Computerworld

Ciphering out security

  • Drew Robb (Computerworld)
  • 02 November, 2005 15:47

The past few months have seen a torrent of stories about corporate mismanagement of customer data. Backup tapes that were lost by the likes of Bank of America Corp, Citibank, Ameritrade Holding and Time Warner contained the personal data of millions of customers. Nobody wants those kinds of headlines.

"Losing backup tapes would be highly detrimental to our organization," says Daniel Chow, systems and security administrator at Boeing Employees' Credit Union (BECU). "The last thing you want is your name emblazoned on the front page for exposing customer data." To minimize the likelihood that data would be exposed if tapes were lost, BECU has adopted encryption technology from Decru (which Network Appliance recently acquired).

The logic behind such a move is straightforward. Experience makes it apparent that attempts to prevent data loss will ultimately fail. It's smart policy to make sure that data has been encrypted so it can't be read when it gets into the wrong hands.

Timing is everything

But where should the encryption be done? It can take place within the application, in the database or at the file-system level via software encryption. But software-based encryption can add an overhead burden if done incorrectly. Alternatively, there are appliances you plug in and even hard disks that encrypt data as it's written on disk. Most business users appear to prefer the appliance approach for its convenience and performance advantages -- and because it's a plug-and-play way to comply with regulatory requirements.

"Storage security is finally getting attention but still not enough," says Steve Duplessie, an analyst at Enterprise Strategy Group. "Privacy issues are going to ultimately mandate that all data be encrypted -- and that will cause big issues all over IT."

The fields of storage and security used to be an ocean apart. Storage personnel were content to let their security colleagues deal with firewalls, intrusion detection, viruses and other external threats. But it's hard to ignore the headlines. So the storage industry has awakened to its huge corporate responsibility -- the security of stored data is no longer somebody else's problem.

To date, that awareness has translated into trade magazine articles and conference briefings but not much budgetary action. Adoption of storage security technology and procedures remains low. Enterprise Strategy Group estimates that the entire storage security market totalled $US50 million last year. It's expected to double this year, however, and be a substantial growth area for several years. The backup market, in particular, is driving the adoption of encryption technology.

The largest credit union in Washington, US, BECU does nightly backups at its headquarters as well as at a call centre in Kent. The backups use Legato Networker software from EMC to transmit 6TB of data from BECU's storage-area network (SAN), which consists mainly of Hewlett-Packard hardware and Brocade Communications switches, to an HP ESL9000 tape library. Every morning, those tapes are transported off-site by Iron Mountain -- the Boston-based third-party storage provider involved in some incidents of lost tapes. That trip on the open road raises red flags for some security experts.

"If you are sending your backup tapes by UPS truck, please stop," says Curtis Preston, vice president of data protection services at GlassHouse Technologies, a storage consultancy and services firm. "And if you really must ship tapes off-site, make sure they are encrypted."

BECU uses Decru DataFort appliances to encrypt all backup data before it goes off-site. "You can't blindly trust a third party, as you never really know what they are doing with [your tapes]," Chow says. "So we took it upon ourselves to ensure our data was safe."

BECU bought six appliances for $US25,000 per unit. The two SANs at headquarters each have two appliances for redundancy, the Kent facility has one, and a disaster recovery site in Washington has another. A licence-key management server is also needed to manage encryption keys for all appliances. Chow says he gravitated toward hardware encryption because he wanted to avoid any performance hit. "We've experienced no overhead with the appliances," he says.

He's also sleeping better, since the system has worked well during audits and tests. For example, someone took a tape and attempted to extract a file, but the output was gobbledygook. Similarly, the audit department challenged IT to prove its ability to rapidly decrypt. A test restore passed with flying colours, Chow says.

While backup operations may be where most organizations start when adopting encryption, companies such as Payformance Corp have decided to encrypt everything. Payformance offers software that lets companies print laser cheques, statements, invoices and other documents in-house.

"Our financial services and health care clients are very concerned about the security and privacy of their sensitive payment-related data," says George Betancourt, security officer at Payformance. "Personal health information has to be totally buttoned up."

Betancourt tested the encrypted file system built into Microsoft Windows Server 2003, but he wasn't happy with the performance of software-based encryption. He reports that a delay for encryption, even one of less than an hour, meant forcing customers to wait.

The company ultimately decided to use CryptoStor appliances from NeoScale Systems. Two units in fail-over mode are hooked directly into the fabric of the company's 2TB SAN using EMC CX500 disk arrays, Dell tape drives and McData Fibre switches.

"We ran SAN tests before and after and saw no performance hit," says Betancourt. "So it seemed simplest to encrypt everything."

Payformance uses another CryptoStor unit for tape encryption. Symantec's Veritas Backup Exec 10 software sends data via the appliance to a Dell PowerVault 132T tape library. Those tapes are moved off-site for storage. Why no fail-over in the tape-backup architecture?

"If the appliance fails, we are prepared to stop tape backups for the short time required to have it repaired," says Betancourt. "But the SAN is different. We can't afford any downtime there."

Software hybrid

The main storage-encryption vendors -- Decru, NeoScale, Kasten Chase Applied Research and Vormetric -- all offer appliance-based products. However, Vormetric's tool differs from the others because it does software encryption while the appliance manages the keys involved.

Computer gaming middleware company Havok uses the Vormetric CoreGuard Security System at its Dublin and San Francisco offices.

"A high-profile hack of Half-Life 2 made us stand to attention as our code is in that game," says Alistair Duff, director of IT at Havok.

Havok is selective about what data it safeguards. It protects only gaming code and other critical data residing on a couple of servers and desktops.

Data can be encrypted at rest and in transit. If you're at a PC, when you access a file, it's decrypted as it passes across the network and appears on your machine as clear text, provided you have the required authorization level.

Access can be limited by application, user and host. Software is loaded on each protected machine, and there is an appliance for both offices. The system also gives Duff an added layer of defence against virus-borne threats. "If a Trojan comes in, it won't be installed and run, as it is not approved to run," he says.

Economics and regulation

Economics may be the main reason why encryption hasn't really caught fire yet. At $20,000-plus per box or as high as $2000 per software-encryption licence, data protection doesn't come cheap. But then again, how much does it cost to repair the damage caused by exposure of customer data?

"Companies like Iron Mountain have lost some credibility due to recent events," says BECU's Chow. "The ROI equation is simple -- what is the goodwill of the organization worth?"

Despite the high cost, encryption may soon be unavoidable. Some US states have passed laws that include painful sanctions for companies that don't encrypt data. Other governments are following suit. While these laws don't typically demand encryption, California SB 1386, for example, requires companies to disclose security breaches to the media and all customers potentially affected -- a public relations catastrophe.

"If the [Bank of America] tapes had been encrypted, it would not have had to disclose the theft," says Enterprise Strategy Group's Jon Oltsik. "The time has come to stop talking about security and start dedicating budget dollars to address this business risk."

Cryptic differences

Encryption can be done at multiple layers. It can be performed via appliances, in the network (through a virtual private network), within certain applications, in the database or at a file-system level. In the storage world, appliance-based approaches have gained prominence.

"Appliances are built from the ground up to perform a security function, and they are certified to comply with federal standards," says Jon Oltsik, a storage security analyst at Enterprise Strategy Group. "Most of them operate as a bump in the wire. While they are all quite similar, there are subtle differences between them."

According to Oltsik, Decru and NeoScale are in-line appliances that sit between the host bus adapter and the storage switch. Kasten Chase's tool, on the other hand, is like an in-line encrypted HBA, whereas Vormetric offers more of a software-based method that encrypts at the file-system level. Vormetric's appliance is for centralized management of the system and its keys.

Which is best? Each vendor goes to great lengths to highlight the superiority of its wares. Go to their Web sites to view plenty of feature-comparison charts. However, demos of likely candidates are probably the only real way to determine what will work best in a specific environment. "Each method has its strengths and weaknesses," Oltsik concludes.