Atempo's SCM, launched Monday, provides digital signatures, reporting and key management, as well as encryption and hash algorithms bundled into the TimeNavigator backup product. The software, contained in agents placed on the application server, encrypts data at the source and sends it securely over the wire.
Veritas Software Corp.'s NetBackup product also offers an encryption option, as do a multitude of smaller companies. What Atempo says is different about its product is that it includes several more security functions, including compression, digital signatures and reporting features.
That's what set TimeNavigator apart for Maurice Auger, manager of operations for backup and archiving outsourcing firm Data Base File Tech Group (DBTF), and an early beta tester of TimeNavigator SCM.Auger said he would be using the SCM features to create a new service through the company's InfoSure offerings. Currently, Auger said, DBTF performs backups for more than 60 companies, for about 3 terabytes overall. Auger said his company will be testing the product over the next month "to see if we need to implement separate security backup servers, how to implement it and if our customers understand what we're selling." Auger said he expects to go with the product when all is said and done because of the ability to classify data within it. "It's up to our customers which services they use," Auger said. "With the SCM product, we can select who uses that feature and how they use it." "Right now, they're kind of the only game in town in terms of seeing a broader picture of security within a backup product," said Taneja, founder and analyst with the Taneja Group. "Eventually, though, everyone will probably have features like this."
But running security functions on the application server still carries a problem: performance impact.
"The fact that it does compression at the data source is a new feature for backup software as well," said an industry expert familiar with the data security space. "But it's not necessarily better in terms of performance. The concern is that you're moving all this back to the client and overloading it."
It's a problem Auger acknowledged. "It's one of the things we're going to be looking at in our beta testing." However, he said, the cost of performance impacts would simply be passed along to customers as part of the security backup service and would not be the top priority in his testing."I don't think software-based encryption is necessarily bad," despite the fact that it's "capable of destroying performance and it can make backup windows longer," Arun Taneja countered. "But if your application servers have spare cycles and it's implemented properly, something like this can be very effective."
Taneja pointed out that putting security at the application layer actually offers one advantage, security-wise, over hardware appliances. "An appliance sits next to a switch on the network," Taneja said. "Data passing between the application server and the switch is exposed. If the encryption and security is applied at the source, it's never exposed over the wire."
Another advantage of a software-based product is cost. An entry-level configuration package of 10 secure agents, one Time Navigator server with the Security and Compliance Manager, and one tape drive connection starts at $9,000. By comparison, an entry-level Decru Inc. DataFort appliance for encrypting backup tapes runs about $25,000.
Ultimately, analysts say, the biggest reason to embrace software-based security is because it's better than no security at all. In a recent GlassHouse Technologies Inc. survey, 54% of the more than 300 respondents have no documented procedures for protecting stored data, and 70% of executives rated their company's data storage security as only fair or poor.
According to Michael Karp, senior analyst with Enterprise Management Associates, products like Atempo's could go a long way toward improving that. "It's not clear to me that people are really going to buy point security solutions," Karp said. "They're going to be more interested in a solution well integrated with their general backup and archiving strategies."
Furthermore, it's not the last users will hear from Atempo in the security space, according to Steve Terlizzi, vice president of global marketing. Terlizzi said Atempo plans to pursue offloading encryption processes from the server CPU onto a separate "encryption board" in the server hardware, relieving some of the software's performance impact. Terlizzi declined to comment on a time frame for this announcement.
"They have to solve the issue of performance in order for their solution to be complete," Taneja said. "Today, it's only appropriate for customers who don't consider performance a big issue."