This article can also be found in the Premium Editorial Download "Storage magazine: Storage products of the year 2003."
[Sidebar: Different ways to encrypt data]
Before deciding to encrypt, storage managers will have to decide whether degraded performance and interoperability snags are a price worth paying for increased peace of mind. Storage encryption products--mostly from a group of relatively young companies--work in a variety of different ways, and some impact SAN throughput more than others.
And while most storage encryption products make some use of cryptography standards, in most other respects they are highly proprietary and don't interoperate. That means once you select a storage encryption product, it's going to be difficult to switch.
Some storage managers think shoring up SAN security through encryption is worth the trade-offs. United Airlines' Loyalty Services Group in Schaumburg, IL, which runs the company's Web-based booking system, recently decided to deploy an encryption appliance from NeoScale Systems Inc. as part of a project to replace the DAS used to store customer credit card information.
The CryptoStor FC appliance sits directly on the Fibre Channel (FC) wire between the switch and storage devices and encrypts all data as it moves onto disk. The appliance offloads all encryption processing from the application server, and like other storage encryption appliances, it authenticates users attempting to access protected storage and allows administrators to create rules governing which data blocks are encrypted and which ones are not.
United opted for encryption, says Gary Pilafas, senior storage and systems architect, in large part because of expectations that regulators will require the company to prove it's done everything possible to keep customer information private.
"When they come to us and ask what we've put in place to protect customers, we can show them," he says.
So far, Pilafas says the CryptoStor appliance hasn't reduced the performance of his SAN. Because the appliance is transparent to other devices in the SAN fabric and it implements encryption algorithms in hardware, NeoScale claims it's able to perform at nearly 2Gb/s line speeds.
Some storage encryption tools, however, have a larger impact on SAN performance. While appliances such as those from NeoScale and Decru Inc. handle encryption in hardware and claim near-line-speed performance, others such as the Assurancy SecureData from Kasten Chase and the CoreGuard from Vormetric Inc. require hardware or software agents running on servers in addition to the hardware appliance. This approach generally involves a performance hit. Kasten Chase estimates a 10% impact on SAN Fibre performance. But there's an upside to this approach: It can scale more easily.
Performance concerns have kept some organizations away from storage encryption. At Deloitte Consulting, IT managers have considered encrypting storage. With its many clients throughout privacy-conscious Europe, Deloitte could use encryption to reassure regulators, says CTO Eric Eriksen.
"But each time we've looked at it, we've become concerned with the performance issue. The only way to resolve that would be to test some appliances, which we haven't done yet," he says.
In the meantime, Deloitte has used encryption features built into applications such as e-mail to protect some data while in transit.
This was first published in January 2004