You use encryption to protect data as it moves across your wireless network. You use IP Security to encrypt data coming in through your VPN. Transactions on your Web site are protected via Secure Sockets Layer.
But what's protecting your data as it sits in storage? Or when it moves from one storage medium to another? Or when it moves from a main storage-area network to a remote back-up system?
If the firewall represents perimeter defense, then secure storage represents defense at your enterprise's core, protecting the actual object of any attack. And four vendors - Decru Inc., Kasten Chase Inc., NeoScale Systems Inc. and Vormetric Inc. - have released storage security appliances that attempt to do just that.
Defending at the core offers the advantage of protection against external attacks and internal attacks, which might run the gamut from a disgruntled super-user accessing corporate records, to theft of back-up tapes, to a rogue process accessing unauthorized data because of a programming error.
One factor that makes life complicated for network executives is that they're charged with the conflicting tasks of making data pervasively available while at the same time limiting access only to authorized users.
And these days, data is dispersed throughout the corporation in many ways. Companies have large, centralized SANs. They have smaller SANs, typically using either Fibre Channel or iSCSI as a transport mechanism, distributed about the company and in some cases hundreds or even thousands of miles apart. They have network-attached storage (NAS) devices scattered over the corporate LAN. And many companies still have their data stored on direct-attached storage devices.
However, whatever the storage topology, when stored data is accessible by any unauthorized person or process it is under threat.
The four ages of data
Data exists in one of four states during its life cycle: at rest within some aspect of the storage system; accessed by a user or by some process (a database, for example); in transit on the WAN, LAN or SAN; and under management by a security application. It's necessary to protect the data in each of these states; anything less will likely prove to be no security at all.
The new storage security appliances address three of these data states: at rest, in transit and being managed.
The secure storage appliance cometh
Large software companies such as Computer Associates and IBM/Tivoli have offered security applications for years, and many of their products are running on servers in some of the largest corporations in the U.S. Typically these are large software implementations (often part of an even larger software suite) aimed at guarding against outside attacks and which, correctly or not, are viewed by many as the "high-priced spread," appropriate for the larger corporation but not applicable to cost-sensitive small or midsize businesses.
As a result, CA's eTrust Encryption and Tivoli's IntrusionManager, RiskManager and other products often are ignored - perhaps undeservedly - by many companies.
Enter Decru, Kasten Chase, NeoScale Systems and Vormetric with a new generation of 1U and 2U rack-mounted storage security appliances. They all offer similar features, such as:
-- Appliances that encrypt data using 256-bit Advanced Encryption Standard (AES) encryption. AES is approved for securing "sensitive but unclassified material" by U.S. government agencies and is the de facto encryption standard for commercial transactions.
-- Web-based management consoles for ease of management. These are self-protected against any attack on the management application and provide a secure line to the appliance.
-- Wire-speed throughput (so the vendors say), meaning the appliances should not become a chokepoint for data traffic while they perform their security functions.
-- Some deploy software agents to servers or storage devices. Many IT managers these days don't like the idea of distributing agents that take time to deploy and take up memory space on their servers. Be advised that the agents for these products are likely to have extremely small memory footprints.
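To make the at-rest encryption in the feature list concrete, here is an added example written for this article, not code from Decru, Kasten Chase, NeoScale or Vormetric. It models an in-line appliance that holds a 256-bit AES key and hands storage nothing but ciphertext, so a stolen tape or discarded drive yields no readable data. The Appliance type, the block identifiers and the map-backed "tape" are constructed for the example; the choice of AES in GCM mode, which also authenticates the stored bytes, is the example's own, since the article does not say which cipher mode the products use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Appliance models the in-line security device: the only place the key lives.
// This is an assumed design for illustration, not any vendor's architecture.
type Appliance struct {
	key []byte // 32 bytes selects AES-256
}

// NewAppliance draws a random 256-bit key. A real device would generate and
// hold it in tamper-resistant hardware and replicate it to a failover peer.
func NewAppliance() (*Appliance, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Appliance{key: key}, nil
}

func (a *Appliance) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(a.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal turns one plaintext block into what gets written to disk or tape:
// nonce || ciphertext || 16-byte GCM tag. A fresh nonce is drawn per write,
// and the block's address is bound as additional authenticated data so a
// ciphertext cannot be silently copied to a different location.
func (a *Appliance) Seal(blockID string, plaintext []byte) ([]byte, error) {
	g, err := a.gcm()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(blockID))
	return append(nonce, ct...), nil
}

// Open reverses Seal. Any change to the stored bytes, a wrong block address,
// or a different key makes it fail rather than return garbage.
func (a *Appliance) Open(blockID string, stored []byte) ([]byte, error) {
	g, err := a.gcm()
	if err != nil {
		return nil, err
	}
	if len(stored) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("stored block too short to be valid")
	}
	nonce, ct := stored[:g.NonceSize()], stored[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(blockID))
}

// Storage stands in for the disk array or tape: it holds only what Seal
// produced and never sees the key. Constructed for the example.
type Storage map[string][]byte

func main() {
	appliance, err := NewAppliance()
	if err != nil {
		panic(err)
	}
	tape := Storage{}

	record := []byte("ACCT 4471 balance 18,250.00") // constructed sample record
	sealed, err := appliance.Seal("lun0/block-7", record)
	if err != nil {
		panic(err)
	}
	tape["lun0/block-7"] = sealed

	// An authorised host reads through the appliance and gets plaintext back.
	pt, err := appliance.Open("lun0/block-7", tape["lun0/block-7"])
	fmt.Printf("read back: %q (err=%v)\n", pt, err)

	// A stolen tape read by someone holding a different key yields only an error.
	thief, _ := NewAppliance()
	_, err = thief.Open("lun0/block-7", tape["lun0/block-7"])
	fmt.Println("wrong key:", err)

	// A single flipped byte on the medium is detected, not decrypted to junk.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = appliance.Open("lun0/block-7", tampered)
	fmt.Println("tampered:", err)
}
```

The point the example makes is about placement, not the cipher: the key exists only inside the appliance, the storage layer handles opaque bytes, and an authenticated mode turns a tampered or relocated block into a hard read error. Losing the appliance means losing the key, which is the availability risk discussed under the installation section below.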
DataFort from start-up Decru attaches to a Fibre Channel SAN switch or, for IP-based storage such as iSCSI or NAS, sits on the LAN between hosts and storage. Decru offers secure clusters with active-active failover, audit trails and a "hardened architecture" for the appliance, and requires use of a smart card for access to the appliance. The company also offers a device focused on tape security.
Kasten Chase, hardly a start-up, has provided data security solutions for a while now. Its Assurancy SecureData protects data on the storage devices and when it traverses the SAN fabric. Data is encrypted on the storage devices. The appliance attaches to the LAN, performing out-of-band authentication over the IP network. Agents for authentication and key-exchange services are loaded on the switches. Scalability and load balancing are supported via clustering.
NeoScale, another start-up, builds the CryptoStor appliance, a secured chassis with a "hardened operating system" that supports centralized administration of all storage security functions and management of all remote appliances from a single point. When clustered, the appliance's failover functions ensure continuity of operation. NeoScale provides a second appliance for securing secondary storage devices.
Vormetric's CoreGuard Core Security System consists of an appliance and a thin agent deployed to each server. The appliance manages access control between the hosts and the data, connects to the hosts via Ethernet and can support multiple host agents. These agents sit above the kernel and should have no effect on critical operating system functions. Because it sits between the server and the data, the appliance should be transparent to applications, networks and storage topology.
Installation and use
These boxes are installed and deployed easily, which is a key factor in accelerating time to value. Web-based interfaces (they also have command-line interfaces) to the management consoles will provide ease-of-manageability and an opportunity to centralize the management of multiple appliances, whether they are distributed or clustered. Each vendor also says its device scales easily.
And finally, appliances having secure clustering with failover capability can be considered a high-availability solution.
There also are risks of which you should be aware. First, it is unlikely that any site will ever want to buy just one appliance because the data won't be available if the security appliance goes away. You will need failover capability to ensure continuous access, and that comes from another appliance. So there is a good chance you will at least be doubling your expenditure.
Second, once you buy into a vendor's product, you also are likely to be locked into the vendor. These products are all proprietary, and Brand A doesn't know anything about the proprietary protection features of Brand B.
Third, make sure the product you select is interoperable with your current storage assets. Is iSCSI in your future? Will you be getting one of the new director-class switches for your SAN? If so, talk to your storage vendors about how well they work with the security appliance you are considering. You want zero impact on the functioning of existing systems, which means these devices must have no effect on performance and must be transparent to existing management systems.
Fourth, verify that the product you buy will scale to the extent you will need. After all, these appliances are relatively new technology and are only beginning to create a track record. Trust, but verify.
Is it worth it?
Consider the portability of most data. What your company has might, inadvertently or not, go out the door on a discarded disk drive, on some old tape or on a soon-to-be lost laptop. Or you could be hacked. Either way, your unprotected data is in danger of becoming somebody else's information.
Ultimately, you just have to remember one thing: The effort an adversary puts into stealing your data is likely to be proportional to the value of the reward. If your data isn't critical, why bother? If it is, the hackers are out there.
Karp is an analyst at Enterprise Management Associates. He can be reached at firstname.lastname@example.org.