increasing Requirements

The volume of data that is classified as sensitive and may require security consideration has been increasing due to new and updated privacy regulations like PCI-DSS, GDPR, HIPAA, and FedRAMP (to list a few). Yet IDC research published in the 2019 Thales Data Threat Report – Global Edition states that 60% of organizations have incurred at least one data breach and 30% experienced their most recent breach within the past 12 months.

Cost and complexity are two of the most cited reasons why organizations limit the volume of data they can secure. With Pure Storage recognized as a leader in both operational simplicity and data reduction, and our previous joint centralized key management integration, Thales selected Pure as the initial partner to deliver data reduction integrated with Vormetric Transparent Encryption.

Storage Costs of Encrypted Data

Storage costs are never as simple as the advertised metrics of $ per GB and I/O per GB. Storage professionals (typically defined by those who have suffered the loss of data at some point in their career) understand that deployment considerations like data protection and storage efficiencies combine in configurations that impact the actual or effective cost of storage capacity and performance.

Encrypting data to meet compliance requirements and protect your business increases the cost of storage. Let’s start at the storage layer with data-at-rest encryption (D@RE) – which is an additional charge with most storage platforms – be it via software or self-encrypting drives (SEDs). D@RE protects data from being read in the event of physical access (theft, inappropriate retirement, etc.) by storing it in an encrypted format on persistent media (HDD, SSD, etc.).

D@RE may sound more appropriate for laptops than enterprise storage, but when you consider the density of modern storage platforms like the FlashArray //X, which can store 3 PB in 6 RU, you can appreciate the importance of securing the contents of the physical media.

Organizations or departments with stricter security guidelines may require application and end-user data to be encrypted as it is written, protecting it from unauthorized access in the event the host or server is breached. Securing data as it originates on the host is referred to as Transparent Encryption (TE) as the encryption is not visible to the application or user.

Transparent encryption comes with a trade-off – its use negates data reduction technologies like compression and deduplication, resulting in storage capacity requirements increasing as much as 5X compared to storing unencrypted data.

Vormetric Transparent Encryption (VTE) takes transparent encryption further by not only encrypting transparently, but also adding granular access control and privileged user access policies as well as detailed audit logs. However, with Pure, Vormetric Transparent Encryption can overcome the compromise between data reduction and security!

Have It All: End-to-End Data Encryption with Data Reduction

The results of the Pure and Thales joint integration are nothing short of stellar. With Pure Storage, Vormetric Transparent Encryption overcomes the compromise between data reduction and security.

Below you can see the results from one of the tests. The data set in use is the publicly available Enron email corpus, which is 5.3 GB in size.

We chose to use a public data set for transparency so others can reproduce the test in their own environment.

The data was stored in the following formats and data reduction was recorded:

  • Data was stored unencrypted. Data reduction of 4.8 to 1. That’s a 79.1% reduction in storage capacity;
  • Data stored on a Vormetric Transparent Encryption guarded volume with integration disabled. Data was unable to be reduced; and,
  • Data stored on a Vormetric Transparent Encryption guarded volume with integration enabled. Data reduction ratio of 4.8 to 1 – which is the same result as with the unencrypted copy.

As you can see from the results, the Thales and Pure Storage engineering teams have each delivered true innovation at a cross section of technologies that was previously thought unachievable. It is now possible to ensure data is secure from end to end, reduce capacity, and, ultimately, provide customers with the ability to further reduce risk and satisfy compliance requirements.

Vormetric Transparent Encryption takes transparent encryption further by not only encrypting transparently and preserving storage capacity, but also including granular access control and privileged user access policies as well as detailed audit logs.

Let’s Get Nerdy: A Technical Primer on Vormetric Transparent Encryption for Efficient Storage

The integration of Vormetric Transparent Encryption for Efficient Storage with the Pure Storage FlashArray is rather elegant. Below is an overview of how the solution functions followed by the version 1.0 beta requirements.

  1. The Vormetric File System agent is installed on a Linux host.
  2. The host checks out an encryption key from the Vormetric Data Security Manager (DSM).
  3. The FlashArray registers as a KMIP client with the DSM and checks out the host encryption key.
  4. The host writes encrypted data to the FlashArray.
  5. The FlashArray decrypts the data using the host key, reduces it, and re-encrypts it with the FlashArray key before writing it to flash. The decryption of data with the host key is an added step introduced with the integration.
  6. When the host reads the data, the FlashArray decrypts the data using the FlashArray key and re-encrypts it with the host key prior to sending the data to the host. The re-encryption of data with the host key is an added step introduced with the integration.
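To make the six steps concrete, here is an added simulation of the write and read paths (example code, not Pure Storage’s or Thales’s). It assumes a toy HMAC-SHA256 counter-mode cipher in place of the real AES modes, a plain dictionary standing in for the DSM and its KMIP checkout, and the logical block address (LBA) as the per-block tweak, and it compares the reduction ratio with the integration enabled and disabled on the same constructed data.

```python
import hashlib, hmac, os, zlib

# Constructed stand-in for the AES modes VTE and the FlashArray actually use (an assumption,
# not the product's cipher): HMAC-SHA256 keystream in counter mode XORed with the data.
def xor_cipher(key, tweak, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, tweak + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def new_dsm():  # simulated Data Security Manager: keys are checked out by name (steps 2, 3)
    return {"host-key": os.urandom(32)}

class FlashArray:
    def __init__(self, dsm, integration):
        self.host_key = dsm["host-key"] if integration else None  # step 3: KMIP checkout
        self.array_key = os.urandom(32)
        self.flash = {}    # fingerprint -> compressed, array-key-encrypted block
        self.lba_map = {}  # LBA -> fingerprint
    def write(self, lba, buf):  # steps 4-5
        if self.host_key:  # decrypt with the host key so the plaintext can be reduced
            buf = xor_cipher(self.host_key, lba.to_bytes(8, "big"), buf)
        fp = hashlib.sha256(buf).digest()
        if fp not in self.flash:  # dedupe: identical blocks are stored once, compressed
            self.flash[fp] = xor_cipher(self.array_key, fp[:16], zlib.compress(buf))
        self.lba_map[lba] = fp
    def read(self, lba):  # step 6
        fp = self.lba_map[lba]
        buf = zlib.decompress(xor_cipher(self.array_key, fp[:16], self.flash[fp]))
        if self.host_key:  # re-encrypt with the host key before returning data to the host
            buf = xor_cipher(self.host_key, lba.to_bytes(8, "big"), buf)
        return buf
    def stored_bytes(self):
        return sum(len(b) for b in self.flash.values())

# Constructed sample: one highly compressible message written to 32 LBAs, as the VTE agent
# would after encrypting each block in place with the host key and the LBA as tweak.
MESSAGE = b"From: alice@example.test\nSubject: Q3 forecast\n\n" + b"Review the numbers.\n" * 20

def run(integration):  # returns (data reduction ratio, host round-trip intact?)
    dsm = new_dsm()
    host_key, array = dsm["host-key"], FlashArray(dsm, integration)  # step 2
    for lba in range(32):
        array.write(lba, xor_cipher(host_key, lba.to_bytes(8, "big"), MESSAGE))
    intact = all(xor_cipher(host_key, lba.to_bytes(8, "big"), array.read(lba)) == MESSAGE
                 for lba in range(32))
    return 32 * len(MESSAGE) / array.stored_bytes(), intact
```

With the integration disabled every block arrives as distinct, incompressible ciphertext, so the array can neither deduplicate nor compress it and the ratio stays at about 1:1; with it enabled the array sees 32 identical plaintext blocks and stores one compressed copy, while the host still reads back exactly what it wrote.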

I would be remiss not to call out the secure design of the FlashArray. For more information, see the security and compliance overview, which provides details on the design and covers security standards and certifications (e.g., FIPS 140-2, CCO, etc.).

Let’s Wrap Up This Post

I’d like to give a big shout out to the PM and ENG teams at Thales and Pure Storage for their amazing work. Version 1.0 is currently in beta and discussions around what follows have already begun. For more information please contact your Thales or Pure Storage account team to schedule a briefing.

— Cheers
