Recently launched data-protection appliances, such as the Decru DataFort and the similar NeoScale box, take an approach in which data is encrypted as it is written to NAS, SAN or tape storage. This puts an appliance in the data path between networked storage and the accessing servers and aims to protect shared data. It doesn't protect server-specific data files on locally-connected disk. An alternative approach aims to protect all stored data, whether it sits on SAN, NAS or DAS. It is called encrypting files 'at rest', rather than while they are on the move between servers and networked storage devices.

This approach starts from the premise that O/S access controls are not enough and is characterised by Vormetric and its CoreGuard 2.0 product. The company believes that perimeter security controls such as VPNs and firewalls are not enough either. The need to network chains of businesses, trading partners and customers is making network perimeters porous. That means companies need to combine encryption of stored data with finer-grained access controls.

So, Vormetric believes that you need encryption and access control combined but you can't cripple the server with encryption/decryption cycles, well, not too much anyway.

CoreGuard 2.0 supports Windows 2000, Linux and Solaris servers. HP-UX and AIX ones are out in the cold. There are two parts to the product. First is a PEM, or Policy Enforcement Module, described as an 'extremely thin software module', which sits between server applications and the file system. It traps and handles all file system access requests from applications. Next is a Security Server appliance (SSA), which carries out encryption/decryption for networked storage devices and holds the access control logic that the PEM consults to allow or disallow access to stored data. One SSA can support a large number of PEMs and is networked to the servers and their networked storage devices.

So far so good. The appliance can encrypt/decrypt data on networked storage, but the general and practical rule is that servers encrypt/decrypt their own directly-attached disk data and suffer the performance hit. That cost is intrinsic to the concept: if direct-attach disk data is to be encrypted, the local server has to do it, and there will be a performance hit.

PEM and SSA talk via direct, high-speed links. The metadata for a file (name, folder, etc.) is made available, meaning visible, to administrators so they can back up files and do other admin tasks on them. But, and this is unique to Vormetric, the file's data contents are encrypted and can't be seen. For administrators it means that entire files don't have to be decrypted and then encrypted again as they set backups and restores in motion.

This is in contrast to the general case in which admin staff have, say, Unix superuser privilege and can see and do anything. CoreGuard allows the main administrator to define layers of gradually reducing access, indeed to define access by file operation type, application type and other parameters, providing much finer-grained access control than basic operating system controls. Rogue lower-level administrators are better controlled in this environment.
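To make the PEM/SSA split and the "metadata in the clear, contents encrypted" property concrete, here is an added illustrative model, written for this article and not Vormetric's code. It assumes a policy keyed on principal, application and operation (the parameters the text names), a backup role that may copy the still-encrypted blob but never decrypt it, and uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for the appliance's real cipher.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the appliance's real block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


@dataclass(frozen=True)
class Rule:
    principal: str   # user or role, e.g. "alice", "backup", "root"
    app: str         # application name, or "*" for any application
    operation: str   # "read", "write", "metadata" or "raw_copy"
    allow: bool


class SecurityServer:
    """Model of the SSA: holds the keys and answers policy questions for the PEM."""

    def __init__(self, rules):
        self.enc_key = os.urandom(32)
        self.mac_key = os.urandom(32)
        self.rules = list(rules)

    def decide(self, principal: str, app: str, operation: str) -> bool:
        # First matching rule wins; anything not explicitly allowed is denied.
        for r in self.rules:
            if r.principal == principal and r.app in ("*", app) and r.operation == operation:
                return r.allow
        return False

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag            # 16-byte nonce + body + 32-byte tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return bytes(a ^ b for a, b in zip(body, _keystream(self.enc_key, nonce, len(body))))


class PermissionDenied(Exception):
    pass


@dataclass
class StoredFile:
    meta: dict    # cleartext: name, size, mtime (what an admin may see)
    blob: bytes   # encrypted contents only


class PolicyEnforcementModule:
    """Model of the PEM: every file operation is checked against the SSA before it proceeds."""

    def __init__(self, ssa: SecurityServer):
        self.ssa = ssa
        self.files = {}

    def _check(self, principal, app, op):
        if not self.ssa.decide(principal, app, op):
            raise PermissionDenied(f"{principal}/{app} may not {op}")

    def write(self, principal, app, path, data: bytes):
        self._check(principal, app, "write")
        meta = {"name": path.rsplit("/", 1)[-1], "size": len(data), "mtime": time.time()}
        self.files[path] = StoredFile(meta, self.ssa.encrypt(data))

    def read(self, principal, app, path) -> bytes:
        self._check(principal, app, "read")
        return self.ssa.decrypt(self.files[path].blob)

    def stat(self, principal, app, path) -> dict:
        self._check(principal, app, "metadata")
        return dict(self.files[path].meta)

    def raw_copy(self, principal, app, path) -> bytes:
        """Backup path: hand over the still-encrypted blob, never the plaintext."""
        self._check(principal, app, "raw_copy")
        return self.files[path].blob


def demo() -> dict:
    """Constructed scenario: a payroll app owns a file; backup and root see only metadata."""
    rules = [
        Rule("alice", "payroll", "write", True),
        Rule("alice", "payroll", "read", True),
        Rule("alice", "*", "metadata", True),
        Rule("backup", "tar", "metadata", True),
        Rule("backup", "tar", "raw_copy", True),
        Rule("root", "*", "metadata", True),   # superuser sees names, not contents
    ]
    pem = PolicyEnforcementModule(SecurityServer(rules))
    pem.write("alice", "payroll", "/data/salaries.csv", b"bob,90000\n")
    results = {"alice_read": pem.read("alice", "payroll", "/data/salaries.csv")}
    results["backup_meta_name"] = pem.stat("backup", "tar", "/data/salaries.csv")["name"]
    results["blob_len"] = len(pem.raw_copy("backup", "tar", "/data/salaries.csv"))
    denied = []
    for principal, app in [("root", "sh"), ("backup", "tar"), ("alice", "sh")]:
        try:
            pem.read(principal, app, "/data/salaries.csv")
        except PermissionDenied:
            denied.append(principal + "/" + app)
    results["denied"] = denied
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the text: the same user is allowed or denied by application as well as by identity (alice reading through `payroll` succeeds, through `sh` fails), and the backup role can move the file without ever holding a key. The first-match, default-deny rule evaluation is one reasonable way to order rules; the product's own evaluation order is not described here.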

The disadvantage is that data security administration itself becomes much more complex. There are more access control permutations to manage, especially in larger enterprises with thousands of staff, tens of administrators and hundreds of thousands of files. In these days of Sarbanes-Oxley, and looming monitoring of sensitive data storage access logs, this is unavoidable. Unless you offload all sensitive data from direct-attach disks, a server- and appliance-based encryption and access control package is necessary.

A detailed comparison would be needed to see whether CoreGuard or DataFort offers the finer access granularity. Certainly DataFort can't leave file metadata unencrypted while encrypting the data: it is an all-or-nothing encryption approach at the file level. However, DataFort can compress and decompress data destined for tape drives. The CoreGuard product does not do this.