This article can also be found in the Premium Editorial Download "Storage magazine: Boosting data storage array performance."
COST: Starts at $15,000 for one security server and one Policy Enforcement Module (agent)
PLATFORM: Windows, Solaris, AIX, Linux (32- and 64-bit), HP-UX
Vormetric's CoreGuard consists of a security server and one Policy Enforcement Module (agent), and is an extremely flexible system for determining what data is encrypted and which users have access to that data. According to Vormetric, some customers use the system for access control and policy management without enabling the encryption. The system supports a wide range of operating systems, including Windows XP/2000/2003, Red Hat and SUSE Linux, AIX, Solaris 8/9 and HP-UX. Installing the driver is easy, and the impact on server utilization runs from 5% for low loads to nearly 20% under heavy loads.
Setting up the appliance is straightforward: There's a console-based setup utility for network configuration and browser-based administration software for the rest of the configuration. (Unfortunately, the browser-based administration software doesn't work with Firefox.) In addition to a dedicated management Ethernet port and a heartbeat port for failover, CoreGuard has two gigabit Ethernet ports and two gigabit interface converter (GBIC) ports for fiber or copper gigabit Ethernet.
CoreGuard offers a strong feature set for auditing and monitoring data access, as well as tracking user IDs and applications used to access data. It can limit access to files to particular applications, for instance, making a text file accessible through WordPad but not Word. It can protect system files in specific folders (.DLL files in the Windows/System32 folder, for example). Vormetric recommends clustering appliances in a geographically distributed architecture. The system supports auto-replication between appliances. Administrators can set up an offline mode that prompts for passwords and allows access when an appliance is offline or unavailable over a WAN.
The appliance can control which directory an application runs from, so a same-named application installed elsewhere by spyware or a Trojan won't run. A host integrity feature allows administrators to restrict applications on a server to signed applications, so other applications won't be permitted to run. When you set up a folder, the folder should be empty because anything in it will be automatically encrypted.
With a starting price of $15,000 for one security server and one Policy Enforcement Module, the CoreGuard system is an extremely flexible encryption and access control system. Its performance is the lowest (server utilization is highest), although in our tests the server was still able to maintain maximum throughput over a 2Gb/sec FC adapter. However, it offers great access control, support for a wide variety of server operating systems and features that might make it a fit for some organizations that don't need encryption, but want greater access control.
This was first published in January 2006