Datrium Inc. is adding security to its storage with a Blanket Encryption application designed to secure deduplicated...
and compressed data at the host server, in flight across the network and at rest.
The Sunnyvale, Calif., startup began shipping its flagship DVX storage system for VMware virtual machines (VMs) just over a year ago. The Datrium storage software runs on customer-supplied servers, infused with flash cache to accelerate data reads, and the DVX system has disk-based NetShelf appliances for persistent back-end storage.
The Datrium storage software orchestrates data placement between the servers and the NetShelf appliances, and provides features such as always-on inline deduplication and compression to reduce a customer's data footprint.
The new Datrium Blanket Encryption product, which is due to ship in April at a cost of $10,000 per DVX system, takes aim at the growing problem of data breaches. The Datrium storage software can encrypt deduplicated and compressed data at the application server's RAM to ensure data is secure as it moves across the network between host servers and storage.
"We have service providers who can't wait to talk about this with their customers," said Craig Nunes, Datrium's vice president of marketing. "Financial services are very excited about it. Health organizations have got a lot of [Health Insurance Portability and Accountability Act] HIPAA-related requirements. And we expect as we do more business in federal government that they're going to be relieved that we've got this capability covered."
Datrium encryption vs. other options
Nunes said that, unlike self-encrypting drives that must be purchased with storage systems, software-based encryption allows Datrium customers to "just flip a switch and turn on" encryption at any time.
Mike Matchett, a senior analyst and consultant at Taneja Group, said data stays encrypted only where stored locally with many other types of software-defined storage and traditional shared array designs. He said, with those systems, the data is unencrypted when sent across the network. In some cases, the data is re-encrypted in flight, unencrypted at the receiving side and then encrypted again on the data at rest.
Matchett said some systems can send host-encrypted data, but they ruin the deduplication and compression ratios in the remote storage, backup appliances or cloud storage.
Russ Fellows, a senior partner at Evaluator Group Inc., said he knows of no other vendors that offer in-memory, host-based encryption of deduplicated and compressed data from host to storage. He said VMware vSAN is due to offer hypervisor-based encryption, but it is not clear how key management will occur and if there would be opportunities to attack the data prior to vSAN encryption.
Fellows said VMware is one of the few vendors to provide in-memory encryption for data at rest. But the VM encryption in VMware's vSphere 6.5 does not allow VMware's vSAN and other storage systems to deduplicate and compress the data, he said.
"Providing complete security is really hard to do, and very few things actually do it today. I won't say this [Datrium product] is 100% of the way there, but it's a great step," Fellows said. "The people who really get security will get that [Datrium Blanket Encryption] is a big deal. The people that just want a checkbox won't care."
Fellows said one weakness of the Datrium storage product is key management. He said Datrium Blanket Encryption uses its own key manager, as do many storage products that offer encryption. He said a better approach is third-party key managers that support the new OASIS Key Management Interoperability Protocol (KMIP) open standard.
Nunes said Datrium plans to support enterprise key managers, which generally support APIs such OASIS Public-Key Cryptography Standard and KMIP, as well as offering customers the option of Blanket Encryption's built-in key manager.
"We just wanted people to be able to drop this in their environment, turn it on and begin encrypting their data," he said.
Nunes said the Datrium storage product's built-in key management offers support for key rotation policies, a password requirement when powering up from lock-down mode, and secure erase to wipe data from systems.
To minimize the performance impact of Blanket Encryption, Datrium relies on the Advanced Encryption Standard New Instructions (AES-NI) built into the Intel and AMD processors of most enterprise servers purchased since 2012, Nunes said. AES-NI is designed to speed encryption and decryption.
Fellows said he advised customers to use newer servers with Datrium Blanket Encryption. "Assuming your host has lots of cores, and they're newer Intel cores with all these new instruction sets, they can take advantage of those native instructions to optimize those operations. And usually there is extra processor capability available on hosts today," he said.
Matchett said the hardware acceleration provided by the newer Intel chipset will likely result in little or no noticeable impact on performance. He said Datrium Blanket Encryption would appeal to organizations that want security but don't want to bother with encryption key management.
Readers' top encryption products
Pros and cons of end-to-end encryption
Startup Datrium is one company to keep an eye on