Hard drive encryption on a server is nothing more than useless!

Hard drive encryption (data-at-rest encryption) on a server can make it less secure, not more, because it introduces new ways to lose access to the data.

Hard drive encryption is nothing but the organized corruption of data. The technology hit the spotlight in 2006 when the infamous VA laptop was stolen, a laptop that contained personally identifiable information (PII) on millions of veterans and active-duty service members. The publicity from that one event sent government agencies and commercial companies scurrying to find a reliable hard drive encryption solution. The key term being reliable! Deploying hard drive encryption on mobile devices (the right place for the technology) is the obvious choice, but even there it can be a nightmare. Luckily, a mobile device can usually be rebuilt without causing massive damage. Hard drive encryption on servers is the complete opposite: if a server goes down, there's a high possibility profit margins are going down with it!

There are three possible outcomes when an encrypted server crashes: failover picks up immediately, you restore from a backup, or you have an RGE (resume-generating event) and it is no longer your problem.

Option #1:  Hopefully it works and you've successfully dodged a bullet.  But keep in mind that software failover doesn't really exist here, because you'll simply be failing over to a different encrypted server with the same pitfalls.  Let's hope your data failover solution is seamless.  Hardware DAR failover (an inline encryption appliance) is more reliable, because the data itself isn't changing; it is simply being routed through a different box.  That seems less intrusive, but keep in mind a secondary failover encryption appliance doubles the cost of the solution.  I'm guessing that if your company has gotten this far, it doesn't mind the additional ~$100,000 for the failover box.  Personally I prefer the hardware DAR solution to the software DAR solution, but your environment and budget will determine which one you like better ;-) .

Option #2:  You might be thinking, "Oh, I can restore from a backup if things go awry!"  So riddle me this: how confident are you in your backup solution?  If you're relying on an encrypted tape backup, you might as well post your resume now and get an early start, as the RGE is just around the corner.  (Sidenote: in my experience the backup strategy is usually maintained by the 'least technical' administrator, yet backups play such a crucial role when the 'fit hits the shan'. Ironic, huh?)

Option #3:  Dice, Monster, pick your poison!

My primary argument against server encryption is this: if the server is that important, it should be secured away in the dungeons of a hardened datacenter protected by "Fort Knox-ish" physical security measures.  Servers don't fit the 'easily stolen' mold; they don't get forgotten at Starbucks or left in the cab leaving the airport.  So why is there such an emphasis on server hard drive encryption?  This is ultimately another case of non-technical people making technical decisions.  (A huge pet peeve of mine!)  And let's face it, if servers inside locked racks at your datacenter are growing legs and walking out, you have much bigger problems to solve.

So I ask you, is there such a thing as encrypting to the point of being detrimental?  

In my next and final blog as a guest, I'll elaborate on what prompted this DAR rant: once again HIPAA is creating a mildly unrealistic network hurdle for the industry to interpret and figure out on our own.

Here's a hilarious DAR encryption audit snippet from a friend whose company was being audited by a well-known third-party auditing firm.

Auditor - "Do you have a DAR encryption solution rolled out on your SQL DB?" 

Security Friend - "Yeah, we decided to use file encryption on the DB so that when the file isn't in use it is encrypted." 

Auditor - "Perfect.  <Checkmark in the checkbox and next question.>" 

<me at lunch> - "How often is your SQL DB not running?" 

Security Friend - "NEVER!"
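The check the auditor should have run instead of ticking the box: read the database file straight off the disk, bypassing the database engine, while the database is running, and see whether it is still plaintext. The following is an added example (not from the original post or from any product it mentions). It builds a live SQLite database (connection held open, the way a running server holds its files open), plus a file of random bytes as a constructed stand-in for what a properly encrypted volume looks like on disk (no real cipher is applied), and then inspects both for a known plaintext header, low byte entropy, and a known record that should never be readable at rest. The file names, the sample records and the 7.5 bits/byte entropy threshold are assumptions chosen for the demonstration.

```python
import math
import os
import shutil
import sqlite3
import tempfile
from collections import Counter
from typing import Optional

# Plaintext magic values of on-disk database formats. SQLite's 16-byte header is
# documented in the SQLite file format; extend this table for other engines.
PLAINTEXT_MAGIC = {
    b"SQLite format 3\x00": "SQLite database",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext or random data,
    well below that for structured plaintext such as a database page."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_at_rest(path: str, known_plaintext: Optional[bytes] = None,
                    sample_bytes: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Read the raw file from disk (not through the DB engine) and decide whether
    it is effectively plaintext. Any of the three signals is enough to fail."""
    with open(path, "rb") as f:
        data = f.read()
    head = data[:sample_bytes]
    magic = next((name for sig, name in PLAINTEXT_MAGIC.items() if head.startswith(sig)), None)
    entropy = shannon_entropy(head)
    found = known_plaintext is not None and known_plaintext in data
    return {
        "magic": magic,
        "entropy": round(entropy, 2),
        "known_plaintext_found": found,
        "plaintext": magic is not None or entropy < entropy_threshold or found,
    }


def demo() -> dict:
    """Constructed sample: a live SQLite DB (file held open, i.e. 'in use') and a
    random-bytes stand-in for an encrypted volume image (assumption: no real cipher)."""
    tmp = tempfile.mkdtemp()
    try:
        db_path = os.path.join(tmp, "patients.db")       # hypothetical file name
        conn = sqlite3.connect(db_path)
        conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
        conn.executemany("INSERT INTO patient (name, ssn) VALUES (?, ?)",
                         [("Alice Example", "000-00-0001"),   # constructed sample PII
                          ("Bob Example", "000-00-0002")])
        conn.commit()  # rows are on disk now; the connection stays open, as a running server's would

        blob_path = os.path.join(tmp, "encrypted_volume.img")  # hypothetical file name
        with open(blob_path, "wb") as f:
            f.write(os.urandom(4096))  # stand-in for ciphertext, not a real encryption

        results = {
            "live_db": inspect_at_rest(db_path, known_plaintext=b"Alice Example"),
            "encrypted_stand_in": inspect_at_rest(blob_path, known_plaintext=b"Alice Example"),
        }
        conn.close()
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point of the check is that "encrypted when not in use" on a database that is never not in use means the on-disk file carries the SQLite header and the patient records in the clear for its whole life; the auditor only needed to open the file, not interview the administrator.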


Copyright © 2009 IDG Communications, Inc.
