Storage firms lock down data

When thieves broke into the office of Defense Department contractor TriWest Healthcare Alliance in December 2002 and stole computers containing personal information about more than 500,000 people, the crime exposed one of the flaws in how most organizations protect their computer-based information.

Many information technology managers routinely use security measures such as firewalls and virtual private networks to foil outsiders who would try to use the Internet to hack into internal networks or eavesdrop on e-mail, but much less has been done to secure computers from people inside an organization, whether they are on the payroll or got in by climbing through a window.

Now, a handful of start-up companies, including one financed partly by CIA venture capital firm In-Q-Tel, believe they can help the situation. Their solution involves specialized hardware appliances that encrypt data before it is stashed away on hard disks or backup tapes, then decrypt it when it is retrieved by an authorized user or application.

The data is scrambled using hard-to-crack encryption techniques such as the Advanced Encryption Standard and Triple Data Encryption Standard, rendering it useless to a burglar who might steal the disks or an employee who might abuse his or her access privileges to take a peek, or worse.

Decru Inc., the company with In-Q-Tel ties, was the first to bring its product to market when it released its DataFort storage security appliances last October. Decru was followed by NeoScale Systems Inc., which started shipping its boxes last week. A third player, Vormetric Inc., is set to start shipping its product next month.

The Naval Research Laboratory used Decru's DataFort last fall to provide security to an experimental, distributed storage-area network. "As we expand the storage network's borders, the security of that data becomes an even greater concern," said Hank Dardy, chief scientist for the lab's Center for Computational Science.

Stored data wasn't always so vulnerable. In the mainframe's heyday, storage devices were tucked away in the controlled confines of data centers, physically accessible to only a few people and not connected to a wide-open network like the Internet. But as decentralized client/server computing and network-based storage technologies began to scatter data throughout organizations, the potential entry points for theft and snooping multiplied, and so did the risks.

"Today you can attack through application servers or storage because it's all networked, and you'll focus your attack on whatever is most vulnerable," said Dan Avida, Decru's president and chief executive officer.

Until now, the standard ways to keep shared, network-based storage resources safe from prying eyes were passwords and device management techniques such as zoning and masking, which carve up the storage into subsets that are identifiable and accessible only to those with permission. But defeat any of those measures, or simply steal the disks, and the raw, unprotected data is there for the taking.

In addition, data has always been vulnerable to compromised insiders, rogue IT employees who have permission to access data for administrative tasks, such as running backups or configuring networks. This group could also include employees at private firms, which more and more agencies now depend on to run parts of their IT operations.

"The problem is that there hasn't been a way to separate administrative access to data and the ability to view that data," said Bill Schroeder, president and CEO of Vormetric.

That's why storage encryption devices are positioned as the last line of defense, the security for an organization's jewels in case the other defenses — from firewalls to trust policies to door locks — fail.

Although security appliances vary in focus and capability (see box, Page 28), they all consist of a specialized hardware processor that handles encryption/decryption duties plus ports for connecting to servers, networks or storage devices. Some also include smart cards that can authenticate administrators who need to manage the appliances. They can operate at multigigabit speeds and are transparent to the other devices on the network. Multiple appliances can be clustered for faster performance and for redundancy in case one unit fails.

Potential buyers should be aware of the impact encrypting and decrypting all that data can have on a network's performance. They should also carefully evaluate how an appliance manages the software encryption keys, which can be a particularly tricky task, according to Pete Lindstrom, research director at Spire Security LLC.

"Data at rest [or stored data] is potentially being accessed by multiple applications over an extended period of time, with bits and pieces of it often accessed randomly," Lindstrom said. "The challenge is to figure out how to carve out the data so you can encrypt it appropriately, so that when you decrypt it, you don't have to get a thousand keys."

Miguel Collado, president and CEO of systems integrator Technica Corp., sees potential for using the new appliances to fill a security hole that many agencies know they have but have done little to address. His firm has begun to show Decru's appliance to some of its federal customers, though for now it has been more of an educational than a sales opportunity.

The customer concerns he has heard most often relate to the need for more thorough testing of security products and certifying them for government use. Some customers are also concerned about the longevity of the start-up vendors that are selling them.

***

Sample of storage security solutions

Company: Decru Inc.

Products: The DataFort E440 for network-attached storage (NAS) environments lists at $30,000, and DataFort FC440 for storage-area networks (SANs) lists at $35,000. Both are available now.

Highlights: The E440 uses Gigabit Ethernet for file-based host and storage connections and supports many popular NAS boxes and protocols. The FC440 uses Fibre Channel connections for block-based SANs.

Company: NeoScale Systems Inc.

Products: The CryptoStor FC appliance for primary storage starts at $35,000; CryptoStor for Tape starts at $15,000. Both are available now.

Highlights: CryptoStor for Tape works with third-party backup software and compresses data before it encrypts it, which the company claims is more efficient than encrypting the data first.

Company: Vormetric Inc.

Product: The first product is scheduled to begin shipping in early April. A recommended setup consisting of two redundant units is expected to cost less than $100,000.

Highlights: The product is designed to provide security in two layers: It will combine host-based intrusion-prevention software with an appliance for in-line data encryption between hosts and storage devices.