Storage Security in a Box? (Part III in a Series)

Placing storage security in the network is another option for locking down your data

In the last installment, we began our look at architectural alternatives for providing security for data stored on magnetic media. We heard from an early-stage storage security vendor, BitArmor Systems in Pittsburgh, PA, who argues that storage security begins at the server and that encryption and other security controls should be applied as data is first created by applications and end users.

Conceptually, the BitArmor view made considerable sense. Those who create data might be in a better position to separate the important data from the inconsequential, and thus be in a better position to mark the important bits so that functions such as encryption could be more judiciously and economically applied. BitArmor’s software can mark data with an additional security attribute, then track it over its useful life, a strategy that provides added value in the form of a workable data-deletion process. When files exceed their useful lifespan, simply shred them (electronically speaking)—or at least make them inaccessible by breaking their encryption keys.

However, other voices in the storage security realm claim that on-server approaches aren't adequate. They say, first, that using the application server for doing anything other than serving applications poses a potential problem. Encryption consumes cycles, so server performance will be adversely impacted by sharing CPU resources between the real work of the business application and the tasks associated with encryption and security.

To clarify this point, it would be useful for the security-on-server vendors (BitArmor included) to produce actual data on the load imposed by their software on production systems. Until that happens, a number of appliance vendors have popped up who want to handle security as an off-server task.

We have written about appliance-based storage security products before: Decru, NeoScale, DISUK, and others have appeared on the market in recent years. Conceptually, they are all the same. They provide an encryption service (usually together with key management services) in the data path between the production server and the storage target. As data crosses the transom, it is transformed and sent on to the storage target as encrypted bits.

Some security appliances are essentially over-clocked PCs (fairly generic computers whose CPUs have been accelerated to handle the encryption burden more rapidly, so as not to introduce latency into the data input/output path). As a result, they generate considerable heat, which may be undesirable in data centers that are already hamstrung for additional utility power for air conditioning plants. In almost every case of appliance-based security, you need to have a unit for every data path on which you want to provide encryption services. One can imagine racks and racks of heat belching encryption appliances to protect many ports in a large enterprise Fibre Channel fabric.

Unique among the crowd is Crossroads Systems, based in Austin, TX. Crossroads’ original claim to fame was as a provider of protocol bridges that enabled legacy parallel SCSI hardware to be connected to FC fabrics. As more and more storage hardware adopted on-board FC connectivity, Crossroads, which had evolved its bridge to a router capable of supplying its bridging functionality to any number of parallel SCSI devices, found its future with the solution increasingly limited.

That’s when CEO Rob Sims and his executive and technical team went behind closed doors and developed a new business plan. They came out of the dark a little over a year ago with a strategy called Business Information Assurance (BIA) in which their router becomes a platform for delivering discrete application services, including storage security. One of the latest manifestations of this strategy is the StrongBox TapeSentry.

The company emphasized the merits of this product in their response to our invitation to security vendors to explain their storage security perspective. In their written response, the company said, "The best possible implementation of an encryption solution is one that offers robust key management and is flexible enough to integrate seamlessly with the current and future infrastructure. It should introduce no additional overhead, complexity or latency."

A Router-Based Solution

Essentially, what the company offers is a non-intrusive, router-based solution that delivers high performance, low latency, flexible encryption policies that are both drive and device independent. Additionally, TapeSentry provides industry-standard encryption algorithm (AES—256 bit) to secure data stored on tape.

Distancing Crossroads’ router-based TapeSentry from other appliance-based approaches is the presence of a router engine, based on patented Crossroads technology, which has a port-multiplying impact. Diverse data streams can be afforded the services offered by TapeSentry (and other storage-related services hosted on different flavors of the platform), thereby breaking the one route-one appliance algorithm associated with most appliance-based offerings today.

The Crossroads Router Message Interface (RMI) core technology in TapeSentry intrinsically provides three key differentiators, in the company’s view. From a performance standpoint, TapeSentry provides wire speed for data traversing it, and it can pass through non-encrypted I/O with no loss at full line rate. Up to three concurrent streams to LTO 3 drives can be supported on one router. Inquiries to tape devices can be cached and write commands can be buffered to optimize the streaming of data to tape devices.

The security story of the solution is even more compelling. Begin with Crossroads’ patented access control functionality, which enables access to storage targets from multiple hosts to be regulated down to the LUN level in accordance with corporate policy. This feature enables libraries to be partitioned into secured and unsecured areas and facilitates troubleshooting if problems develop in certain backup or restore processes.

Also, leveraging router architecture, the solution delivers a highly available security service that can be readily configured to fit with host access or drive connectivity requirements. This feature provides the basis for the company’s claims to have the most flexible and scalable solution in the business—a boast that is further reinforced by over 125,000 router systems installed, facilitating the operation and security of more than 300,000 tape drives, to date.

Crossroads focus on tape encryption is not a narrow one. The company insists that storage requires its own security standards and points to tape encryption as an obvious need. In their words, "Data at rest (i.e., backup data), archive data, or any data stored on tape introduces additional and unique security requirements beyond the traditional data in motion security measures. It is not unusual for this data at rest to be stored outside the scope of the network, system, and security measures. Therefore, it is imperative that this data be secure in an isolated fashion. This typically means encryption."

Key Management is Crucial

That said, the company adds, "Encrypting the data is only half the story. The ability to decrypt the data during restore is the other half of the story. As tape encryption requirements grow to an enterprise level within heterogeneous environments, managing encryption keys becomes a highly sophisticated process. Similarly, encryption of the keys themselves is needed. Managing the keys and the key encryption requirements, also outside the scope of the traditional network, system and app security processes, further defines the need for specialized security for storage data at rest."

This insight is original among the other security appliance vendors' product literature I have reviewed. Clearly, Crossroads has dedicated a lot of thought to the holistic backup/restore process, not just to expediting the encryption of data streaming toward the tape drive. This is further reflected in their market assessment around tape outsourcing, increasingly popular in larger enterprise environments.

According to Crossroads, outsourcing tape storage is a growing IT trend; corporate liability, however, remains an internal responsibility. Companies need to maintain, internally, the keys to the data to avoid the embarrassment of lost tapes and in some cases fines, lawsuits, and so forth for negligence in protecting data. Even if tape management is outsourced, the encryption of the data on the tape and the management of keys used to access it are supported by the Crossroads TapeSentry solution.

That said, Crossroads insists that key management is not a burden to the consumer. "Because of our imbedded key management, there is little to no labor cost associated with the system. The average install would take less than one hour. The responsibility of operations, management, and oversight would typically be handled by the IT staff that is in charge of the server backups. While we have made accommodations for multiple user levels, the reality is that the systems are completely automated and would rarely be accessed from any staff member; these are simply intended to provide auditing tools. Management of the keys is frankly transparent to the IT staff and BMA. A successful implementation would be analogous to the user checking a box for tape encryption and then returning to normal operations." TapeSentry enables a role-based implementation model, separating responsibilities between an Appliance Administrator, who enables users such as system and network administrators to install, configure, and administer TapeSentry, and a Security Administrator, who enables users such as security personnel to define policies that determine which data is encrypted, how certificates are managed, and which users have access to what data. A good report viewer is provided to allow CFOs, CISOs, and auditors to view reports on TapeSentry status and enable troubleshooting.

All in all, Crossroads Systems makes a compelling case for building storage security as a set of services available to data streams that require them directly in the network or fabric. The company is busily expanding the range of storage and data management services hosted on their router platform beyond security and encryption. We will be eagerly watching to see what they come up with.

Bottom line: placing storage security in the network is another option for locking down your data. In the next installment, we will consider a third option: building security directly onto the storage target. Until then, your comments are welcomed: