The Kazeon appliance cannot scan direct-attached storage, by the way. It's an out-of-band appliance and doesn't need any agent software on servers or desktops accessing networked file storage. Appliance nodes can be clustered to scale up. The first full scan of a file estate is lengthy because every file is examined. Subsequent scans are much faster as only new files are checked, just like an incremental back-up. The scan interval is adjustable so that you can set your own window of exposure. The scan software can scan NetApp snapshots. Although it can scan Decru-encrypted files, it can't scan other encrypted files.

One of my takes on this is that the Kazeon appliance can be used to scan a file estate in order to identify files that can be moved to secondary storage. After all, the Information Server scans files and assigns metadata tags to them. These tags can then be used to see if storage policies apply to files marked with particular tags, such as 'contains VISA card number'.

So they could be used to indicate files that can be migrated to secondary (meaning cheaper) storage.
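The scan, tag and policy flow described above can be sketched as follows. This is an added illustration, not Kazeon's code or method: the tag-to-action policy, the action names and the Luhn-checked 16-digit pattern are assumptions, and the incremental pass goes slightly beyond the text by re-reading changed files as well as new ones.

```python
import os
import re

# Assumed tag and policy names, for illustration only.
CARD_TAG = "contains VISA card number"
POLICY = {CARD_TAG: "keep-on-primary"}       # tag -> storage action
DEFAULT_ACTION = "migrate-to-secondary"

# 16 digits starting with 4, optionally grouped in fours by space or hyphen.
CARD_RE = re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b")

def luhn_ok(digits):
    """Luhn checksum, to discard 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the set of metadata tags that apply to a file's text."""
    hits = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return {CARD_TAG} if any(luhn_ok(h) for h in hits) else set()

def scan(root, index):
    """Tag files under root; skip files unchanged since the previous pass.

    index maps path -> ((mtime_ns, size), tags) and persists between passes.
    Returns the paths actually read this pass.
    """
    examined = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            sig = (st.st_mtime_ns, st.st_size)
            if index.get(path, (None,))[0] == sig:
                continue                      # unchanged: incremental skip
            with open(path, "r", errors="replace") as fh:
                index[path] = (sig, classify(fh.read()))
            examined.append(path)
    return sorted(examined)

def actions(index):
    """Apply the storage policy to every indexed file."""
    return {path: next((POLICY[t] for t in tags if t in POLICY), DEFAULT_ACTION)
            for path, (_sig, tags) in index.items()}
```

Encrypted files that the scanner cannot read would never receive a tag under this scheme, so a real policy should treat unreadable files separately rather than letting them fall through to the default action.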


Decru's DataFort appliances encrypt data going to storage on disk or tape. Chris Gale, Decru country manager for N Europe, said, in effect, that the only surefire way to protect data at rest from theft and inadvertent disclosure is to encrypt it and look after the keys properly. We can't argue with that.

He said that general perimeter security - firewalls and the like - is ineffective. Many data breaches happen because bad people get through the perimeter or are already inside. My take on this is that what is needed is an inner perimeter for sensitive data, and a ring of Decru appliances provides it, with all the data inside the ring encrypted.

Running the encryption on a wire-speed appliance avoids the application latency incurred when encryption is done on the host. A networked appliance approach is better than an encrypting device - tape or disk drive - because you get better key management across the enterprise. Encrypted data is stored in so-called cryptainers on disk, and these are transparent to applications.

DataForts can be clustered for resiliency and connected across WAN links. You can replicate, for example, encrypted data across a WAN for business continuity and have a DataFort at the other end of the link decrypt data if needed. DataForts encrypt data or not according to the data's destination: directories for files; LUNs for blocks. Decru is not application- or user-aware except in the indirect sense that applications use specific LUNs or directories.

Like Kazeon, Decru is stumped with direct-access storage and can't cope. My take on this is that, if you are going to store sensitive data on your local hard drive and your PC/laptop does not have bullet-proof security preventing unauthorised access, then you really shouldn't store the sensitive data on it. Unprotected direct access storage is inherently insecure.

Data management services

What NetApp is doing here is offering extra data management services on top of its file and block storage. These services are encryption, and indexing and classification, and these are offered by appliances in the network between NetApp's storage (or other suppliers' storage) and the accessing servers.

Other data management services, such as data protecting snapshots, and NFS/CIFS access services, are carried out by NetApp products directly, in FAS storage controllers for example, by ONTAP, NetApp's operating system. The appliance-based approach to data management services provides for heterogeneous storage array supply. The storage controller approach generally does not. The combination of the two approaches enables NetApp to offer better data protection and security facilities to its customers.

Part 1 of this feature