If anyone was under the illusion that data storage was boring, think again. The new technology engaged in protecting your critical data takes a fresh and enthusiastic approach to data security - ensuring that what you deem sensitive, value or trusted, is also worthy of iron clad protection within your storage infrastructure.
If you think that there's anything exciting to see as the data passes through the box, you'd be disappointed. In fact try finding CryptoStor within the Fibre Channel (FC) network or backup application and you may just hit a small snag - it's nowhere to be seen. But that's the point.
NeoScale has developed two distinct runners in the storage security area; one appliance for securing data on subsystems or tape libraries within FC networked storage, and one solely for protecting backup data on tape and probably destined for vaulting. Employees, even administrators, will remain unaware of its invisible protection.
The two appliances generally work on the same principle as the unit is placed inline and the storage payload is encrypted at the block level using triple-DES or AES upon satisfying an administrator defined rule. The difference is that the FC unit operates at wire-speed, offers storage traffic blocking and is network transparent, while the Tape unit operates at tape-speed, offers compression and authentication, and is backup transparent.
Stealing backend data, up until now, can be accomplished despite access controls. Given the spread of networked and distributed storage, bulk data access risks are on the rise. Companies have usually avoided data storage encryption since it typically puts a drain on performance and adds management complexity to the storage process. And by solely relying on physical protection, the data sits unprotected. Therefore, those who attempt logical or physical breach of systems, arrays or tapes may get the goodies. Most organizations are aware of the 'insider' threat and limit exposure with portable media backup tapes. But with an appliance such as CryptoStor, this type of theft does not bode well.
One difference between the FC and Tape solutions is in their transparency, as the FC unit is totally transparent in the SAN, while the Tape unit is transparent to the backup application and the tape library device. This makes it easier to implement, less disruptive to storage processes, and far harder to 'break' as you can't fight what you can't see or know.
The storage data going through the box is encrypted at the block (not file) level while keeping the needed transport information intact to ensure integrity with all storage applications and routing. This encryption is dealt with at lightening speed so that there are no tell-tale signs to impact storage operations, therefore, it really does execute at nominal port-to-port latency. Theft of critical data, once it has passed through a CryptoStor box is futile. It will not be readable outside the data path, nor will it be salvageable without the appropriate set-up and authority, therefore useless to the thief. However, data can be recovered through the appliance or a software-only version by authorized staff.
Setting the box up, whichever version you are connecting, is relatively straightforward, once you have determined what applications address which storage devices. You first log on (directly or remotely) to configure the box to work in your storage environment. A set of system keys are required - one to encrypt all the individual encryption data keys overall and the other to authenticate system configuration.
All processes are accomplished through several fields in a useful tabbed menu structure in a web GUI. The system accepts manual key input, or can generate random keys (the later being more likely). The parameters to create data protection rules are simple as they can combine source or destination ID, world wide name (WWN), logical unit number (LUN), volume, and block range. This makes it capable of readily protecting any application data, with centralized and securepolicy and key management.
Both rack-mountable solutions are hardened appliances, which basically mean that attempts to get under the hood physically or electronically will prove fruitless. The FIPS 140-2 compliant units have built-in and support remote smartcard readers used for two-factor authenticated system access and secure escrow/recovery of system keys and policies. There are four user types: user (monitoring), admin (system set-up), security officer (rules and keys) and recovery officer. For added security, system keys recovery can require one or more officers to inject partial keys, and the system can be set for secured audit logs, alerting, and auto log outs after inactivity. Reliability is achieved through redundant hot-swappable fans, power supplies and support for clustered failover pairs.
CryptoStor FC yields line rate speeds at 99.x percent throughput for FC SANS with hundreds of rules. Beyond encryption, the system can also act as a storage 'firewall,' blocking unauthorized communications between hosts and resources down to LUN or block range. And the box supports offline data preparation and subsystem virtualization.
CryptoStor for Tape works with the fastest tape drives in FC or SCSI configuration and is wholly compatible with Veritas, Legato, HP, CA and TAR backup applications. The system can also compress the stored data prior to encryption, and the box supports unique, pooled and remotely stored media with secure, authenticated recovery.
Depending on where you need to guard your critical information (network or backup), both products offer good value and are readily deployable.
