Encrypting data on storage devices is an interesting idea. Typically, an application on a server will encrypt data before it is written to disk or tape. The data then has to be decrypted when it is read from the storage media before it can be accessed by an application or user. Server-based encryption ensures that sensitive data is protected against prying eyes. The downside is that server CPU cycles are used and file read/write time is longer.
This means that such encryption is only used where the data absolutely has to be stored securely. There are occasions where it would be very useful to have data stored securely but not at the expense of slow data access speeds. Storage encryption devices are appearing, amongst which is the newly-announced DataFort Security Appliance from Decru.
NeoScale Systems has recently launched its CryptoStor for Tape, an appliance that can authenticate, encrypt and compress data on tape libraries and virtual tape systems. NeoScale's CryptoStor FC supplies wire-speed encryption for Fibre Channel-attached devices.
Decru is a San Francisco-based start-up company, founded in 2001, that has devised a wire-speed Secure Encryption Processor built from proprietary ASICs. The DataFort acts as a proxy: it sits in front of storage devices on a network and encrypts the data streaming through it on its way to the storage media, and it decrypts data returned by the storage media in response to a read request. It adds less than 200 microseconds to the read or write time of a database record or other file transaction, and it operates in full duplex mode.
Decru has extra functionality for writing to tape devices. The Decru unit compresses data destined for tape and then encrypts it, since properly encrypted data is effectively random and will not compress. Naturally, a tape restore operation decrypts the data and then decompresses it. Tape support means that encrypted tapes can be carried between sites or sent to customers or partners more safely. The NeoScale device also compresses and decompresses data for tape and is transparent to backup software.
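The ordering the article describes (compress, then encrypt, and the reverse on restore) is easy to see in code. The following is an added illustration, not Decru's or NeoScale's code: the Python standard library has no AES, so the "encrypt" step is a keystream derived with HMAC-SHA256 in counter mode standing in for the appliance's AES, and the sample record, key and nonce are constructed here. It measures what happens if the two steps are done in the wrong order.

```python
"""Compress-then-encrypt versus encrypt-then-compress for a tape write."""
import hashlib
import hmac
import zlib

# Constructed demonstration values; a real appliance keeps keys in hardware.
KEY = bytes(range(32))
NONCE = b"\x00" * 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom bytes from HMAC-SHA256(key, nonce || counter).

    This is a stand-in for AES in counter mode, used only because the
    standard library ships no block cipher; the ordering lesson is the same.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream. The nonce must never repeat per key."""
    ks = _keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def tape_write(key: bytes, nonce: bytes, record: bytes) -> bytes:
    """Appliance write path: compress first, then encrypt the small result."""
    return encrypt(key, nonce, zlib.compress(record, 9))


def tape_restore(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Restore path: decrypt first, then decompress."""
    return zlib.decompress(decrypt(key, nonce, blob))


def compare_orderings(key: bytes, nonce: bytes, record: bytes) -> dict:
    """Return the byte counts produced by each ordering of the two steps."""
    compress_then_encrypt = tape_write(key, nonce, record)
    # Wrong order: the ciphertext has no redundancy left for zlib to exploit,
    # so this comes out slightly larger than the plaintext.
    encrypt_then_compress = zlib.compress(encrypt(key, nonce, record), 9)
    return {
        "plain": len(record),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


# Constructed sample: a repetitive export record of the kind backups are full of.
SAMPLE_RECORD = b"".join(
    f"{i:06d},ACME Widgets,invoice,EUR,paid\n".encode() for i in range(200)
)

if __name__ == "__main__":
    sizes = compare_orderings(KEY, NONCE, SAMPLE_RECORD)
    print(sizes)
    assert tape_restore(KEY, NONCE, tape_write(KEY, NONCE, SAMPLE_RECORD)) == SAMPLE_RECORD
```

The keystream construction is deterministic for a given key and nonce, so the restore path reproduces the original record; reusing a nonce under the same key would leak the XOR of two records, which is why the write path must take a fresh nonce per tape block.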
The DataFort FC520 for SANs is a 2U rack unit, fully fault-tolerant, and can be supplied in a cluster configuration for around £50,000. It uses 2Gbit/s Fibre Channel to link to storage devices and to servers; 1Gbit/s Ethernet can be used for the server links instead. The military-grade encryption is FIPS-compliant (FIPS 140-2 Level 3) and combines 256-bit AES encryption keys with multi-level authentication, secure logging and access controls. CIFS and NFS support means that either Windows or Unix servers can use the device. There is support for Microsoft's Active Directory and LDAP.
The CryptoStor FC is FIPS 140-2 Level 2 compliant and uses triple-DES or AES encryption at the block level. Like the DataFort it has redundant fans and power supplies and support for clustered fail-over pairs.
The DataFort offers centralised access control and authentication for DAS, NAS and SAN environments. Once storage has been consolidated in a NAS or SAN, it makes sense to control access centrally rather than manage each server's users separately, which is both laborious and error-prone. The DataFort appliance carries out all authentications and manages all the access control lists (ACLs), so a server is denied access unless it is covered by an ACL and presents valid authentication credentials. The approach both simplifies management and increases access security. All accesses are logged.
Unix system managers get the same granular access controls that Windows system managers are used to. Access rights can be based on user accounts, IP addresses, IP ranges and groups. Logical security vaults, called Cryptainers, can be set up on the storage media; each has its own access controls, for finer-grained control, and is encrypted with its own individual key. There can be more than one Cryptainer on a disk. Each one appears as an NFS export or CIFS share in a file-server NAS environment, or as a separate LUN in a SAN environment. Administrators decide what data is stored in each Cryptainer and control access to each one individually, so they can define different levels of security for different types of data, for example product development code, financial records and customer records.
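A small model makes the Cryptainer idea concrete: one central gatekeeper, deny by default, a separate key per container, access rules on users, groups and IP ranges, and a log line for every decision. This is an added illustration, not Decru's code; the rule semantics (a principal match and a network match are both required), the HMAC-SHA256 key derivation from a constructed master key, and the three example containers are assumptions drawn from the article's description.

```python
"""Per-Cryptainer access control with central authentication and logging."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed demonstration value; an appliance keeps this inside hardware.
MASTER_KEY = bytes.fromhex("11" * 32)


@dataclass
class Cryptainer:
    """One logical vault: its own ACL and its own encryption key."""
    name: str
    allowed_users: set = field(default_factory=set)
    allowed_groups: set = field(default_factory=set)
    allowed_networks: list = field(default_factory=list)  # ip_network objects

    def key(self) -> bytes:
        # Assumed derivation: each container's key is bound to its name, so
        # compromise of one key says nothing about the others.
        label = b"cryptainer:" + self.name.encode()
        return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()

    def permits(self, user: str, groups: set, src_ip: str) -> bool:
        """Both an identity rule and a network rule must match."""
        try:
            ip = ipaddress.ip_address(src_ip)
        except ValueError:
            return False  # malformed address: treat as untrusted
        identity_ok = user in self.allowed_users or bool(groups & self.allowed_groups)
        network_ok = any(ip in net for net in self.allowed_networks)
        return identity_ok and network_ok


class StorageGateway:
    """The appliance role: authenticate, consult the ACL, log, hand out the key."""

    def __init__(self) -> None:
        self.cryptainers: dict = {}
        self.audit_log: list = []

    def add(self, container: Cryptainer) -> None:
        self.cryptainers[container.name] = container

    def access(self, user: str, groups, src_ip: str, name: str):
        """Return the container key on ALLOW, None on DENY; always log."""
        container = self.cryptainers.get(name)
        allowed = container is not None and container.permits(user, set(groups), src_ip)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} user={user} ip={src_ip} cryptainer={name}")
        return container.key() if allowed else None


def build_demo_gateway() -> StorageGateway:
    """Three containers matching the article's example data classes (constructed rules)."""
    gw = StorageGateway()
    gw.add(Cryptainer("product-code", allowed_groups={"dev"},
                      allowed_networks=[ipaddress.ip_network("10.2.0.0/16")]))
    gw.add(Cryptainer("financial-records", allowed_groups={"finance"},
                      allowed_networks=[ipaddress.ip_network("10.1.0.0/16")]))
    gw.add(Cryptainer("customer-records", allowed_users={"carol"},
                      allowed_networks=[ipaddress.ip_network("10.3.0.0/24")]))
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    gw.access("alice", ["finance"], "10.1.2.3", "financial-records")
    gw.access("alice", ["finance"], "192.0.2.9", "financial-records")
    gw.access("bob", ["dev"], "10.2.0.7", "product-code")
    gw.access("bob", ["dev"], "10.2.0.7", "financial-records")
    print("\n".join(gw.audit_log))
```

The point to notice is that the server never sees the master key and never evaluates the ACL itself; the gateway returns a container-specific key only after the central check passes, and a request for a container that does not exist is logged as a denial rather than raising an error.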
The DataFort E510 secures NAS storage. Both it and the FC520 are iSCSI-capable but actual support for iSCSI is unlikely to be announced until mid-2004.
Applications include the storage of sensitive government data, health records, commercially sensitive data and hosting operations where different customers' data is stored on just one shared set of disks or tape. The first European installation is with AGSM, an Italian telco working on an Italian E-government project in Verona.
These storage encryption appliances are storage firewalls. By combining central, highly granular access controls with wire-speed encryption, such security appliances increase the security of data stored inside a general firewall and VPN perimeter. Some 50-80 percent of security breaches are internal, according to the FBI and industry researchers. Affordable and transparent storage security appliances like these should help to lower that percentage significantly.