In-Depth
A Seuss-ian View of Storage Security
One of the big puzzles of storage security is how best, architecturally speaking, to deploy the technology. BitArmor answers our questions.
If you are like most people, reading through the marketing literature of storage security vendors may seem a bit like reading a Dr. Seuss bedtime story. I’m thinking specifically about "Green Eggs and Ham," a favorite among my younger kids, in which the narrator is repeatedly offered a dish that he does not want. The persistent salesman counters each rejection with an offer to change the presentation of the product to fit a variety of ancillary consumer preferences: he can enjoy his green eggs and ham on a boat, with a goat, in a box, with a fox, etc.
One of the big puzzles of storage security is how best, architecturally speaking, to deploy the technology. Should storage security take the form of server-based software; should it be hosted on a network router, switch, or appliance; or should it be built onto disk drives, tape libraries, and disk arrays (among other devices)? Depending on which vendor you speak with, the answer to this question is almost always "yes."
Recently, I asked several vendors to respond to five questions. First, I asked vendors to describe their products, the problem it addresses, and how it integrates with other system components. Next, I asked the vendor to explain why the company’s solution was superior to competitor’s solutions. I asked why other security elements (network, system, and application controls) were not sufficient for storage protection and access control. My fourth question asked whether, in the vendor’s estimation, some sort of additional storage security was required for information at rest (data not traveling outside the protection of the glass house). Finally, I asked what the vendor thought the most important criteria should be for vetting a security solution.
As a bonus question, I asked vendor to estimate the solution’s labor costs. The "gotcha" with data management technology (an umbrella term that includes data security) is that it imposes a new workflow and creates a need for additional dedicated staff. This is a soft cost in the total cost of ownership of any technology that tends to inflate the actual operating cost of technology well beyond the cost of ownership advertised by vendors.
As of this writing, two vendors have responded to my query: BitArmor Systems, a Pittsburgh, PA-based start-up that offers a server-based storage security suite (and whose answers we’ll discuss this week), and Crossroads Systems, the Austin, TX-based company that provides network-based security services, among other discreet functionality sets, on a versatile router-based platform (and the subject of my next column).
Would You, Could You, in a Box
I have been following BitArmor for over a year. The small company has developed a novel way to add value to Microsoft operating systems in the form of an additional metadata "tick box" denoting the security requirement of a data object.
You may have encountered the other tick or attribute boxes that Redmond has already provided: just look at the properties associated with any object in your server or PC and you will find attributes such as "hidden," "archive," or "read only." With BitArmor installed, you have the capability to designate a file for policy-based security services, a model that can be expanded, by the way, to facilitate the policy-based retention and deletion of data for regulatory compliance purposes.
From such an unassuming element, it might be difficult to imagine the full range of functionality the vendor is delivering in its software suite. To use the words from their e-mail response, "By building a centralized, single solution with encryption that protects data wherever it resides, automatic key management, and advanced data management functions that make managing encryption easy, BitArmor overcomes the barriers of true security and management of enterprise data."
In effect, their metadata tag provides a means not only to expose selected data to policy-based encryption, but also to manage data through retention and deletion periods with full auditability.
BitArmor’s vice president of marketing, Mark Buczynski, says that storage requires special protection both in flight and at rest, and stresses that the BitArmor solution beats competitors based on its performance speed, transparency to the user, and simplicity of operation. The company offers a patent-pending encryption scheme that eliminates the bottlenecks and the administrative hassles of typical Public Key Infrastructure (PKI) approaches: "BitArmor … uses standard symmetric key processing algorithms and has built from scratch a powerful automatic key management infrastructure, which eliminates the need for PKI. This infrastructure provides automatic key distribution, establishment, revocation, and rotation, and is transparent to both users and administrators."
He adds that with BitArmor’s Security Suite, administrators may manage users, policies, ACLs, machines, and groups, but they don’t have to manage keys. Users work as they normally would, without the need to become cryptography experts.
BitArmor’s Windows-friendly approach is also extensible across distributed computing infrastructure, according to Buczynski, who stresses that this is a critical requirement for real world security, which is not limited to the domain of the data center. He notes that BitArmor protects "data not devices"—at the file, folder, or complete volume level, providing superior encryption and security granularity.
Must-Have Features
He argues that special provisions for data security within the storage infrastructure are must haves, "Network security provides temporary, or ephemeral, encryption of data. Plain text data is encrypted before being sent over a wire, is sent, and is then decrypted at the other end of the link. Network security fails to provide any level of protection before or after transmission. Application security is fine for that application; yet once the data is extracted from the application, it is again unprotected against threats of any kind.
"Stored data absolutely requires additional specialized security. Drivers for stored data encryption include not only hackers, but threats and abuse from the trusted insiders. For example, administrators may have full access to a company’s ERP or financials, but shouldn’t."
Selection criteria for the best security solution, in Buczynski’s view, boil down to traditional checkmark items such as interoperability with existing security systems, performance, and ease of use, but where the rubber meets the proverbial road is in the area of persistency. The security of data, he contends, must travel with the data itself throughout its lifecycle so it is never compromised.
A plus of the BitArmor approach, he says, is its economical labor-cost component: "BitArmor Security Suite may be implemented and managed by as few as one or two trusted individuals in the IT or security organization." However, he adds, depending on the functionality required, companies may want to assemble a representative group from IT, storage, legal, and security departments. Because corporate ethics, compliance, and responsibility issues are being driven from the top down, there is a growing need for cross-functional groups—all of which are stakeholders—to address the provision of company-wide data security and data management.
Would You, Could You, on a Router?
BitArmor Security Suite has numerous advantages to offer, particularly in Microsoft environments, over other encryption approaches. Another alternative, proffered by Crossroads Systems, has security services being applied to data as it moves from the server into a storage device. We’ll explore this approach in the next column in this series.
Seussian metaphors aside, there are many options for delivering data security. If you are a vendor and want to brag about yours, there is still time to respond to my short questionnaire. Alternatively, if you are a user of a storage security product and have a war story to tell, e-mail it to me at jtoigo@toigopartners.com.