Stored data is a huge potential security risk, according to storage specialist Decru, which this week has announced a new family of encryption appliances.

"The statistics say that 50 percent to 80 percent of attacks come from inside, and at any time 98 percent of your data is at rest, yet most systems were developed to protect data while it's on the move," says technical director Steve Willson.

Decru's three DataFort products will, however, transparently encrypt data on NAS servers, SANs or backup tapes, while offloading all encryption and management tasks from the host servers, he claimed.

The devices use 256-bit AES ciphers, which Willson says are far more powerful than the default encryption used by Microsoft to hide the contents of files. Integrated key management then provides critical extra security controllable by system administrators.

DataFort works by setting up a virtual IP address for secure volumes and encrypting or decrypting their contents as needed. Willson admits that data could still be intercepted while travelling from DataFort to the user, but says this is a lot harder than going straight to the fileserver.

Many organisations have realised that their backup tapes are a vulnerability too, he says, especially if shipped off-site for storage, so the company has produced a tape version of DataFort with data compression built in. "I don't think there's any organisation that can tell you that at any time, they know where all their tapes are. However, if you do a good job of encryption it removes all patterns from the data, which means you can't compress it. So you have to compress in hardware before encryption."
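The ordering constraint Willson describes, as an added example that is not Decru's code: the same data is written compress-then-encrypt and encrypt-then-compress, and the resulting sizes are compared. A SHA-256 counter-mode keystream stands in for the appliance's AES, and the sample log data, key, nonce and function names are all constructed for illustration.

```python
import hashlib
import os
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (NOT AES, not for production): XOR the data
    with a SHA-256 counter-mode keystream so the output is pattern-free."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def write_tape(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Ordering from the article: compress first, then encrypt."""
    return keystream_xor(key, nonce, zlib.compress(plaintext, 9))


def restore(tape: bytes, key: bytes, nonce: bytes) -> bytes:
    """Reverse of write_tape: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, nonce, tape))


def tape_sizes(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Bytes that would reach the tape under each ordering."""
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(write_tape(plaintext, key, nonce)),
        # Reverse ordering: the compressor only ever sees ciphertext.
        "encrypt_then_compress": len(
            zlib.compress(keystream_xor(key, nonce, plaintext), 9)),
    }


# Constructed sample: repetitive log-style records, typical of backup data.
SAMPLE = b"".join(
    b"day=%02d host=filer1 user=u%03d action=read status=ok\n" % (i % 28 + 1, i % 50)
    for i in range(4000)
)
KEY = os.urandom(32)    # 256-bit key, the key size quoted in the article
NONCE = os.urandom(16)  # hypothetical per-tape nonce

if __name__ == "__main__":
    for name, size in tape_sizes(SAMPLE, KEY, NONCE).items():
        print(f"{name:>22}: {size} bytes")
```

Encrypting first leaves the compressor nothing to work with, so the tape holds roughly the full plaintext size; compressing first keeps the savings and still restores to the original bytes.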

DataFort can encrypt 100MB/sec and requires no licences, and keys are themselves automatically encrypted and sent to a repository. If the keys are deleted, the stored data is effectively electronically shredded, a feature popular with diplomats and the military, Decru says.

It also enforces role separation, with the domain administrator doing client and server management, and a security supervisor controlling access. Administrators can still back up a filer but they cannot read encrypted data.

For NAS, DataFort supports CIFS and NFS, and Willson says that WebDAV will be added during the summer. WebDAV (distributed authoring and versioning) allows file sharing via a folder presented as an HTTPS Web page. It means you use SSL encryption over the network and Decru encryption on disk.