This article can also be found in the Premium Editorial Download "Storage magazine: Storage products of the year 2003."
Download it now to read this article plus other related content.
But one competitor, Vormetric, has grave doubts about the wisdom of encrypting data at the block rather than at the file level. "With a SAN, you have limited context about the source of read and write requests," says Phil Grasso, Vormetric founder and VP. "That makes it nearly impossible to implement access control because the context has already been stripped." Also, without a file system, you can't granularly encrypt files; you must encrypt entire volumes instead.
One logical place to use block level data is with removable media, such as tape, Grasso says. "Block level encryption protects removable media just fine, because I can't trick you into decrypting it for me." Both NeoScale and Decru offer versions of their encryption appliances optimized for tape.
Decru director of marketing Michele Borovac admits that "there are definite advantages to encrypting at the file level," and integrate directly with NFS and CIFS environments.
But not everyone has the luxury of operating over a file system--many database administrators forsake file systems in order to eek more performance
Analyst Arun Taneja of the Taneja Group has another concern about block data encryption appliances: data traveling across the fabric in the clear. Granted, data only travels between the host and the appliance, but "if I had a crooked mind, I would attack the data not after the FC switch, but before."
If the switch and host are in the same rack, you're probably fine, Taneja says. If however they are separated by several kilometers, "you are certainly very exposed."
This was first published in January 2004