HP has announced a hardened and clustered Secure Key Manager (SKM) appliance, but this is no Decru DataFort. Interestingly it has a distant key management API relationship with the DataFort but represents a different class of device.

The DataFort is an in-band appliance that sits in a data network and encrypts/decrypts data passing between hosts and storage devices. HP's SKM is an out-of-band key management system that serves up keys to requesting storage devices that do their own encryption.

According to Bob Wilson, HP's VP for nearline storage, which includes tape products, SKM is a totally-dedicated appliance running on a tight Unix kernel with two mirrored serial-attached SCSI (SAS) disks. These are quite small but fast disks. Encryption keys don't take up much space and that's all that's stored on the disks, apart from the system software. The cabinet is locked and has a tamper-visible coating that shows if someone has been manhandling it. It comes clusterable so that one machine in an SKM pair can automatically take over if the heartbeat from the other fails to beat.

There can be a remote third machine in the cluster as well to provide a DR capability, and the disk contents of an SKM appliance can be backed up to provide security layer number three. Remember, stored encryption keys represent data that you never, ever - ever - want to lose.

How it works is like this: an encrypting LTO4 tape drive gets a piece of media inserted in it. The drive sends the media marker ID string to the SKM. It does a look up and returns a key which is then used for encryption or decryption. There is a protocol used for this transaction and this protocol must become standardised for enterprise-wide security management to be possible.
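As an added illustration of the lookup just described (this is constructed example code, not HP's SKM software; the class name, media IDs and backup format are assumptions), the model below serves a per-cartridge key on request, creates one the first time a media ID is seen, and shows why the backup copy matters: a manager that has lost its store cannot return the key at all.

```python
import os
import json
import base64
from typing import Dict, Optional


class SecureKeyManager:
    """Constructed model of an out-of-band key manager.

    The drive sends the media marker ID; the manager looks it up and
    returns the key that cartridge is encrypted with, generating a
    fresh random key on first use (hypothetical behaviour, assumed here).
    """

    KEY_BYTES = 32  # 256-bit key, sized for the AES-256 used by LTO4 drives

    def __init__(self, store: Optional[Dict[str, bytes]] = None):
        self._keys: Dict[str, bytes] = dict(store or {})
        self.audit = []  # (media_id, outcome) pairs, one per request

    def key_for_media(self, media_id: str, create: bool = True) -> Optional[bytes]:
        """Return the key for media_id; create one if unknown and allowed."""
        key = self._keys.get(media_id)
        outcome = "found"
        if key is None:
            if create:
                key = os.urandom(self.KEY_BYTES)
                self._keys[media_id] = key
                outcome = "created"
            else:
                outcome = "missing"  # key lost or never issued: data unreadable
        self.audit.append((media_id, outcome))
        return key

    def export_backup(self) -> str:
        """Serialise the key store (the 'third layer' backup).

        A real appliance would wrap this under a backup key; the
        constructed model leaves it as base64 so the round trip is visible.
        """
        return json.dumps({m: base64.b64encode(k).decode() for m, k in self._keys.items()})

    @classmethod
    def from_backup(cls, blob: str) -> "SecureKeyManager":
        """Rebuild a manager from an exported backup, e.g. on a DR node."""
        return cls({m: base64.b64decode(k) for m, k in json.loads(blob).items()})
```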

The idea is that virtually every storage device will have its own encrypting capability. These devices will apply to a key management system for keys to be issued to them. For there to be a market in heterogeneous key management systems, any key management system must be able to talk via a standard protocol to any encrypting device.

I triple E

Blair Semple, a security evangelist at NetApp, says that IEEE has initiatives, meaning working groups, relating to storage security. These are:-

- IEEE 1619.0 relates to disk security,
- IEEE 1619.1 relates to tape security,
- IEEE 1619.2 relates to securing big blocks on disk,
- IEEE 1619.3 relates to key management.

Semple says that 1619.3 is much earlier along in the standards process than the disk and tape device focussed standards. NetApp sits on all these committees and submitted the API, jointly with HP, from the Decru DataFort's Lifetime Key Management product, the Open Key API, as technology to be used for the 1619.3 protocol. He said the: "spec is approved and is the foundation for 1619.3."

"We have a number of vendors building Open Key APIs into their product: Symantec; Quantum; and others. Quantum knows it can't generate, store and manage keys (with its own self-built technology)." He intimated that, as HP jointly submitted the Open Key API with NetApp, then it wouldn't be too surprising if HP built the Open Key API into its key management product.

HP's Wilson recalls things a little differently: "NetApp submitted Open Key proposals to HP. We gave specific and detailed feedback about what we thought needed to be in the protocol. They (NetApp) submitted it. It's in discussion mode and hasn't been voted on."

"NetApp's protocol was one of many and the one that was furthest along. Our concern is that the protocol should be complete and robust." HP did not want to own the protocol in any way.

Wilson also said that HP wasn't convinced IEEE was necessarily the right standards body to create an enterprise-wide storage security standard and was evaluating other possible approaches.

NetApp and Decru

Decru's role is changing at NetApp. Semple said: "We're diminishing the use of the name Decru. Integration is now getting underway. There's already been integration at the field sales level. Decru is now referred to as the Storage Security business unit (SSBU) and there is a new general manager for it; Tim Russell. He only runs that BU." Previous NetApp people in charge of Decru had other responsibilities as well.

Russell will: "formulate and articulate a storage strategy throughout NetApp." The company is looking at a holistic approach. Encryption is just one aspect of security, with authentication, role-based access and other aspects as well, and different companies need a different mix of specific security products. Semple said: "The appliance model (meaning Decru) is heterogeneous, which is good, but it is becoming (just) part of the security armoury."

Russell has to answer questions such as where does it make sense to secure the data and what to do about key management.

Encrypting NetApp products

It seems apparent that NetApp will add encryption facilities into its drive-array-based products. The Decru DataFort board is a PCI card and it could be slotted into the intelligent controller enclosures that run NetApp's various drive array products. Then ONTAP, NetApp's storage O/S, would need to know whether to encrypt/decrypt array data or not. It would apply to a key management system for keys and, possibly, to Active Directory or an ACL-based system to find out if encryption was necessary for the file or blocks in question.

Unless there is an industry-standard protocol for encrypting devices to talk to key management systems, NetApp could find its storage arrays frozen out of enterprises that use a key management API unsupported by NetApp. Hence NetApp, and other storage vendors, have a real strong interest in an open key API standard emerging.

Whether NetApp will sell its own key management system is another question, but, since it submitted the Open Key API to IEEE, the omens look good.

HP's encrypting background

Wilson explained that HP actually has quite a heritage in encryption technology. The story goes like this: once upon a time there was an encryption technology company called Atalla. It built a PIN key for ATMs (automatic teller machines). Tandem found itself selling its Non-Stop systems to companies building ATM networks and saw the Atalla technology was good. So it bought the company and gained an 80 percent share of ATM networks using PIN encryption technology. Tandem was bought by HP and so it now has the Atalla encryption technology heritage.