Whether you're mandated by law to encrypt your data, or whether you're just overly cautious, there are a lot of ways to secure "data at rest."If you want to encrypt data that lives on a Fibre Channel (FC) array, at least two vendors--Decru, with its Data Fort storage security appliance, and NeoScale, with CryptoStor FC--have inline encryption appliances that live directly in the fabric.
But one competitor, Vormetric, has grave doubts about the wisdom of encrypting data at the block rather than at the file level. "With a SAN, you have limited context about the source of read and write requests," says Phil Grasso, Vormetric founder and VP. "That makes it nearly impossible to implement access control because the context has already been stripped." Also, without a file system, you can't granularly encrypt files; you must encrypt entire volumes instead.
One logical place to use block level data is with removable media, such as tape, Grasso says. "Block level encryption protects removable media just fine, because I can't trick you into decrypting it for me." Both NeoScale and Decru offer versions of their encryption appliances optimized for tape.
Decru director of marketing Michele Borovac admits that "there are definite advantages to encrypting at the file level," and integrate directly with NFS and CIFS environments.
But not everyone has the luxury of operating over a file system--many database administrators forsake file systems in order to eek more performance out of their systems. In those environments, therefore, inline block encryptors are a necessity.
Analyst Arun Taneja of the Taneja Group has another concern about block data encryption appliances: data traveling across the fabric in the clear. Granted, data only travels between the host and the appliance, but "if I had a crooked mind, I would attack the data not after the FC switch, but before."
If the switch and host are in the same rack, you're probably fine, Taneja says. If however they are separated by several kilometers, "you are certainly very exposed."