Everything is getting encrypted, or it is heading that way. That's the feeling you get after talking to Henk Jan Spanjaard, Decru's boss in Europe (MD EMEA). He also thinks device-level encryption is inflexible for enterprises but good for notebooks. Techworld talked to Henk about encryption and Decru.
He looked happy - and why not? Every reported instance from the US of potential identity theft due to lost or stolen tapes and lap tops just means there is less marketing he has to do. Soon, too, publicly reporting such data loss may be a legal requirement on European companies too. Oh, happy days for Decru, and for owner Network Appliance.
Decru is a separately-managed subsidiary of Network Appliance. Interestingly the CIA appears to have been involved in its inception. One Venture Capital backer was Incutel which is associated with the CIA (also here).
TW: What information in an enterprise should be encrypted?
HJS: It depends upon the enterprise. Banks might encrypt the account details of important customers, or they might encrypt such details for all customers, or they might encrypt all data that goes off site. That's both across a network and by physically-carried media. Basically it's information that could damage or embarrass you if revealed.
TW: Wouldn't it be simpler to encrypt everything and rely on applications and users having the keys to justify access?
HJS: That's what we typically do. Most customers actually do this.
Henk explained that customers will often start with one or two point encryption locations in their networked infrastructure and then gradually increase the encryption sphere so that it encompasses more and more of their data.
Decru provides encrypting appliances that sit between application servers and storage devices.
TW: Doesn't it make more sense to have encryption at the drive level?
HJS: Device-level encryption is too inflexible. Suppose your encrypting disk drive or tape drive crashes? You have to do a full fork lift upgrade. You are also locked into the encrypting device supplier.
Tape drive encryption also has an enormous performance impact. Our Decru appliance has specialised hardware. Tape vendors use off-the-shelf hardware standard software. Encrypting disk drives will also have a performance impact and their encryption is probably very simplistic. I don't believe it's at the Decru level.
There's no free lunch in encryption, there's always a hit somewhere. Seagate disk-level encryption is okay for a single person or a notebook but in an enterprise it has to be wirespeed.
TW: Isn't having encryption appliances a stop-gap solution to the insecure data problem with the long-term solution being encryption embedded within the storage infrastructure elements?
HJS: Yes, that's right and it's why we have clustered systems. There can be local clusters or remote clusters with keys copied between them. What becomes really important is to have an open key management system. We're the only supplier with this. We used to have our proprietary LKM (Lifetime Key Management) key management system. Now we have Open LKM. Suppliers who have joined include Symantec and FileNet.
HJS: Not yet. I wouldn't be surprised though.
TW: What about encryption in drive array controllers?
HJS: No, it's very inflexible. It would be loaded into firmware and it restricts choice in the future. It's better on a separate point of intelligence.
TW: What about the coming EU regulations would mandate that businesses will have to reveal data loss episodes as they do in the USA now.
HJS: I think it's wonderful for me on a personal level. The US has done it by state and is now rolling it out at federal level. If I am a customer of a bank and it loses my credit card details I want to hear about it. You do in the US. You don't in Europe.
TW: Are European companies more willing to talk about encryption now?
HJS: It's to do with US legislation and events. We sell to a lot of banks. US banks have branches in Europe and they roll encryption out here. European banks follow suit. Oil companies typically encrypt their seismic data. Car manufacturers encrypt their designs. They see it in the US and want to follow in Europe.
We're about 18 months behind the USA. The UK is a big market for Decru.
TW: Do you compete much with DIS UK?
HJS: I don't see them, not at our level.
Henk wouldn't budge from the proposition that Decru appliances, clustered or not, are the best way to add encryption to an infrastructure. He said that encrypting disk drives is useful for laptop computers but encrypting tape drives and encrypting hard drives are not a good idea for enterprise systems.
Encrypting disk drives has a performance hit as well. Just as encrypting drives is viewed by him as inflexible and wrong the idea of encrypting drive array controllers is also inflexible, locking you into the drive array supplier.
His pitch seems to be that, if you are going to encrypt your infrastructure, you need encrypting appliances linked together and embedded in the networks between servers and storage. The best such appliances, Decru declares, are Decru DataForts. QEDecru.