Storage network security options expand

By Lisa Coleman

Keeping data secure is a top priority for IT managers these days, and typical network security measures may not be enough.

Data stored on storage area networks (SANs) and network-attached storage (NAS) infrastructures needs ironclad protection from anyone who should not have access to it. New appliances are addressing these storage security requirements.

In the past, storage security has been synonymous with network security, but current network security measures fail to protect data, according to analysts.

Typically, networks are secured with intrusion detection systems and access controls, but because most security violations originate inside the enterprise, those measures fall short, says Michael Peterson, president of Strategic Research Corp., a Santa Barbara, CA, firm that specializes in data-center infrastructure analysis.

"Network security is like a two-legged stool: It fails all the time," says Peterson. "That's because 85% of security violations are internal. The third leg of the stool is storage security."

Peterson classifies storage security into three areas: encryption, management consoles, and "forensic" security. (Forensic technologies provide audit trails of storage changes and can profile and correct security violations.)

Today, a few companies are building storage security appliances based on encryption technologies, along with the management tools to run them.

Kasten Chase, which acquired encryption technology firm Karthika Technologies earlier this year, released its Assurency Secure Networked Storage Appliance for authenticating devices that attach to a SAN. While Kasten Chase is highlighting the advantages of authentication, it also offers data encryption.

The 2U appliance sits outside of the SAN fabric and uses a software agent to communicate with switches, host bus adapters (HBAs), and other SAN components.

The agent implements a stripped-down public-key infrastructure (PKI), the same certificate-based mechanism that has long been used to authenticate users and servers.

The agent hooks into the switch's API to decide whether two devices should be allowed to communicate. In essence, each device presents a digital certificate that the security appliance issued; the appliance manages and validates those certificates to authenticate the devices in the SAN. Only after both sides have been authenticated can the two devices communicate and move data.

Traditional PKIs are difficult to implement and are both expensive and cumbersome, explains Hari Venkatacharya, senior vice president of secure networked storage at Kasten Chase. For that reason, the company uses a stripped-down PKI to keep deployment simple.

"Our architecture authenticates devices, not people, and that's an important departure from how the PKI has been used so far," says Venkatacharya.
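The exchange described above, certificates issued and validated by the appliance so that only enrolled devices may talk, as an added example in Go; it is not Kasten Chase's code and does not reflect its actual protocol. The appliance acts as a private CA, enrolls a device by issuing a certificate that names its World Wide Name (WWN), and, when the switch asks whether a device may join, checks that the presented certificate chains to the appliance, names the WWN the device announces, and matches the key the device holds. Ed25519 keys, the certificate lifetimes, and the WWN values are assumptions made for the illustration; a real device would prove possession of its key by signing a challenge rather than exposing the key to the appliance as the in-process check here does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Appliance stands in for the security appliance: it owns the CA key and is the
// only issuer of device certificates (an assumed design, not Kasten Chase's own).
type Appliance struct {
	Key   ed25519.PrivateKey
	Cert  *x509.Certificate
	roots *x509.CertPool
}

// Device is a SAN component (HBA, switch port, array port) that announces a WWN.
type Device struct {
	WWN  string
	Key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// newCert generates an Ed25519 key for tmpl and has the appliance CA sign the
// certificate, or the new key itself (self-signed) when ca is nil.
func newCert(tmpl *x509.Certificate, ca *Appliance) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	parent, signer := tmpl, key
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewAppliance creates the appliance's own root CA (ten-year lifetime assumed).
func NewAppliance() (*Appliance, error) {
	key, cert, err := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "san-security-appliance"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &Appliance{Key: key, Cert: cert, roots: roots}, nil
}

// NewDevice gives a device a key and a certificate naming its WWN. With an appliance
// the CA signs it (enrollment); with nil the device signs its own, as a rogue would.
func NewDevice(a *Appliance, wwn string, serial int64) (*Device, error) {
	key, cert, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: wwn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // one-year lifetime assumed
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, a)
	if err != nil {
		return nil, err
	}
	return &Device{WWN: wwn, Key: key, Cert: cert}, nil
}

// Admit is the check the agent runs for each side of a proposed connection: the
// certificate must chain to the appliance CA, must name the WWN the device
// announces, and the device must hold the certified key. A real exchange proves
// the last point by signing a fresh challenge; here the device's key is local.
func (a *Appliance) Admit(d *Device) error {
	if _, err := d.Cert.Verify(x509.VerifyOptions{Roots: a.roots}); err != nil {
		return fmt.Errorf("%s: %w", d.WWN, err)
	}
	if cn := d.Cert.Subject.CommonName; cn != d.WWN {
		return fmt.Errorf("%s: certificate names %q instead", d.WWN, cn)
	}
	if pub, ok := d.Cert.PublicKey.(ed25519.PublicKey); !ok || !pub.Equal(d.Key.Public()) {
		return fmt.Errorf("%s: does not hold the certified key", d.WWN)
	}
	return nil
}
```

The agent admits a pair only when Admit succeeds for both sides. The rogue case is the one the article is about: a device that was never enrolled can present a certificate, but not one the appliance signed, so it is refused before it moves a frame; a device that copies another device's certificate without its key, or presents a valid certificate while announcing a different WWN, is refused for the same reason.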

After authentication, data is encrypted in the host by a PCI card, so it is never in the clear as it travels to and from the SAN. Encryption can also be applied selectively rather than to all data.

Kasten Chase's appliance is currently available for use with Linux and Solaris platforms.

Early next year, the company expects to release a version of its appliance that will work in NAS environments.

Redwood City, CA-based Decru is shipping its DataFort appliances for NAS and SAN encryption and authentication. The DataFort E440 for NAS sits inline between clients and NAS servers.

Files pass through the appliance, are encrypted there, and are stored in encrypted form. Clients are authenticated before they can access data.

The NAS security device has been tested for interoperability with NAS servers from BlueArc, EMC, IBM, Network Appliance, and Quantum, as well as other servers.

The DataFort FC440 for SANs likewise sits in the data path, authenticating devices and then encrypting the data they store.

The appliances, which connect to Fibre Channel switches, are synchronized and can be clustered (up to 16 nodes) for load balancing and fail-over.

The SAN security device has been tested for interoperability with disk arrays from EMC, Hewlett-Packard, IBM, and Sun, and with a variety of switches and HBAs.

Encryption is performed via hardware using the Decru storage encryption processor (SEP) chip, which performs full-duplex, multi-gigabit speed encryption. No software is loaded onto hosts, clients, or servers.

"The key to performance is that the SEP is custom hardware that does encryption very fast," says Dan Avida, CEO of Decru. "We use standard encryption algorithms that are optimized for storage, which means we don't slow down random access to data."
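Decru's point about random access, like the inline encryption of the E440 and FC440 above, comes down to encrypting each sector independently so that reading sector n never requires decrypting its neighbours. What follows is an added illustration in Go and not Decru's design (the article does not describe the SEP's mode of operation): AES-CTR with the sector number folded into the counter block, a stand-in disk that only ever holds ciphertext, and a check for the property this simple scheme gives up. The 512-byte sector size, the fixed key, and the sample sectors are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// SectorSize is the unit the appliance encrypts independently (512 bytes assumed).
const SectorSize = 512

// SectorCipher encrypts a block device one sector at a time. The counter block for
// sector n is derived from n alone, so sector n can be read or rewritten without
// touching its neighbours: random access stays random access. This is a generic
// illustration, not Decru's SEP design, which the article does not describe.
type SectorCipher struct {
	block cipher.Block
}

// NewSectorCipher accepts a 16-, 24- or 32-byte AES key.
func NewSectorCipher(key []byte) (*SectorCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &SectorCipher{block: block}, nil
}

// iv puts the sector number in the high 64 bits of the counter block and leaves the
// low 64 bits to CTR's in-sector counter (0..31 here), so sector keystreams never overlap.
func (s *SectorCipher) iv(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], sector)
	return iv
}

// Transform encrypts or decrypts exactly one sector (CTR is its own inverse).
func (s *SectorCipher) Transform(sector uint64, data []byte) ([]byte, error) {
	if len(data) != SectorSize {
		return nil, fmt.Errorf("sector %d: %d bytes, want %d", sector, len(data), SectorSize)
	}
	out := make([]byte, SectorSize)
	cipher.NewCTR(s.block, s.iv(sector)).XORKeyStream(out, data)
	return out, nil
}

// Disk is an in-memory stand-in for the array behind the appliance; it only holds ciphertext.
type Disk struct {
	sectors map[uint64][]byte
}

func NewDisk() *Disk { return &Disk{sectors: make(map[uint64][]byte)} }

// Write encrypts one sector and stores it.
func (d *Disk) Write(s *SectorCipher, sector uint64, plain []byte) error {
	ct, err := s.Transform(sector, plain)
	if err != nil {
		return err
	}
	d.sectors[sector] = ct
	return nil
}

// Read fetches and decrypts one sector; no other sector is touched.
func (d *Disk) Read(s *SectorCipher, sector uint64) ([]byte, error) {
	ct, ok := d.sectors[sector]
	if !ok {
		return nil, fmt.Errorf("sector %d never written", sector)
	}
	return s.Transform(sector, ct)
}

// KeystreamReuseLeak shows what a purely sector-derived IV gives up: rewriting a
// sector under the same key reuses its keystream, so c1 XOR c2 equals p1 XOR p2 and
// anyone with both versions of the disk learns the XOR of the two plaintexts.
// It returns true when that relation holds for every byte.
func KeystreamReuseLeak(s *SectorCipher, sector uint64, p1, p2 []byte) (bool, error) {
	c1, err := s.Transform(sector, p1)
	if err != nil {
		return false, err
	}
	c2, err := s.Transform(sector, p2)
	if err != nil {
		return false, err
	}
	for i := range c1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}

// SampleSector builds constructed plaintext: a sector filled with one byte value.
func SampleSector(fill byte) []byte { return bytes.Repeat([]byte{fill}, SectorSize) }
```

The last function is the practitioner's caveat. Deriving the IV only from the sector number means every rewrite of a sector reuses its keystream, so an attacker holding two snapshots of the disk learns the XOR of old and new contents, and CTR ciphertext can be flipped bit for bit without detection. Disk-encryption products address this with tweakable, non-expanding modes such as AES-XTS, which still provide no integrity, or with per-write nonces and authentication tags at the cost of extra space per sector; in each case the per-sector state stays small, which is what preserves the random-access property the quote above is describing.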

Another vendor preparing to ship a storage security product is NeoScale Systems. Its CryptoStor for Tape appliance is designed for policy-based encryption and authentication for networked, remote, and direct-attached tape and virtual tape systems. It operates as an inline appliance and integrates with backup appliances to offer data throughput in excess of 500Mbps, according to company officials.

CryptoStor for Tape is a 1U rack-mountable appliance that sits in front of tape subsystems with either 2Gbps Fibre Channel or SCSI LVD ports. It automates secure tape cataloging and provides a Web GUI wizard for installation, management, and policy definition; dynamic encryption options for unique, pooled, or shared media; and secure key and policy escrow with smart card and USB token support. Shipments are expected by year-end.

Separately, San Jose, CA-based Vormetric received $10 million in its second round of venture capital funding for its data security encryption product, which the company expects to announce early next year.



This article was originally published on November 01, 2002