Evaluating data encryption options

By Mark Ferelli

In May, the names and Social Security numbers of 26.5 million US veterans were stolen from a Veterans Affairs data analyst when his home computer was snatched during a burglary. Like many banks and other businesses that have suffered data losses that exposed people to identity theft, the Department of Veterans Affairs is likely to become something of a poster child for the irresponsible handling of data.


How do you prevent a trusted insider from doing something dangerous, as happened in the Veterans Affairs case? It is a problem that makes security officers lose sleep, because people represent one of the most challenging security management problems.

Opinions vary widely as to the best way to address security risks. Education, says one. Better technology, says another.

However, one of the fundamental tools for securing data, encryption, continues to be largely neglected. Rich Mogull, who covers information security for Gartner Research, points out that no encryption solution is light on the budget or free of performance impact on transactional or operational processes. But the availability, authorized or otherwise, of sensitive data demands protection, preferably before it is too late.

To adequately and cost-effectively address the security of data “at rest,” organizations must implement and manage a cryptographic strategy in a way that is suited to their infrastructure, their use of remote data handling, and their security policies. One of the key decisions from a technology point of view is whether encryption should be deployed in a software- or hardware-based solution.

Software-based encryption

Historically, software-based encryption has had an uneven reputation, mostly because of its performance cost and the CPU cycles it ties up. On the other hand, software-based encryption encrypts data at the source, leaving no window in which unencrypted (plaintext) data can be intercepted; with an appliance, plaintext must first travel to the appliance for encryption and key management before being sent on to the tape or disk destination.

Gartner’s Mogull points out that there is a performance hit in any encryption strategy and suggests that host-based software encryption is most appropriate in distributed computing environments.

Host-based encryption has a number of other advantages. According to Paul Giardina, vice president of marketing at Protegrity, a provider of data security management solutions in Stamford, CT, “Host-based software encryption delivers enterprise-class data control and enterprise-wide management visibility.” The advantages of putting encryption in the processing environment, according to Giardina, include the following:

Linear scalability: As processing power increases, encryption performance matches the processing load;

Central control and management: Software deployment and upgrades (and subsequent security policy enforcement and changes) simplify management, controlling operational and capital costs;

Freedom from box proliferation: Common encryption and control across a wide range of application environments eliminate the inefficiencies of multiple hardware point products and connectivity bottlenecks.

Matt Starr, CTO at Spectra Logic (which sells tape libraries with embedded encryption) points out the trade-offs of software-based encryption solutions: “With the speed of today’s CPUs, software-based encryption is becoming more viable when the bit count is kept small. The higher the bit count, such as that of AES-256, the more taxing software-based encryption is on the host CPU. But when users lower their bit count to AES-128, they not only lower calculation time, but they also lower their level of protection and security.”

Hardware-based encryption

Whereas the strengths and weaknesses of software-based encryption are reasonably intuitive, security-minded users have several hardware models to investigate. The algorithms, however, remain the same whichever strategy makes the most sense.

Spectra Logic’s Starr observes: “The algorithms for software- and hardware-based encryption are identical, whether it’s DES or AES. The difference is where the calculations take place. In software-based encryption, the mathematical portion runs as a parasitic task on top of the host CPU, which takes processor cycles away from other host-based applications. Hardware-based encryption uses dedicated microprocessors that offload all of the [encryption processing].” (Spectra Logic’s approach to encryption is based on a dedicated processor on a board within the storage hardware.)

An encryption appliance may be the odds-on favorite for users who want encryption, decryption, and key-management functions resident on, and permanently attached to, a dedicated platform. Dore Rosenblum, vice president of marketing at NeoScale Systems, explains the advantages of encryption appliances: “Appliances include custom hardware optimized for processing encryption and compression to deliver wire-speed performance. A software solution steals cycles from the server and can result in a 40% or more performance degradation. Appliances are deployed on the storage network and require no changes to the server hardware, operating system, or software, so management is centralized. Software encryption must be deployed on every server, and is dependent on the operating system, software patch levels, and server hardware, so management is distributed.”

California Credit Union seems to agree. The credit union, one of the largest in the US with assets topping $1 billion, took the encryption appliance approach with NeoScale’s CryptoStor Tape. Stanley Cadiente, vice president of information technology at CCU, saw the handwriting on the wall. “It was clear from continuing news reports that organizations that do not protect themselves with storage encryption are exposing their organizations to identity theft, legal liability, and compliance issues,” says Cadiente.

His team conducted research on storage security and ultimately selected an appliance-based approach “to secure tape media from malicious or accidental breaches.”

Transparency and ease of integration were key selection criteria for Cadiente’s team. “We chose CryptoStor over alternative solutions because it operates transparently and integrates seamlessly with our existing network infrastructure,” says Cadiente. “NeoScale was the only vendor that provided SCSI connectivity with secure key management between our data center and disaster-recovery site.”

The choice between software- and hardware-based encryption for disk or tape can be made on the basis of distributed versus centralized topology. Those who try to select based on price and performance may have a harder hill to climb, because there is no inexpensive approach to encryption, and performance hits are to be expected.

Those who prefer a software-based approach must commit to maintenance practices, especially in a decentralized environment. The decentralized structure poses its own security vulnerabilities because servers are sometimes misconfigured, or responsible parties do not keep up with the latest security patches.

The issue may well be moot one day. Some believe that data encryption technologies will become a commodity, an embedded security feature of disks, tape drives, and servers. But that day is not here yet. Meanwhile, data security, client and customer privacy, and identity theft still earn headlines as regulators look hungrily for culpability. If the law decides that the “burden of adequate precaution” entails data encryption, then companies that do not encrypt could lose much more than just data.

Mark Ferelli is a freelance writer. He can be contacted at mcferelli@yahoo.com.

Decru launches key-management appliance

By Ann Silverthorn

Addressing demand for scalable key management, Decru recently introduced a new key-management platform, the Lifetime Key Management (LKM) 3.0 Appliance. LKM debuted in mid-2003 as a software solution deployed on Decru’s DataFort storage security appliances. As an appliance, LKM can scale to handle more keys from multiple encryption appliances. (Decru is a Network Appliance company.)

“Previously we used the secure hardware in our DataFort appliances or clusters to provide the security environment for our software-based key management package,” says Kevin Brown, vice president of marketing for Decru. “Now we’re handling larger deployments with hundreds of nodes, and they need a fabric to manage their keys.”

Large enterprises face the challenge of operating proprietary key-management systems for many different legacy and newly acquired storage systems. Outsourcing adds another problem: banks, in particular, often outsource their printing, billing, and customer call centers. Further, when two companies merge, they have to consolidate disparate encryption methods, sometimes with legal implications, says Brown.

“If a judge tells a company that it has 48 hours to go back 10 years in the archives and pull data, companies have to be able to find the right key to the right data,” says Brown. “That’s a big risk, and if you want an idea of the cost of not producing data, go ask Morgan Stanley. It cost them $1.4 billion in the Sunbeam litigation.”

LKM is third-generation key-management software that is installed on a hardened appliance. Each appliance can handle 100 encryption appliances and more than 10 million keys with associated metadata and configuration data. Up to 16 appliances can be clustered to centrally manage up to 1,000 encryption devices. Each LKM appliance includes redundant hard drives, a cryptoprocessor, motherboard, and memory.

The LKM appliance is designed for FIPS 140-2 Level 3 physical security. It controls administrative access by two-factor authentication, role-based access controls, and smart-card quorum requirements for sensitive operations.

The appliance also automates key generation, replication, archiving, recovery, and sharing. It provides centralized key management across all DataFort encryption appliances and supports NAS, DAS, iSCSI SAN, Fibre Channel SAN, and tape environments.
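Brown’s point about finding the right key for the right data a decade later is, at bottom, a metadata problem: every encrypted record must carry a durable identifier for its key, and the registry must keep that key, together with a label and creation date, long after the key has been retired from new writes. The Go program below is an added illustration of that discipline; it is not Decru’s code and does not describe LKM’s on-disk format. The type and field names (KeyRecord, Registry, Label), the 4-byte key-ID header, and the sample record are this example’s own assumptions, and a real appliance would keep Material inside its cryptoprocessor rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

const hdrLen, nonceLen = 4, 12 // big-endian key ID prefix; standard AES-GCM nonce

// KeyRecord is a key plus the metadata needed to match it to archived data later
// (field names are this example's own, not Decru's schema).
type KeyRecord struct {
	ID       uint32
	Label    string // data set or tape pool the key protects
	Created  time.Time
	Retired  bool   // may still decrypt old data, never protects new data
	Material []byte // in an appliance this never leaves the cryptoprocessor
}

type Registry struct {
	next uint32
	keys map[uint32]*KeyRecord
}

func NewRegistry() *Registry { return &Registry{next: 1, keys: map[uint32]*KeyRecord{}} }

// Generate creates a fresh AES-256 key and records its metadata.
func (r *Registry) Generate(label string) (*KeyRecord, error) {
	material := make([]byte, 32)
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	rec := &KeyRecord{ID: r.next, Label: label, Created: time.Now().UTC(), Material: material}
	r.keys[rec.ID] = rec
	r.next++
	return rec, nil
}

// Retire blocks a key from protecting new data but keeps it for recovery.
func (r *Registry) Retire(id uint32) {
	if rec, ok := r.keys[id]; ok {
		rec.Retired = true
	}
}

func newAEAD(material []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(material)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts under key id and prefixes the blob with the key ID and nonce. The ID is
// also authenticated as associated data, so a blob relabelled with another key's ID fails.
func (r *Registry) Seal(id uint32, plaintext []byte) ([]byte, error) {
	rec, ok := r.keys[id]
	if !ok || rec.Retired {
		return nil, fmt.Errorf("key %d is unknown or retired; refusing to protect new data", id)
	}
	aead, err := newAEAD(rec.Material)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen+nonceLen)
	binary.BigEndian.PutUint32(hdr, id)
	if _, err := rand.Read(hdr[hdrLen:]); err != nil {
		return nil, err
	}
	return aead.Seal(hdr, hdr[hdrLen:], plaintext, hdr[:hdrLen]), nil
}

// Open finds the key named in the blob (retired keys still work); a missing key means the data is lost.
func (r *Registry) Open(blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+nonceLen {
		return nil, fmt.Errorf("blob too short to carry a key ID and nonce")
	}
	id := binary.BigEndian.Uint32(blob[:hdrLen])
	rec, ok := r.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %d not in registry: data cannot be recovered", id)
	}
	aead, err := newAEAD(rec.Material)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[hdrLen:hdrLen+nonceLen], blob[hdrLen+nonceLen:], blob[:hdrLen])
}

func main() {
	reg := NewRegistry()
	k1, _ := reg.Generate("2006-Q3 tape pool") // constructed label
	blob, _ := reg.Seal(k1.ID, []byte("constructed customer record"))
	reg.Retire(k1.ID)
	pt, err := reg.Open(blob)
	fmt.Printf("key %d (%s) still recovers archived data: %q, err=%v\n", k1.ID, k1.Label, pt, err)
	_, err = reg.Seal(k1.ID, []byte("new data"))
	fmt.Println("seal under retired key:", err)
}
```

Retire leaves a key usable by Open but not by Seal, which is the distinction that lets a ten-year-old archive be read without the key ever protecting new data. Because the key ID sits in the authenticated associated data, a blob whose header has been altered to name a different key fails authentication instead of decrypting to garbage, and a blob naming a key the registry no longer holds is reported as unrecoverable rather than silently mis-decrypted.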

Decru’s LKM appliance will be available in the third quarter. Pricing information was not available at press time.

This article was originally published on July 01, 2006