Encryption appliances reviewed

This article can also be found in the Premium Editorial Download "Storage magazine: Boosting data storage array performance."


Setting roles and encryption policies
Before setting up security policies, you must decide on the number of separate roles (such as security officer, auditor, backup operator, storage operator and compliance operator) that will have access to the encryption system. The three appliances also require security policies that define what data will be encrypted. This may be as simple as encrypting all of the data in a particular folder or as complex as encrypting all .txt, .xls or .db files used by a particular program and user ID.

Each type of encryption has its pros and cons. The agent-based method used by Kasten Chase and Vormetric is more flexible: Specific files, folders or application data can be encrypted on any storage device, and multiple host bus adapters (HBAs) per server are easily supported. NeoScale's encryption is Fibre Channel (FC)-only and carried out at the block level, so an entire LUN is either encrypted or not. On the other hand, because Kasten Chase and Vormetric rely on agents on each server, an agent must be available for the operating system in use, and the agents can degrade server performance by 5% to 10%. The NeoScale device doesn't impact server performance and is operating system agnostic.

All of these products will encrypt only the data that passes through them. If you have an existing file system that needs to be encrypted, you'll need to rewrite everything in it or copy everything from the old unencrypted store to the new encrypted one. The manufacturers recommend that you do this before allowing user access; if users access the system before a volume is fully encrypted, it could result in files that are only partially encrypted because only the changed blocks are encrypted when a file is altered.
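The partial-encryption failure described above, as an added example that is not from the article or from any of the vendors: a Python model of a device that encrypts only the blocks written through it, with an entropy heuristic that flags blocks still stored in plaintext. The stand-in cipher, block size, sample data and the 7.0 threshold are all assumptions made for the illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 512  # block size in bytes (constructed for the demo)

def stand_in_encrypt(key: bytes, index: int, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream. Illustration
    only, not any reviewed product's algorithm."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        seed = key + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext scores high, text far lower."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def plaintext_blocks(volume, threshold=7.0):
    """Indexes of blocks that still look unencrypted (heuristic threshold)."""
    return [i for i, blk in enumerate(volume) if entropy(blk) < threshold]

def write_through(volume, key, index, plaintext):
    """Model of the inline device: only the block being written is encrypted."""
    volume[index] = stand_in_encrypt(key, index, plaintext)

def demo():
    key = b"constructed-demo-key"
    # Constructed sample: an 8-block text file that predates the encryptor.
    record = b"acct=0001;name=Example User;balance=100.00\n"
    data = (record * 100)[: 8 * BLOCK]
    volume = [data[i * BLOCK:(i + 1) * BLOCK] for i in range(8)]
    # A user edits blocks 2 and 5 before the volume has been rewritten.
    for i in (2, 5):
        write_through(volume, key, i, volume[i].replace(b"100.00", b"250.00"))
    before = plaintext_blocks(volume)  # the file is now only partially encrypted
    # Migration step: push every remaining block through the encryptor.
    for i in before:
        write_through(volume, key, i, volume[i])
    return before, plaintext_blocks(volume)

if __name__ == "__main__":
    print(demo())
```

The first list returned by `demo()` is the set of blocks left in plaintext after the early user edits; the second is empty once every block has been rewritten through the encryptor.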

Another thing to keep in mind: Once you buy into one of these systems, there's no simple migration to another encryption product. These products are designed using standard encryption algorithms, but the way they're applied is different, so there's no interoperability among various products. To move from one product to another, you have to decrypt everything using the original product, uninstall, install the second product and re-encrypt all the data.

In testing each product, we used Iometer to generate traffic between a server and storage, using a Hewlett-Packard DL380 dual-Xeon 2.8GHz server with a QLogic QLA2342 HBA and a Nexsan SATABlade storage subsystem. We then enabled encryption and re-tested to see how much impact encryption had on throughput. Kasten Chase supplied a Dell PowerEdge 2850 single-processor 3.2GHz server with its Crypto-Accelerator card installed. In all three cases, throughput was minimally impacted with encryption working, although server utilization was up 5% to 10% with the Kasten Chase and Vormetric products.

This was first published in January 2006
