With new and stricter privacy laws, encryption is playing an increasingly important role in securing storage. When evaluating encryption for NAS, two types of encryption should be considered. The first protects data in transit: where deemed necessary, IPsec is typically employed to encrypt the communication between clients and the NAS. Because encrypting traffic adds processing overhead, NAS vendors offer IPsec accelerator cards; for WSS, any of the IPsec accelerator cards available for Windows Server, such as those from Cavium Networks, can be used.
The second type of encryption is the encryption of the data on the storage itself. This is typically accomplished by deploying an encryption appliance in front of the NAS that encrypts files entering the NAS and decrypts files originating from the NAS. The primary players in this field are Decru's DataFort (Decru is now a NetApp company) and NeoScale Systems Inc.'s CryptoStor. Both products are available as clustered solutions and, besides high performance and scalability, they work at the protocol level, which makes them usable for both file-based (NAS) and block-based (iSCSI) storage access.
Alternatively, you can use a software-based encryption product that runs on NAS clients, such as Vormetric Inc.'s CoreGuard. The benefit of a client-based encryption product is its ability to encrypt data from the client to the NAS without requiring additional encryption for the network connection itself. On the
"Although we have standardized on NeoScale CryptoStor for network-based encryption, we default more to host-based encryption using Vormetric CoreGuard as it secures the full path from the client to the NAS," explains EDS' Bowers.
Audit trails and security logs
Security logs are the facility through which security devices report security events, but they can be large and overwhelming, so they are often ignored. At a minimum, proper logging should be enabled on every device so that detailed analysis is possible when needed. Better yet, security logs should be reviewed and scrutinized periodically, semi- or fully automatically, using the reporting and alerting capabilities of the security devices themselves or dedicated security incident and event management (SIEM) tools that aggregate logs from multiple devices.
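As an added illustration of the aggregation the paragraph describes (this is example code, not part of the original article or any vendor product), the script below normalizes log lines from two devices with different formats, a NAS file server and an IPsec gateway, into common events and flags clients that fail repeatedly or fail at more than one device. The log lines and their formats are constructed for the example; real devices will need their own parsers.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not from any real product): a NAS file server and an
# IPsec gateway, each in its own format, as a SIEM collector would receive them.
NAS_LOG = """\
2007-09-03T10:00:01 nas01 cifs: auth failure user=jdoe client=10.1.1.20
2007-09-03T10:00:04 nas01 cifs: auth failure user=jdoe client=10.1.1.20
2007-09-03T10:00:09 nas01 cifs: auth failure user=jdoe client=10.1.1.20
2007-09-03T10:02:30 nas01 nfs: access denied export=/vol/finance client=10.1.1.31
2007-09-03T10:05:00 nas01 cifs: login ok user=asmith client=10.1.1.25
"""
IPSEC_LOG = """\
2007-09-03T09:59:50 ipsec-gw ike: negotiation failed peer=10.1.1.20 reason=auth
2007-09-03T10:04:55 ipsec-gw ike: tunnel established peer=10.1.1.25
"""
# One parser per device format; each yields (timestamp, device, client, outcome).
NAS_RE = re.compile(r"^(\S+) (\S+) \S+: (auth failure|access denied|login ok) .*client=(\S+)")
IPSEC_RE = re.compile(r"^(\S+) (\S+) ike: (negotiation failed|tunnel established) peer=(\S+)")
FAILURE_KINDS = {"auth failure", "access denied", "negotiation failed"}

def normalize(text, pattern):
    """Parse one device's log text into common event tuples; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            ts, device, kind, client = m.groups()
            events.append((datetime.fromisoformat(ts), device, client, kind))
    return events

def find_suspicious_clients(events, threshold=3, window_s=300):
    """Flag clients with `threshold`+ failures inside any `window_s` span or failures on >1 device."""
    failures = defaultdict(list)
    for ts, device, client, kind in sorted(events):
        if kind in FAILURE_KINDS:
            failures[client].append((ts, device))
    alerts = {}
    for client, fails in failures.items():
        times = [ts for ts, _ in fails]  # already in time order
        reasons = []
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            reasons.append(f"{threshold}+ failures within {window_s}s")
        devices = sorted({dev for _, dev in fails})
        if len(devices) > 1:  # the same client failing at the gateway and at the NAS
            reasons.append("failures on multiple devices: " + ", ".join(devices))
        if reasons:
            alerts[client] = reasons
    return alerts
```

Calling `find_suspicious_clients(normalize(NAS_LOG, NAS_RE) + normalize(IPSEC_LOG, IPSEC_RE))` on the sample flags only 10.1.1.20, which fails IKE authentication and then three CIFS logins within 14 seconds, while the single NFS denial from 10.1.1.31 stays below the threshold.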
This was first published in September 2007