By Lisa Coleman
IT organizations are redefining data protection to encompass more than just backup, restore, and replication. Today, data protection sometimes means a bullet-proof vest for data on storage arrays, and maybe even tape libraries.
Some companies are adding encryption and authentication devices to their networks to help meet regulatory requirements. Securing data also builds an environment of trust, a much less tangible but increasingly necessary piece of a networked storage infrastructure.
Both issues are fueling sales of security appliances that sit on a storage area network (SAN) or are connected to network-attached storage (NAS) for protecting data "at rest." Most companies protect data-in-transit via 128-bit SSL encryption, but this does not protect data when it reaches its destination on storage subsystems. Protecting data at rest and in transit should not be confused with perimeter security such as intrusion detection systems (IDSs).
"Data protection used to simply mean backup, restore, and archival. Moving forward, the term has to include security of that data, both in flight and at rest," says Arun Taneja, consulting analyst and founder of The Taneja Group.
Protecting data at rest is the focus of a handful of security appliance vendors, including Decru, Kasten Chase, NeoScale, and Vormetric.
Traditional storage network security measures such as zoning and LUN masking do not provide sufficient data protection in some environments, according to analysts. Often, mission-critical data is stored in clear text (that is, unencrypted) on a storage array and, therefore, is vulnerable. To keep data safe, 256-bit encryption provides data security and reassures companies that data is protected.
Security is often implemented at the perimeter via firewalls, etc., but that does not protect data "at rest" on storage subsystems.
It is this reassurance that appealed to online backup-and-recovery service provider SwapDrive, which uses Web-based software for backup/recovery of PCs. Users send data over the Internet to SwapDrive's data center in Virginia (data is mirrored to a site in California).
While SwapDrive uses IDS, firewalls, and SSL encryption for data sent over the Internet, it wanted more security for its data centers. SwapDrive chose Decru's DataFort E510 security appliance and software to protect more than 40TB of data on its EMC Celerra NAS infrastructure. SwapDrive has been using two E510s in a redundant configuration since January. Files are transferred from PCs over the Internet, through the Decru box, and onto the Celerra devices.
"We always felt we had a secure system for the threat of outside hackers because of the IDS and firewalls," says David Steinberg, CEO of SwapDrive. "[Adding security appliances] was more to solve customers' worries about whether they can trust a third party to secure their data." (SwapDrive partners with Internet service providers and managed services organizations, which re-brand its services.)
SwapDrive also chose Decru's security appliances because the authentication and encryption was transparent to end users, who don't have to handle any encryption key management tasks, says Steinberg. Like its competitors, Decru uses AES 256-bit key encryption—the most secure level of encryption.
One of SwapDrive's concerns about using an encryption device was whether it would introduce latency or impact performance, says Steinberg. However, the company has not noticed any performance or latency problems since installing the security appliances, and users have not noticed any change in service.
"Our users have no idea it's there. It's not intrusive, it doesn't slow you down, and you can do things the way you used to," says Steinberg.
Decru recently introduced the E510 for NAS. The DataFort family offers secure access controls, authentication, encryption, and secure logging. The DataFort SAN product works with Fibre Channel networks and supports tape encryption. Decru supports CIFS and NFS and plans to support iSCSI in the near future.
"To really control stored data you have to control the network access points, but you also have to control the data itself," says Kevin Brown, vice president of marketing at Decru. "We do it transparently without changing your infrastructure."
Typical NAS security consists of access controls that can be easily manipulated and are a point of vulnerability. The E510 offers secure access controls and authentication for enforcing all access to NAS and integrates with directory servers such as LDAP, Active Directory, and NIS.
Other security features include secure logging for configuring audit trail logs and lifetime key management for automating encryption key backup, recovery, archiving, and simplifying key management. The E510 is priced at $30,000 with various options for clustering.
Decru recently joined Sun Microsystems' iForce partner program. The company is also working with Network Appliance and MDY Advanced Technologies for securing electronic records management per Department of Defense regulation 5015.2 (see sidebar).
Security for regulation
The Health Science Center of the University of Texas at Houston decided to implement storage-level security to ensure that it was meeting all state and federal government regulatory standards, according to Kevin Granhold, manager of network services.
Granhold had to tackle many issues surrounding his users' data, which included various types of sensitive and confidential data associated with healthcare and research. He also needed to sort out how users interact with data, how it was protected, and who had access to it.
An outside consulting firm was employed to help investigate options for a storage infrastructure and security. The Health Science Center now has a Fibre Channel SAN based on a Hewlett-Packard EMA 12000 array with two NeoScale Systems CryptoStor FC security appliances. The appliances inspect storage traffic, apply data access controls and data encryption at gigabit rates, and centrally manage data privacy policies.
Because the security appliance sits between the operating system and disks, users are not aware that it is encrypting files, and it does not affect their workflow or network performance, says Granhold. "The greatest advantages are ease of implementation, manageability, no performance degradation, and no training for end users," he says.
For Synopsys, a developer of design automation software for semiconductor design, protection of intellectual property was paramount, because the company's customers demand total security for their designs. Synopsys implemented storage-level security primarily to protect intellectual property.
"Synopsys is committed to protecting our customers' intellectual property," says Van Nguyen, director of intellectual property security. In the past, the company used point solutions for all types of security, but that often meant re-plumbing the infrastructure, which impacted production and R&D.
Synopsys chose Vormetric's CoreGuard security system for its multi-terabyte SAN. The company has been using the system in one business unit for six months and plans to deploy CoreGuard in other business units in the future.
CoreGuard consists of a server and a software module. The software is installed on hosts and CoreGuard servers for encryption, access control, and security policy implementation. It can be used in SAN, NAS, or direct-attached storage configurations and includes intrusion detection and prevention systems. The system also provides data access reports.
"We can provide our customers with a monthly report that shows who has access to the data, what was done to it, and if there were any violations we need to review. It gives our customers the trust that we are doing our best to protect the data," says Nguyen.
NetApp teams up for securing records management
By Lisa Coleman
Network Appliance is part of a team that has developed an encrypted records management application (RMA) system certified to the Department of Defense (DoD) 5015.2 standard. The system lets users more easily manage data while meeting data-protection and shredding regulations. DoD 5015.2 is a certification that must be met before the DoD will acquire any records management product.
The system includes MDY's FileSurf records management software, Decru's DataFort storage security appliance, and Network Appliance filers, including NearStore and the fabric-attached storage (FAS) product line. The system is also qualified with software from KVS and Documentum.
In addition to DoD compliance, the three vendors also believe the system will satisfy other regulatory requirements such as Sarbanes-Oxley and HIPAA.
The system uses MDY's FileSurf software for automating physical, electronic, and e-mail record-keeping processes. Decru's DataFort provides encryption on Oracle and Microsoft SQL Server databases running on Network Appliance's FAS or NearStore systems.
Starting price for the bundled system is $60,000, including one Decru DataFort security appliance, a Network Appliance FAS 250 with 1TB, and MDY's FileSurf software.
Network Appliance and a number of other vendors have partnered to develop a bundled system that provides encryption for records management applications.