Decru, the storage encryption company owned by Network Appliance, is using Mu Security's security analysis product to find vulnerabilities in its own security appliances.
If this sounds paranoid, think again, says Jon Oltsik, senior analyst, information security at Enterprise Strategy Group, Milford, MA. "Extending the vulnerability mindset into storage is an important step toward really safeguarding sensitive data," he says. "Encryption technology has a giant target painted on it."
Decru has deployed the Mu-4000 Security Analyzer to "see where hackers might be able to exploit our product," says Kevin Brown, Decru's VP of marketing. "It generates millions of permutations for how hackers might attack us. For example, is our key management system leaking information?"
By using the tool, Decru hopes to catch vulnerabilities earlier in its development cycle and speed up its time to market, says Brown, adding that none of Decru's customers has reported any weakness in the product yet.
Joel Schwalbe, VP of technical services at CNL Financial Group, has been using Decru's product for approximately a year to encrypt all of his company's data going to tape and says they haven't experienced any security issues so far. "We're a small company, so we're relying on Decru to perform this kind of testing for us," he says.
Decru competitors NeoScale Systems and Vormetric say it's important to conduct this kind of testing. Both firms do so, but they were surprised that Decru would want to advertise which products it uses to perform these tests.
"It's like raising a red flag to a bull," says Tom Grubb, VP of marketing at Vormetric.
Dore Rosenblum, NeoScale's VP of marketing, says NeoScale is working with Entrust to authenticate devices touching its product, and with Optica Technologies to integrate its mainframe tape-encryption keys under the NeoScale CryptoStor KeyVault system.
EMC isn't sitting on the bench in this area. It recently acquired Network Intelligence, which maintains logs on all security-related activity on a network. EMC's motives for acquiring Network Intelligence, however, are a bit more transparent than Decru's partnership with Mu Security.
"Security logs eat tons and tons of storage," says Oltsik. "Increasingly, a security requirement is going to lead to a storage data management requirement."