This article can also be found in the Premium Editorial Download "Storage magazine: Storage products of the year 2003."
Download it now to read this article plus other related content.
Consider a situation where an enterprise had several applications generating critical data that required encryption. The data that had to be integrated came from different applications. If different applications running on different operating systems handled encryption differently, it's likely that data would have to be decrypted before it could be integrated, causing extra overhead and a security risk.
But whether you opt for storage-centric or application-centric approach, you'll have to accept one central fact: All storage encryption products today are highly proprietary. While most use standard encryption algorithms such as the FIPS-approved 256-bit Advanced Encryption Standard as the starting point, they take different approaches to things such as authenticating users and storage devices and clustering. That means storage encryption appliances don't interoperate.
"Encryption appliances right now are point solutions ... once you've selected one, you're pretty much stuck with that approach," says Enterprise Storage Group's Marrone-Hurley. That's because in industries such as healthcare and financial services, organizations are required to retain patient and customer records data for years or even decades. Such organizations must be able to store encryption keys securely for years and find them when they need them. While Neoscale and Decru appliances encrypt tape-bound data, storage managers should think twice before using encryption, particularly for protecting
According to W. Curtis Preston, founder of The Storage Group, if encryption appliance vendors were to fail and stop providing support, users with large amounts of archival data on tape could be confronted with the large job of trying to decrypt it. Therefore, Preston says, encryption is a better fit for backup applications involving tape because recovery would be easier.
In either case, says Preston, users considering encryption for tape should ensure the appliance they choose does compression as well as encryption.
"What if [the encryption appliance] were to go away?" says Kevin Granhold, manager of network services at the University of Texas Health Science Center in Houston, which has installed a NeoScale CryptoStorFC to protect patient data stored on a Compaq EMA 12000 SAN.
"Given that the appliance is proprietary and available from only one vendor, we had to make sure that we could make copies of the keys and store them in a secure location," he says.
Adding new features
In response to these concerns, storage encryption vendors have been beefing up their systems' key management capabilities. Last spring, Decru added what it calls "lifetime key management" features to its DataFort appliances. They include clustering and automated key backup, which ensures that keys are always stored in two different appliances. In the event that both appliances are destroyed, Decru also makes a software recovery tool that can be used to decrypt data stored on FC SANs, NAS or tape devices. NeoScale supports similar features.
Such failsafe features have convinced storage managers like United's Pilafas to overlook the proprietary nature of encryption appliances. "I'm not a big fan of proprietary appliances, especially appliances that sit in-band," he says. "They have to make a real good argument. In this case, they did."
Even if a case can be made for storage encryption in your organization, it's important to keep one thing in mind: Encryption should be thought of as just a piece of the storage security puzzle, not as a silver bullet. Besides using encryption to beef up the privacy of data at rest on networked storage devices and in transit, storage managers should also work to develop a coherent set of storage security policies, make sure strong authentication and authorization exists between SAN and NAS fabric elements and create mechanisms for auditing fabric changes.
This was first published in January 2004