Fortunately, encryption is supported in just about every OS. Unfortunately, it is still not widely deployed because implementation across different operating systems and storage architectures can be an administrative nightmare, entailing the coordination of developers, security and storage administrators, and end-users across all systems. A new security appliance from Decru provides a shortcut. The Decru DataFort protects both file-based and block-based storage networks with reliable data encryption, and it does so in a way that's transparent to both applications and users. The DataFort eliminates the need to adjust for different OSes and applications, and it offers a uniform, centralized security-administration environment. Add to that granular configuration options, and you have an encryption system that can be installed and managed with little effort and offers tools to easily close or open the security gates as needed.

For our review, Decru sent a DataFort E440 that encrypts data stored on Ethernet networks such as NAS (network attached storage) appliances or Linux, Unix, and Windows file shares. A different model, the DataFort FC440, provides similar functionality for Fibre-Channel-based storage networks. Along with the DataFort E440, Decru also sent us a Windows 2000 server, configured as PDC (primary domain controller), which played the double role of file server and management station for the DataFort.

Triple DES
The E440 is a 1U, rack-mountable unit enclosed in a tamper-resistant chassis that includes sensors to detect intrusion attempts; forcing the case open will render the unit inoperable, although each redundant power-supply unit can be removed without affecting operations. Decru provides its own hardened OS that supports 3DES (triple data encryption standard) or AES (advanced encryption standard) encryption with 128- or 256-bit keys. The E440 acts as a storage proxy that sits between clients and servers, connected via Gigabit Ethernet or standard Ethernet, intercepting and encrypting or decrypting data on the fly. To improve performance, encryption and decryption of data exchanged between servers and clients in the storage network is handled by a dedicated processor.

After setting the IP configuration via serial connection or from the unit's control panel, the E440 can be managed from a Windows PC via a secure browser connection. Appropriately, the DataFort requires smart cards to authenticate administrative access to the E440 and to the management station, which provides much greater security than simply typing a user ID and password. Moreover, removing the smart card from the E440's built-in reader prevents configuration changes while still allowing users access to their shares. Similarly, removing the smart card from the management station's reader prevents logging in to the E440 management software. Therefore, any change to the security settings of the system requires two distinct authentication keys. Security auditors will love it.

Understandably, an important configuration step is creating smart cards for operators and administrators. Decru facilitates that process with an easy-to-follow, step-by-step wizard that also creates a configuration database (including users, administrators, encryption keys, network domains, IP addresses, etc.) and a set of recovery cards to be used, for instance, to rebuild a corrupted configuration file or to replace a lost or damaged card.

After setting the configuration, the next logical steps are to add the domain controllers, users, and shares to be managed by the E440. From the management station we pointed our browser to the DataFort and logged in (using the admin smart card), gaining access to the terse menu of the DataFort administration GUI. Adding a new file server or NAS appliance to the DataFort's domain is a simple matter of choosing the menu option and typing in the name of the server, but before adding users and shares you'll need to do some planning. The DataFort supports transparent user access via standard Unix or Windows ACLs, or you can create dedicated user IDs and passwords. The second approach involves more work, but it has the advantage of separating system and security administration duties. Assigning an existing network share to the DataFort for encryption is a quick point-and-click process in which you simply select the server, select the share, and activate encryption. From then on, any files created or modified in that share will be seamlessly encrypted.

Because the DataFort does not automatically encrypt old files on a secured share, pre-existing files will remain in clear text until users update them. Decru suggests an effective, if onerous, solution: creating a new share, activating the encryption for that share from the management console, then moving or copying the content from the old shared folder into the new share, a process that will also encrypt those files. If you have hundreds of shares, this could involve significant downtime and exposure to trivial errors. We would like to see an automated, background process for encrypting existing files in future versions.

To add the new share, once our DataFort was configured, we moved to a client PC, logged in to the domain, and clicked "My network places" from the Windows desktop. It's important to understand that, although the physical location of each share is unchanged, users will see encrypted shares as hosted on the DataFort rather than on the original server or appliance. In our case the UNC (Universal Naming Convention) string to access the share changed from \\server\sharename to \\DataFort\sharename. We chose "Add network place," typed in the UNC to access the new shares, and were able to edit existing files and create new ones without any problem.

To simulate an intruder, we opened a share using the \\server\sharename path, in fact bypassing the DataFort. We opened a text file using Notepad only to display a meaningless sequence of characters: the DataFort encryption was truly protecting our data from prying eyes. In this case, our simulated intruder was able to see the actual filenames, but for added protection the DataFort can be configured to encrypt the name of the files in a protected folder in addition to their content.

The Decru DataFort E440 won't make your networked storage more impervious to break-ins. But its fast encryption engine will effectively mask your sensitive business data with a nonsensical jumble that will defeat intrusions when they occur.
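As an added illustration of the write-time behaviour the review describes (this is not Decru's code and does not claim to be the DataFort's real on-disk format), the Go program below models an in-line encrypting proxy over a constructed backing store: files written through the proxy reach the server only as ciphertext, while a file that was already on the share stays in the clear and is rejected when read back through the proxy, which is why the copy-into-a-new-share migration is needed. AES-GCM and the nonce-prefix layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Share stands in for a file server's backing store (constructed): file name -> bytes.
type Share map[string][]byte

// Proxy models an in-line storage encryptor (AES-GCM is an assumption; the review names
// 3DES and AES, not the mode). Data is transformed only on write, so a file that existed
// before encryption was switched on stays in the clear until rewritten through the proxy.
type Proxy struct {
	aead  cipher.AEAD
	store Share
}

func NewProxy(key []byte, store Share) (*Proxy, error) {
	block, err := aes.NewCipher(key) // 16 or 32 bytes: AES-128 or AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Proxy{aead: aead, store: store}, nil
}

// Write is the client path (\\DataFort\share). On disk: nonce || ciphertext || GCM tag.
func (p *Proxy) Write(name string, plaintext []byte) error {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p.store[name] = p.aead.Seal(nonce, nonce, plaintext, nil)
	return nil
}

// Read decrypts through the proxy; pre-existing cleartext or tampered data fails authentication.
func (p *Proxy) Read(name string) ([]byte, error) {
	raw, ok := p.store[name]
	if ns := p.aead.NonceSize(); ok && len(raw) >= ns {
		return p.aead.Open(nil, raw[:ns], raw[ns:], nil)
	}
	return nil, errors.New("not a proxy-encrypted object: " + name)
}
```

Copying each pre-existing file through Write into a fresh Share reproduces the migration step the review recommends; indexing the backing Share directly reproduces the \\server\sharename bypass test.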
