By Ann Silverthorn
This week, NeoScale introduced KeyVault, an appliance that adds automation and flexibility for infrastructure changes to the key management technology included in the company's CryptoStor encryption appliances. The earlier technology let users move keys in order to share information, but the moves could not be driven from a central location, were not automated, and did not accept third-party keys.
"Encryption without key management means you can't read the data—or you may not be able to read it back quickly—which is a problem in operational environments recovering from disaster," says Barbara Nelson, NeoScale's CEO.
"Key management for storage is different from VPN encryption," says Dore Rosenblum, vice president of marketing at NeoScale. "When you use VPN encryption, the data is encrypted across the WAN, but once it leaves the link the key goes away. In storage key management, an encrypted tape might go off-site for years. If you can't find the key when you need the data on the tape, you have big problems."
Rosenblum adds that a key management solution should let users create keys, distribute them for multi-site access, and archive them for long-term access to data. Users should also be able to share keys with business partners and to recover and delete keys. The process has to be automated, because with many manual steps keys can end up somewhere other than where they should be. Rosenblum says key management technology should also be open, so that users do not have to deploy a separate key management solution for every type of storage encryption a company uses.
CryptoStor KeyVault offers automated policy-based key sharing as well as an open base, which supports not just NeoScale's encryption appliances but also encrypting tape drives, backup applications, and other types of encryption solutions.
KeyVault consists of hardware and software that let users back up keys from one or more key domains. NeoScale defines a key domain as a system or set of systems that uses a consistent set of keys to encrypt and decrypt data. Role-based access is configured in the system and establishes tiered levels of control. The keys are stored on a FIPS 140-2 Level 3 system designed to be tamper-resistant: if someone probes the system or opens the lid, all of the keys are disabled, and if the hard drive is stolen from the system, every key on it remains encrypted.
The appliance maintains an audit log that records how keys are shared and where they are stored, and it is designed to restore keys securely. KeyVault can share keys across two data centers; for a disaster-recovery site, access to the keys can be limited to the event in which the data actually needs to be restored. With business partners, rather than sharing all keys, a company can set up a trust relationship so that only a few specific keys are available to the partner, either online or offline. Many companies have supply chain partners, for example, and this lets them encrypt tapes and ship them to those partners separately from the keys.
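The mechanics just described (keys grouped by domain, role checks, a trust relationship that exposes only named keys to a partner, keys handed out wrapped so they travel separately from the tape, disaster-recovery access limited to a declared restore event, and an audit log of every decision) can be modelled in a few dozen lines. The following is an added illustration written for this article, not NeoScale's code; the role names, permission table, `KeyVault` API and the HMAC-based `wrap_key` stand-in for a standard key-wrap algorithm are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed policy: which operations each role may perform.
ROLE_PERMISSIONS = {
    "key_admin": {"create", "share", "declare_event", "restore"},
    "dr_operator": {"restore"},
    "auditor": set(),
}


def wrap_key(key: bytes, kek: bytes) -> bytes:
    """Stand-in for a real key-wrap algorithm such as AES Key Wrap (RFC 3394):
    XOR the key with an HMAC-derived keystream, then authenticate. Illustrative only."""
    nonce = os.urandom(16)
    enc_key = hashlib.sha256(b"enc|" + kek).digest()
    mac_key = hashlib.sha256(b"mac|" + kek).digest()
    stream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(blob: bytes, kek: bytes) -> bytes:
    """Reverse of wrap_key; rejects a blob whose tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hashlib.sha256(b"enc|" + kek).digest()
    mac_key = hashlib.sha256(b"mac|" + kek).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed authentication")
    stream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


@dataclass
class KeyVault:
    """Keys grouped by key domain, with role checks, partner trust
    relationships, a restore-event gate and an append-only audit log."""
    domains: dict = field(default_factory=dict)  # domain -> {key_id: key}
    grants: dict = field(default_factory=dict)   # partner -> {(domain, key_id)}
    restore_event_open: bool = False
    audit_log: list = field(default_factory=list)

    def _authorize(self, actor, role, op):
        if op not in ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append(f"DENY {op} actor={actor} role={role}")
            raise PermissionError(f"role {role!r} may not {op}")

    def create_key(self, actor, role, domain, key_id):
        self._authorize(actor, role, "create")
        self.domains.setdefault(domain, {})[key_id] = os.urandom(32)
        self.audit_log.append(f"CREATE {domain}/{key_id} actor={actor}")

    def grant_partner(self, actor, role, partner, domain, key_id):
        """Trust relationship: expose one named key, not the whole domain."""
        self._authorize(actor, role, "share")
        if key_id not in self.domains.get(domain, {}):
            raise KeyError(f"{domain}/{key_id} does not exist")
        self.grants.setdefault(partner, set()).add((domain, key_id))
        self.audit_log.append(f"GRANT {domain}/{key_id} partner={partner} actor={actor}")

    def export_for_partner(self, partner, domain, key_id, partner_kek):
        """Release a granted key wrapped under the partner's KEK, so the key
        travels separately from the encrypted tape."""
        if (domain, key_id) not in self.grants.get(partner, set()):
            self.audit_log.append(f"DENY export {domain}/{key_id} partner={partner}")
            raise PermissionError("no trust relationship covers this key")
        blob = wrap_key(self.domains[domain][key_id], partner_kek)
        self.audit_log.append(f"EXPORT {domain}/{key_id} partner={partner}")
        return blob

    def declare_restore_event(self, actor, role, is_open):
        self._authorize(actor, role, "declare_event")
        self.restore_event_open = is_open
        self.audit_log.append(f"EVENT restore_open={is_open} actor={actor}")

    def restore_key(self, actor, role, domain, key_id):
        """A disaster-recovery operator gets a key only during a declared restore event."""
        self._authorize(actor, role, "restore")
        if role == "dr_operator" and not self.restore_event_open:
            self.audit_log.append(f"DENY restore {domain}/{key_id} actor={actor}")
            raise PermissionError("no restore event is open")
        self.audit_log.append(f"RESTORE {domain}/{key_id} actor={actor}")
        return self.domains[domain][key_id]


def demo():
    """Run the article's scenarios on constructed data; returns checkable results."""
    vault, results = KeyVault(), {}
    vault.create_key("alice", "key_admin", "tape-backup", "k2006-01")
    vault.create_key("alice", "key_admin", "tape-backup", "k2006-02")
    vault.grant_partner("alice", "key_admin", "acme", "tape-backup", "k2006-01")
    partner_kek = os.urandom(32)  # constructed: the partner's key-encryption key
    blob = vault.export_for_partner("acme", "tape-backup", "k2006-01", partner_kek)
    k1 = vault.domains["tape-backup"]["k2006-01"]
    results["partner_unwrap_ok"] = unwrap_key(blob, partner_kek) == k1
    try:  # the second key was never granted, so export must fail
        vault.export_for_partner("acme", "tape-backup", "k2006-02", partner_kek)
        results["ungranted_blocked"] = False
    except PermissionError:
        results["ungranted_blocked"] = True
    try:  # DR site asks for a key with no restore event declared
        vault.restore_key("dr-site", "dr_operator", "tape-backup", "k2006-01")
        results["dr_blocked_outside_event"] = False
    except PermissionError:
        results["dr_blocked_outside_event"] = True
    vault.declare_restore_event("alice", "key_admin", True)
    results["dr_allowed_in_event"] = vault.restore_key(
        "dr-site", "dr_operator", "tape-backup", "k2006-01") == k1
    results["audit_entries"] = len(vault.audit_log)
    return results
```

Every allow and deny decision lands in `audit_log`, which is the record an operator would consult to answer "who had which key, and when"; the partner never sees the domain's other keys because `grants` is checked per key, not per domain.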
The complete KeyVault appliance, including hardware and software, is priced from $25,000.