Cisco® Storage Media Encryption (SME) protects data at rest on heterogeneous tape drives, virtual tape libraries (VTLs), and disk arrays in a SAN environment using highly secure IEEE Advanced Encryption Standard (AES) algorithms.
Cisco SME hardware and software are fully integrated with the Cisco MDS 9000 Family. Encryption is performed as a transparent Fibre Channel fabric service, which greatly simplifies the deployment and management of sensitive data on SAN-attached storage devices. Unlike other approaches, Cisco SME requires no downtime to deploy. Cisco SME is built on a system architecture based on Federal Information Processing Standards (FIPS) and offers highly secure, comprehensive key management, with support for offline media recovery (Figure 1).
Figure 1. Cisco SME System Architecture
Features and Benefits
Cisco SME provides a complete, integrated solution for encryption of data at rest on heterogeneous tape drives, VTLs, and disk arrays. Storage in any virtual SAN (VSAN) can make full use of Cisco SME, providing exceptional flexibility for provisioning this transparent fabric service. Cisco SME requires no SAN reconfiguration or rewiring, eliminating downtime for deployment.
Cisco SME employs clustering technology to enhance reliability and availability, enable automated load balancing and failover capabilities, and simplify provisioning. To simplify management, this encryption service is provisioned as a single, logical SAN fabric feature rather than as individual switches or modules.
Secure lifecycle key management is included, with essential features such as key archival, shredding, automatic key replication across data centers, high-availability deployments, and export and import for single- and multiple-site environments. Provisioning and key management for Cisco SME are both integrated into Cisco Fabric Manager; no additional software is required for management.
Cisco SME includes the following features:
• Rapid, scalable deployment: Cisco SME performance can easily be scaled up by adding more Cisco MDS 9000 switches or modules. The innovative Fibre Channel redirect capabilities in the Cisco MDS 9000 SAN-OS and NX-OS Software enable traffic from any switch port to be encrypted without the need to reconfigure or rewire the SAN.
• High availability: Cisco SME services employ clustering technology to create a highly available solution. The cryptographic cluster enhances reliability and availability, enables automated load balancing and failover capabilities, and simplifies provisioning as a single SAN fabric service rather than as individual switches or modules. Additionally, Cisco Key Management Center (KMC) supports 1+1 high-availability deployments.
• High level of security: Cisco SME uses strong, IEEE-compliant AES 256 encryption algorithms to protect data at rest. Advanced Cisco MDS 9000 SAN-OS and NX-OS Software security features, such as Secure Shell (SSH), SSL, RADIUS, and Fibre Channel Security Protocol (FC-SP) provide the foundation for a secure FIPS architecture.
• Comprehensive lifecycle key management: The Cisco KMC provides dedicated key management for Cisco SME, with support for single- and multiple-site deployments, including automatic key replication across data centers and high-availability deployments. Cisco KMC provides essential features such as key archival, highly secure export and import and translation for distribution, and key shredding. Enterprisewide lifecycle key management is also available using industry-leading software integrated through an open API included with Cisco SME.
• Integrated management: Cisco SME is configured and provisioned using the Cisco MDS 9000 Family command-line interface (CLI) or Cisco Fabric Manager; no new management software is needed. In addition to consistent management interfaces, Cisco SME supports role-based access control (RBAC) and RADIUS and TACACS+ servers for unified credentials management.
Additional features and benefits are presented in Table 1.
Table 1. Additional Features and Benefits
Feature
Benefit
VSAN independence
Traffic on any VSAN can fully utilize Cisco SME encryption capabilities, providing outstanding flexibility for provisioning and load balancing.
Data compression
To increase the utilization of tape media, Cisco SME provides an option to compress tape data before encrypting it.
Compression is not available for SME-Disk.
Smart cards
For increased operational security, smart cards are offered to protect master keys, facilitate master key escrow, and help prevent unauthorized cryptographic cluster formation and key recovery.
Investment protection
In addition to supporting heterogeneous storage devices, the multipurpose hardware used by Cisco SME supports Cisco MDS 9000 Family storage network services and applications, providing solid investment protection.
Disk encryption
Cisco SME supports dual fabric, multipath, replicated volumes, high availability for key management, and clustering.
Product Specifications
Table 2 lists the product specifications for the Cisco SME.
Table 2. Product Specifications
Item
Specification
Product compatibility
Cisco MDS 9500 Series Multilayer Directors and MDS 9200 Series Multilayer Switches
MSM-18/4 and SSN-16 line cards
Software compatibility
For tape drive encryption:
• Cisco MDS 9000 SAN-OS Software 3.3(1c) or later and NX-OS 4.1(3a) or later
• Cisco Fabric Manager 3.3(1c) or later and NX-OS 4.1(3a) or later
For disk array encryption:
• Cisco MDS 9000 NX-OS 5.2(1) or later
• Cisco Data Center Network Manager (DCNM-SAN) 5.2.(1) or later
Protocols
• Simple Network Management Protocol (SNMP) version 3
• SSH version 2
• SSL and HTTPS
• RADIUS and TACACS+ authentication protocols
• RSA
Encryption algorithms
• RSA
• AES-256
Approvals and compliance
• PCI DSS 2.0 standard compliant
System Requirements
Cisco Data Center Network Manager (DCNM) or Fabric Manager Server (FMS) is used to provision and manage encryption keys for Cisco SME. The DCNM/FMS data sheet lists the system requirements.
Summary
Encryption Type
AES 256
Encryption Strength
256-bits
Encryption Targets
All major storage media - tape drives, VTLs and disk arrays
Compression
4-to-1 for Tape
Key Complexity
256 bit length and generated from random number generator (PCS DSS 2.0 compliant)
Key Management
Cisco key Management Center generates, tracks and manages the keys
FIPS
FIPS 140-2 level 2 compliant, Certification will be post-fcs
Host and Application Protection
Host/device authentication
Others
Hardware based encryption, crypto shred for key deletion, role bases access control. Re-Key
Storage features supported
Replication, Mirror
Security
Smartcards for key store and quorum for recovery
High Availability
Clustering architecture supporting load balancing and resiliency for crypto engines, 1+1 CKMC for key management redundancy
Ordering Information
Table 3 lists product ordering information for Cisco SME licenses and components.
Cisco SME also requires Cisco MDS 9000 Family hardware modules or switches that support this feature. The following hardware includes encryption units suitable for Cisco SME:
• DCNM SAN Advanced is required for running Cisco Key Mangement Center (CKMC). A single CKMC can support multi-site deployment. Two instances will provide 1+1 High Availability.
• The web client (supported by DCNM SAN Adanced) provides the SME provisioning wizard. At least a single instance of DCNM SAN Advanced is thus required.
Storage Media Encryption package for one MSM-18/4 in the Cisco MDS 9500 Series
M9500SME1MK9
Storage Media Encryption package for one MSM-18/4 in the Cisco MDS 9200 Series
M9200SME1MK9
Storage Media Encryption package for one service engine on SSN-16 in the Cisco MDS 9500 Series
M95SMESSNK9=
Storage Media Encryption package for one service engine on SSN-16 in the Cisco MDS 9200 Series
M92SMESSNK9=
Storage Media Encryption package for Cisco MDS 9222i MMS fixed slot
M9200SME1FK9
Smart card reader for Cisco SME
DS-SCR-K9=
Smart card for Cisco SME
DS-SC-K9=
Note: Cisco MDS 9000 Series Switches do not need Cisco Fabric Manger Server license packages to provision Cisco SME or to use the associated key management capabilities.
To place an order, visit the Cisco Ordering Home Page. To download software, visit the Cisco Software Center.
Service and Support
Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services help you protect your network investment, optimize network operations, and prepare the network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.
Using the Cisco Lifecycle Services approach, Cisco and its partners provide a broad portfolio of end-to-end services and support that can help increase your network's business value and return on investment. This approach defines the minimum set of activities needed, by technology and by network complexity, to help you successfully deploy and operate Cisco technologies and optimize their performance throughout the lifecycle of your network.
