Two of the earliest methods of encryption to come to market are encryption appliances and encryption included in backup software. For a review of those two product categories, please see our Buying Guides entitled "Hardware-based encryption (appliance) product specifications" and "Purchasing backup software-based encryption".
More recently, customers have been moving away from managing encryption in backup software because hardware offers better performance and less complexity. "The market for 'bump in the wire' hardware appliances has remained pretty steady, but it hasn't taken off either," said Russ Fellows, managing partner at Greenwood Village, Colo.-based Evaluator Group Inc. "Encryption at the endpoint will probably continue to gain share."
The following products perform encryption at endpoints such as disk/tape drives and storage-area network (SAN)/network-based devices, and manage encryption keys.
ENDPOINT ENCRYPTION PRODUCTS
Fujitsu Full Disk Encryption (FDE)
Fujitsu's Full-Disk Encryption (FDE) is performed in hardware at the disk drive level, without dependencies on operating systems for security of encryption keys and access credentials. Fujitsu claims FDE drives suffer no performance impact from performing encryption. The products are based on a partnership with Wave Systems Corp.
Seagate Technology Inc. Seagate Secure technology
Seagate Secure disk drives use a chip to encrypt data inside the drive enclosure. Seagate Secure can also be used to pair a drive with a workstation, and enables "invisible" secure partitions on drives. McAfee Inc.'s ePolicy Orchestrator security management software can manage the drives from a central corporate location, and offers authentication features for unlocking the encrypted drives, including support for biometrics and security tokens. Dell Inc. ships Seagate's Momentus line of desktop-class self-encrypting drives in its Latitude laptops, Precision Mobile Workstations and OptiPlex desktops.
Proprietary tape formats: IBM TS1120, TS1130 tape drives; Sun Microsystems Inc. (soon to be Oracle Corp.) StorageTek T10000 tape drive
IBM and Sun are the two titans left standing in a declining mainframe / high-end proprietary tape market, and have been engaged in an arms race over the last few years with similar high-capacity, high-performance, self-encrypting tape drives.
IBM includes an encryption license with its drives, while Sun charges a separate fee. Hewlett-Packard (HP) Co. said last year it would ship DAT 320 drives with built-in encryption in 2009.
Various vendors, including Dell, HP, IBM, Overland Storage Inc., Quantum Corp., Spectra Logic Corp. and Tandberg Data: LTO-4 / Ultrium tape drives
Linear Tape-Open (LTO) has become the standard tape format in the enterprise storage market today, edging out earlier formats like DLT.
The fourth revision of the LTO spec contains AES-256 encryption in drive firmware, and the feature is made available by all vendors that offer LTO-4. While all the drives can perform encryption, they require the use of a separate key management application.
SAN/NETWORK-BASED ENCRYPTION PRODUCTS
Brocade Communications Systems Inc. Encryption Switch
Brocade's Encryption Switch is a 32-port, 8 Gbps Fibre Channel switch. The FS8-18 Encryption Blade is a 16-port blade that plugs into Brocade's DCX Backbone switches. Brocade claims that both the switch and the blade can scale up to 96 Gbps of encryption processing power. The Brocade Encryption Switch is resold by NetApp Inc.
CipherMax Inc. CM100T tape appliance, CM180D/CM250/CM500 disk appliances
The company formerly known as Maxxan Systems Inc., an intelligent switch provider, re-emerged as storage security player CipherMax in 2007. Since then it's been marketing the CM100 series, 1U Fibre Channel switches that CipherMax claims can support up to four full-bandwidth disk array target ports and hundreds of encryption streams. All products feature the company's SANCruiser fabric management software, as well as KeyCruiser, which creates a central key repository for all devices in the environment and allows keys to be backed up and archived offsite.
Cisco Systems Inc./ RSA, the security division of EMC: MDS 9500, MDS 9200 blades and switch modules with RSA Key Manager
Cisco/RSA users can add encryption at the SAN director switch either as a blade for the MDS 9500 and MDS 9200 series chassis, or as a switch module for the MDS 9200. Because the MDS 9500 automatically load balances and clusters blades as they're added, adding encryption to the director requires no recabling or rewiring of the SAN. The switches can perform inline encryption for disk arrays and disk-based backup products like virtual tape libraries (VTLs). Hewlett-Packard resells its own version of the Cisco switch, dubbed the Cisco 9222i MultiService Fabric Switch.
SAN hardware vendors are increasingly looking to get a piece of the data security action, too. Below is a list of vendors that support disk-based encryption within enterprise arrays today.
|EMC Corp./RSA||Symmetrix and Clariion disk arrays with PowerPath multipathing software|
|Fujitsu||Eternus 4000 and 8000 series|
|Hitachi Data Systems||Universal Storage Platform|
|IBM||DS5000 and DS8000 series|
|LSI Corp.||Engenio 7900 SAN|
Exar Corp./Hifn Inc. Express DR 250/255 and 1600 cards
Prior to its acquisition by Exar earlier this year, Hifn developed a set of chip boards that will perform data deduplication, compression and encryption processing with the goal of eliminating some of the performance issues associated with software-based approaches. The first series, the Express DR 250 and 255, are slower than the 1600 series just introduced, which Hifn claims can perform at up to 1,800 MBps. Hifn is looking to sell the cards through storage hardware OEMs, but also offers its own primary storage deduplication software for Windows systems called BitWackr, which integrates with the DR cards.
KEY MANAGEMENT PRODUCTS
Encryption encodes data with long strings of characters that are decoded with matching encryption keys. Key management is the process of storing, protecting, backing up and keeping track of keys. Without keys, encrypted data becomes inaccessible and effectively destroyed. Key management can be a dauntingly complex process, according to the Evaluator Group's Fellows, and that complexity is part of the reason encryption has yet to see more widespread adoption in the storage market.
Currently, key management products can be split into two general categories: appliances and software-only. "Generally, I like appliances," Fellows said. "Software allows for a lot of configuration and tweaking, but it's not quite as simple to set up and get running as an appliance."
|Software Key Managers|
|EMC Corp./RSA||Key Manager|
|IBM||Tivoli Key Lifecycle Manager|
|Vormetric||Key Security Expert|
|Appliance Key Managers|
|EMC Corp./RSA||Key Manager|
|HP||StorageWorks Secure Key Manager|
|NetApp Inc. / Decru||Lifetime Key Management|
|Quantum Corp.||Scalar Key Manager Appliance|
|Sun Microsystems Inc.||StorageTek Crypto Key Management Station|
|Thales Group||Encryption Manager for Storage|
Analysts agree that the biggest factor currently holding key management back is the lack of standards in the industry to make multiple key management products interoperable. For more insights on that issue, download our podcast on key management with Enterprise Strategy Group principal analyst Jon Oltsik.
This was first published in August 2009