Is it Wise to Encrypt Blocks? - Storage Technology Magazine

Is it Wise to Encrypt Blocks?

Whether you're mandated by law to encrypt your data, or whether you're just overly cautious, there are a lot of ways to secure "data at rest." If you want to encrypt data that lives on a Fibre Channel (FC) array, at least two vendors--Decru, with its DataFort storage security appliance, and NeoScale, with CryptoStor FC--have inline encryption appliances that live directly in the fabric.

But one competitor, Vormetric, has grave doubts about the wisdom of encrypting data at the block rather than at the file level. "With a SAN, you have limited context about the source of read and write requests," says Phil Grasso, Vormetric founder and VP. "That makes it nearly impossible to implement access control because the context has already been stripped." Also, without a file system, you can't granularly encrypt files; you must encrypt entire volumes instead.
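To make Grasso's "context has already been stripped" point concrete, here is an added model (not code from the article or from any of the vendors named) of the same logical read seen once at the file layer and once after the host's file system has turned it into block I/O. The host WWPN, LUN, file layout, user names and both policies are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRequest:
    """What a file-system-level encryption agent sees: who is asking, for which file."""
    uid: str
    path: str


@dataclass(frozen=True)
class BlockRequest:
    """What an in-fabric FC appliance sees: initiator port, LUN, block address. No user, no file."""
    initiator_wwpn: str
    lun: int
    lba: int


# Constructed sample environment (not from the article): one database host, one LUN,
# two files on that LUN, two users on the host.
HOST_WWPN = "21:00:00:e0:8b:00:00:01"  # constructed WWPN
DB_LUN = 5
LBA_OF = {"/db/customers.tbl": 4096, "/db/orders.tbl": 65536}  # constructed layout

# A block-layer policy can only be keyed on what the fabric carries: (initiator, LUN).
BLOCK_POLICY = {(HOST_WWPN, DB_LUN)}
# A file-layer policy can name principals and individual files on the same volume.
FILE_POLICY = {
    "dba": {"/db/customers.tbl", "/db/orders.tbl"},
    "reporting": {"/db/orders.tbl"},
}


def strip_to_block(req: FileRequest) -> BlockRequest:
    """The host's file system turns a file read into block I/O; uid and path do not survive."""
    return BlockRequest(HOST_WWPN, DB_LUN, LBA_OF[req.path])


def block_layer_allows(req: BlockRequest) -> bool:
    """A permitted host gets the whole LUN decrypted; no per-file or per-user distinction is possible."""
    return (req.initiator_wwpn, req.lun) in BLOCK_POLICY


def file_layer_allows(req: FileRequest) -> bool:
    """Per-user, per-file decision, made before the context is lost."""
    return req.path in FILE_POLICY.get(req.uid, set())


def compare(req: FileRequest) -> tuple[bool, bool]:
    """(file-layer decision, block-layer decision) for the same logical read."""
    return file_layer_allows(req), block_layer_allows(strip_to_block(req))
```

Running `compare(FileRequest("reporting", "/db/customers.tbl"))` returns `(False, True)`: the file-layer agent denies the read, while the in-fabric appliance sees only a permitted host reading a permitted LUN and decrypts it.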

One logical place to use block-level encryption is with removable media, such as tape, Grasso says. "Block level encryption protects removable media just fine, because I can't trick you into decrypting it for me." Both NeoScale and Decru offer versions of their encryption appliances optimized for tape.

Decru director of marketing Michele Borovac admits that "there are definite advantages to encrypting at the file level," and says Decru's products integrate directly with NFS and CIFS environments.

But not everyone has the luxury of operating over a file system--many database administrators forsake file systems in order to eke more performance out of their systems. In those environments, therefore, inline block encryptors are a necessity.

Analyst Arun Taneja of the Taneja Group has another concern about block data encryption appliances: data traveling across the fabric in the clear. Granted, data only travels between the host and the appliance, but "if I had a crooked mind, I would attack the data not after the FC switch, but before."

If the switch and host are in the same rack, you're probably fine, Taneja says. If however they are separated by several kilometers, "you are certainly very exposed."

This was first published in January 2004