Disk encryption: not just for paranoids


This article can also be found in the Premium Editorial Download "Storage magazine: Storage products of the year 2003."


Different ways to encrypt data


There are many ways to encrypt data for privacy protection as it moves over a storage network and as it sits on a storage device. Here's a rundown of the different approaches:
Application-based encryption. Various applications can encrypt the data they create or process. Most automated backup applications let administrators encrypt data as it is moved off primary storage, passed across a network and written to tape or other backup devices. A drawback is that this type of encryption is usually implemented in software, so it can be slow. And if you run many different applications, each may encrypt data and manage encryption keys differently, which makes administration difficult: a backup written by one application is readable only for as long as that application's key is still available. As a result, many organizations pass on this option. Mark Bradley, Computer Associates' technology strategist, estimates that only 15% of its BrightStor backup software customers use encryption.
Application-aware encryption. A few encryption products offer some level of integration with the application. Products such as CoreGuard from Vormetric Inc. let administrators create policies that encrypt specific files, or even specific data, associated with particular types of transactions. Downsides include potentially degraded server performance, and many of these products are available only for certain servers or operating systems.
Inline encryption appliances. Products from vendors such as NeoScale Systems and Decru Inc. offload encryption from the application server to a dedicated hardware appliance that sits in the storage fabric. This approach usually avoids the performance problems of software encryption. The downsides: not all of these devices support every type of storage (network-attached storage, storage area networks and tape), and all are highly proprietary.

Encryption's downside
Before deciding to encrypt, storage managers have to decide whether degraded performance and interoperability snags are a price worth paying for increased peace of mind. Storage encryption products, mostly from a group of relatively young companies, work in a variety of ways, and some affect SAN throughput more than others.

And while most storage encryption products make some use of standard cryptographic algorithms, in most other respects they are highly proprietary and don't interoperate: data encrypted by one vendor's product can't be read through another's. That means once you select a storage encryption product, it's going to be difficult to switch.

Some storage managers think shoring up SAN security through encryption is worth the trade-offs. United Airlines' Loyalty Services Group in Schaumburg, IL, which runs the company's Web-based booking system, recently decided to deploy an encryption appliance from NeoScale Systems Inc. as part of a project to replace the direct-attached storage (DAS) used to hold customer credit card information.

The CryptoStor FC appliance sits directly on the Fibre Channel (FC) wire between the switch and the storage devices and encrypts data as it is written to disk. The appliance offloads all encryption processing from the application server, and like other storage encryption appliances, it authenticates users attempting to access protected storage and lets administrators create rules governing which data blocks are encrypted and which are not.
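As an added example, not NeoScale's code or anything from the article, here is a minimal model in Go of what such an inline block encryptor does: a policy of LBA ranges decides which sectors are encrypted, each encrypted sector gets an IV derived from its own address (the ESSIV construction dm-crypt uses, standing in for the appliance's hardware AES), and the host reads plaintext back either way. The key, the policy and the sample sector content are constructed for the example; the user-authentication step the appliance performs is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const SectorSize = 512 // the unit the appliance encrypts: one disk sector
type Range struct{ First, Last uint64 } // inclusive span of logical block addresses (LBAs)
type Policy []Range // administrator's rules: sectors inside any range are encrypted, the rest pass through

func (p Policy) Encrypts(lba uint64) bool {
	for _, r := range p {
		if lba >= r.First && lba <= r.Last {
			return true
		}
	}
	return false
}

// Appliance models an inline encryptor sitting between the host and the disk.
type Appliance struct {
	data   cipher.Block      // AES under the data-encryption key
	essiv  cipher.Block      // AES under SHA-256(key), used only to derive per-sector IVs
	policy Policy
	disk   map[uint64][]byte // stand-in for the backing storage: LBA -> bytes actually stored
}

// NewAppliance keys the encryptor; aes.NewCipher accepts only 16-, 24- or 32-byte keys.
func NewAppliance(key []byte, policy Policy) (*Appliance, error) {
	data, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	salt := sha256.Sum256(key) // ESSIV: the IV-derivation key is a hash of the data key
	essiv, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	return &Appliance{data: data, essiv: essiv, policy: policy, disk: map[uint64][]byte{}}, nil
}

// sectorIV derives IV = E_{SHA-256(key)}(lba), the ESSIV construction of dm-crypt's cbc-essiv:sha256
// mode: identical sectors at different LBAs encrypt differently, and the IV cannot be chosen by an attacker.
func (a *Appliance) sectorIV(lba uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, lba)
	a.essiv.Encrypt(iv, iv)
	return iv
}

// Write is the host-facing write path: apply the policy, then commit to "disk".
func (a *Appliance) Write(lba uint64, sector []byte) error {
	if len(sector) != SectorSize {
		return fmt.Errorf("sector %d: want %d bytes, got %d", lba, SectorSize, len(sector))
	}
	stored := make([]byte, SectorSize)
	if a.policy.Encrypts(lba) {
		cipher.NewCBCEncrypter(a.data, a.sectorIV(lba)).CryptBlocks(stored, sector)
	} else {
		copy(stored, sector)
	}
	a.disk[lba] = stored
	return nil
}

// Read is the host-facing read path: the host always sees plaintext.
func (a *Appliance) Read(lba uint64) ([]byte, bool) {
	stored, ok := a.disk[lba]
	if !ok {
		return nil, false
	}
	out := make([]byte, SectorSize)
	if a.policy.Encrypts(lba) {
		cipher.NewCBCDecrypter(a.data, a.sectorIV(lba)).CryptBlocks(out, stored)
	} else {
		copy(out, stored)
	}
	return out, true
}

// RawSector is what sits on the disk itself: what someone who takes the array but not the key sees (nil if unwritten).
func (a *Appliance) RawSector(lba uint64) []byte { return a.disk[lba] }

func main() {
	key := sha256.Sum256([]byte("constructed demo key")) // demo only; a real appliance generates and holds the key in hardware
	app, err := NewAppliance(key[:], Policy{{First: 1000, Last: 1999}}) // the LBA range holding card data
	if err != nil {
		panic(err)
	}
	record := make([]byte, SectorSize) // constructed sample record
	copy(record, "cardholder=J. Doe pan=4111111111111111 exp=12/06")
	for _, lba := range []uint64{1000, 1001, 5} { // two inside the encrypted range, one outside
		if err := app.Write(lba, record); err != nil {
			panic(err)
		}
		back, _ := app.Read(lba)
		fmt.Printf("LBA %4d on-disk=%x... host-sees=%.48q\n", lba, app.RawSector(lba)[:8], back)
	}
}
```

Writing the same record to LBA 1000 and 1001 produces two unrelated ciphertexts, which is the whole point of tying the IV to the address: with a fixed IV, equal sectors would be visibly equal on the stolen disk. Note what the model does not give you: encryption of the blocks says nothing about who may read them back, which is why the appliance's separate authentication and access rules matter as much as the cipher.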

United opted for encryption, says Gary Pilafas, senior storage and systems architect, in large part because of expectations that regulators will require the company to prove it's done everything possible to keep customer information private.

"When they come to us and ask what we've put in place to protect customers, we can show them," he says.

So far, Pilafas says, the CryptoStor appliance hasn't reduced the performance of his SAN. Because the appliance is transparent to the other devices in the SAN fabric and implements its encryption algorithms in hardware, NeoScale claims it can run at nearly 2Gb/s line speed.

Some storage encryption tools, however, have a larger impact on SAN performance. While appliances such as those from NeoScale and Decru Inc. handle encryption in hardware and claim near line-speed performance, others such as Assurancy SecureData from Kasten Chase and CoreGuard from Vormetric Inc. require hardware or software agents running on the servers in addition to the appliance. This approach generally costs some performance; Kasten Chase estimates a 10% impact on Fibre Channel SAN performance. The upside is that this approach scales more easily.

Performance concerns have kept some organizations away from storage encryption. At Deloitte Consulting, IT managers have considered encrypting storage. With many clients in privacy-conscious Europe, Deloitte could use encryption to reassure regulators, says CTO Eric Eriksen.

"But each time we've looked at it, we've become concerned with the performance issue. The only way to resolve that would be to test some appliances, which we haven't done yet," he says.

In the meantime, Deloitte has used encryption features built into applications such as e-mail to protect some data while in transit.

This was first published in January 2004
