In-Depth

eVault: A Secure, Managed-Storage Solution with Low Overhead

At least one company has been doing something right with its secure, managed-storage solution.

• By Jon William Toigo
• 05/12/2005

Against the backdrop of recent storage security snafus, it is worth mentioning that at least one company has been getting traction for its secure backup solution. That’s Emoryville, CA-based eVault.

Responding to recent columns, PR representatiave Erin Lutz contacted me and set up an interview with Senior VP of Marketing, Tony Barbagallo. He rightfully observed that his company had been doing storage encryption since before it became so sexy. Partly this had to do with the company’s origins in the Application Service Provider (ASP) craze of the late 1990s.

Some readers of this column might remember ASPs. (I wrote a book on them, in fact.) The idea was that no one would buy shrink-wrapped software anymore. Instead, they would pay for a nibble of software hosted at a remote data center. Thank goodness we didn’t sell off all of our servers and move from PCs to NCs (network computers) as we were advised by Gartner Group and IDC, or else we wouldn’t be in business today.

Truth be told, most ASPs simply folded their tents after a year or two, having hit the market at the tail end of the dotcom bubble and having attracted primarily the dotcoms themselves as clients. One major impediment to ASP success was that businesses could not accept that their data, flying through the untamed wilderness of the Web, was secure. They also had a hard time believing that their data could cohabit with another company’s data without some sort of contamination occurring. Common sense said that if you lived in a multi-family dwelling, it really didn’t matter whether you were scrupulously clean. If your neighbor had cockroaches, you’d get them too.

Without the ability to convince consumers that their data was safe, the ASP model proved untenable for most vendors. But not, it seems, for all.

eVault remains a viable concern today. The company has several competitors, but it is unique in the field because it’s profitable.

The company’s basic play is a managed service. They offer client-server software for doing backups across the Internet. Backup your servers. Backup your laptops and desktops. Backup your big iron arrays, if you are so inclined. The company has several data centers of its own and a few more with partners where their client data is vaulted. They also work through resellers who have their own data vaults and service organizations and use only the eVault software to backup their customers’ data.

The model is pure ASP. You can get rid of those pesky tape libraries and backup software and let eVault handle your backups for you. If you have deep pockets, you can even get rid of your overpriced point-in-time mirroring software and use eVault’s Continuous Data Protection solution.

Encryption is Key

The secret sauce at eVault is the encryption software. Your data is encrypted by their software when it is shipped across the Internet and encrypted while it resides on eVault disks. It is only decrypted after it has been safely returned to your company premises. Disaster recovery maven Sungard is a big user of the technology.

So are St. Vincent Hospital and Health Services and Union Bank, just to name a couple of customers. At Union Bank, headquartered in South Florida, the need for some sort of remote backup was a no-brainer. Not only was HQ in the path of just about every hurricane we’ve seen in the last decade, it also had far-flung branch operations that required a distributed, yet centralized, data-protection solution.

Security was, for the financial institution, a major requirement that needed to be satisfied before giving eVault the nod. According to CIO Carlton West, the eVault solution is adequate to withstand the most cynical auditor. “With eVault, we have no qualm with stepping up to auditors and let them do their own testing on our systems. It’s also helpful when other business units within the bank get audited because their backup processes are part of their own audits, and our IT staff is involved in that.”

St. Vincent Hospital and Health Services in Indianapolis, IN, is also a satisfied eVault customer. They say that substituting a StorageTek ServerBlade ATA drive array for their conventional tape target helped them shorten backups “from more than 36-48 hours to less than five hours and saved the hospital more than $1.1 million in costs, including hardware and media costs and manpower time to manage the process.”

eVault’s InfoStage agents were installed on the servers, which performed incremental backups of the host computers and then compressed, encrypted, and transported the reduced amount of data to the BladeStore. This solution replaced an aging tape infrastructure and provided an additional measure of privacy for patient data while it resided in standby mode on the BladeStore array.

Barbagallo concedes that encryption adds more time to the backup process, but the company has found ways to work around it. “The initial copy of data at a client site is always the one that takes the most time,” he says. “After that is done, only changed-data snapshots are exchanged between the clients and the vault. With the reduced amount of data moving from source to target, the impact of encryption is very bearable.” He supplemented his comments with a set of spreadsheets that are provided to customers to help them to estimate the time the service will take given bandwidth and other latency-inducing factors.

Barbagallo told me that in cases where an extremely large quantity of data needed to be backed up, eVault shipped a network-attached storage array so the first copy could be made on site. “Then we retrieve the device with its encrypted data and install it directly into our data center where it continues to host the backup and the snapshots from the client.”

In my view, eVault is worth a look—especially in the wake of recent incidents of lost backup tapes. Building on the success of eVault, other storage security technologies are appearing in the market:USB pen drives that encrypt data stored on them (and decrypt only when a password is provided), firewalls expanded to include protection for storage-related network traffic, and iSCSI-based arrays implemented with full support for key-based encryption. The only real question that consumers will need to ask going forward is “How much is enough?”

ESJ provides a great security column where readers can learn more about enterprise security strategies (see http://esj.com/Security/ for past articles). For information about legal and regulatory developments in the area of data security, two sites I like a lot are the Executive Alliance (http://www.execalliance.com), which hands out awards to security savvy companies, and the Compliance, Governance, and Oversight Council (CGOC) at http://www.pss-systems.com/CGOC/index.html. You may also wish to check out a sister site of Storage Strategies: the IT Compliance Institute's ComplianceNOW newsletter discusses current compliance regulations, many of which involve storage (http://www.itcinstute.com).

We will, of course, continue to cover the storage security side of the house here. Your comments are welcome: jtoigo@toigopartners.com