Setting roles and encryption policies
Before setting up security policies, you must decide on the number of separate roles (such as security officer, auditor, backup operator, storage operator and compliance operator) that will have access to the encryption system. The three appliances also require security policies that define what data will be encrypted. This may be as simple as encrypting all of the data in a particular folder or as complex as encrypting all .txt, .xls or .db files used by a particular program and user ID.
Each type of encryption has its pros and cons. The agent-based method used by Kasten Chase and Vormetric is more flexible: Specific files, folders or application data can be encrypted on any storage device, and multiple host bus adapters (HBAs) per server are easily supported. NeoScale's encryption is Fibre Channel (FC)-only and carried out at the block level, so an entire LUN is either encrypted or not. On the other hand, because Kasten Chase and Vormetric rely on agents on each server, agents must be available for the operating system in use; however the agents can degrade server performance by 5% to 10%. The NeoScale device doesn't impact server performance and is operating system agnostic.
All of these products will encrypt only the data that passes through them. If you have an existing file system that needs to be encrypted, you'll need to rewrite everything in it or copy everything from the old unencrypted store to the new encrypted one. The manufacturers recommend that you do this before allowing user access; if users access the system before a volume is fully encrypted, it could result in files that are only partially encrypted because only the changed blocks are encrypted when a file is altered.
Another thing to keep in mind: Once you buy into one of these systems, there's no simple migration to another encryption product. These products are designed using standard encryption algorithms, but the way they're applied is different, so there's no interoperability among various products. To move from one product to another, you have to decrypt everything using the original product, uninstall, install the second product and re-encrypt all the data
In testing each product, we used Iometer to generate traffic between a server and storage using a Hewlett-Packard DL380 dual-Xeon 2.8GHz server with a QLogic QLA2342 HBA and a Nexsan SATABlade storage subsystem, enabled encryption and re-tested to see how much impact encryption had on throughput. Kasten Chase supplied a Dell PowerEdge 2850 singleprocessor 3.2GHz server with its Crypto-Accelerator card installed. In all three cases, throughput was minimally impacted with encryption working, although server utilization was up 5% to 10% with the Kasten Chase and Vormetric products.
|
 |
|
