By Heidi Biggar
Kasten Chase, a vendor of data encryption appliances for the storage market, recently extended the support of its Assurency SecureData appliance to content-addressable storage (CAS)-based data archives, citing potential security risks with this architecture.
Support for CAS is enabled via a server encryption driver (SED) option, which runs on the appliance and integrates with EMC’s Centera API. Although Kasten Chase intends to develop SEDs for other CAS platforms-including IBM’s DR450-initial support is for Centera only.
Kasten Chase is a member of the EMC Centera Partner Program. The Assurency SecureData appliance is not EMC-certified.
“It is our intention to support other CAS systems,” says Robert Drennan, product manager, Assurency SecureData, at Kasten Chase. “However, [EMC and IBM] are the crucial players in this market.”
CAS systems are also available from a variety of other vendors, such as Archivas, Hewlett-Packard, and Permabit. Other makers of storage security appliances include Decru, NeoScale, and Vormetric.
Of the available storage security appliances, Decru’s DataFort and Vormetric’s CoreGuard could also potentially be used to secure CAS data, according to Decru and Vormetric officials. However, NeoScale’s CryptoStor SAN VPN appliance works exclusively in a Fibre Channel SAN environment.
Neither Decru nor Vormetric has targeted the CAS market, reporting little interest in this type of support from their customer bases to date. Instead, both companies remain focused on shared storage (i.e., SAN or NAS) environments. Kasten Chase previously focused exclusively on backup security (tape and disk).
Decru’s appliance reportedly works with any CAS system that has an NFS or CIFS interface. This compares to Kasten Chase’s SED, which integrates directly with Centera’s API.
Explains Kasten Chase’s Drennan: “The problem is that CIFS and NFS do not provide a rich enough interface for applications to take advantage of what a CAS system can offer [e.g., its query capabilities]. Also, many applications [e.g., databases, e-mail, etc.] are not designed to write their data as files to an NFS or CIFS system. For this reason, EMC and IBM offer APIs for their CAS systems.”
All this security activity begs the question: How secure is CAS storage and is it any more or less secure than other storage platforms? According to Jon Oltsik, security analyst for the Enterprise Strategy Group (ESG), while the security risks of various environments differ, there is a need for security in most environments.
“Any data that is accessible is at risk if people who aren’t authorized get access to it,” Oltsik explains. “When tape cartridges are being moved, anyone can grab them. When data is online on disk-SAN, NAS, or CAS-it is a little more secure but there is still risk.”
Kasten Chase officials contend that, despite native security features such as hashing and authentication in CAS systems, data is still at risk because of the sheer volume of data being stored on these devices (in plain text) for extended periods of time.
“It’s not so much that data is leaving the data center [as it is with tape], but that there is so much more of it that has to be managed and held for longer periods of time,” says Drennan.
EMC officials say that although data is written to the Centera platform in plain text, the system’s content-derived naming technique, which generates unique content addresses for each object stored, provides a level of native security. “The content-derived name bears no resemblance whatsoever to the files it contains so [unauthorized users] wouldn’t even know what to look for,” explains Roy Sanford, vice president of content-addressable storage at EMC.
Sanford says the greater threat lies not with data stored on the devices but with data that is in transit to the device-and this applies to SAN and NAS environments as well. “If someone can ‘sniff’ packets as they go over the network, then [he/she] can steal your data-and that holds true for data on volumes in a RAID, NAS, or CAS environment.”
Sanford says that the topic of security is raised about equally in discussions about CAS, NAS, and SAN storage. “We hear about security in the context of CAS about as often as we hear about it with Clariion or Symmetrix arrays, which is [probably] as often as IBM hears about it with Shark or the DR450, or Network Appliance hears about with their filers.”
Some analysts expect storage security features, including the encryption services provided by Kasten Chase and others, to end up in the network on switches or in the storage devices themselves. “Ultimately, I think being in the data path is where security makes most sense,” says Phil Goodwin, president of the Diogenes Analytical Laboratories consulting firm.
Kasten Chase’s SecureData appliance encrypts all data-excluding the metadata that is left in clear text-that goes through the application server.
The CAS SED is priced at $1,950 per server.