Safeguarding storage

Attempting to address critical storage concerns, a host of companies are rolling out new security appliances that secure stored data and manage certificate-based authentication between storage devices.

Startups Decru Inc., NeoScale Systems Inc., Vormetric Inc., and traditional data security player Kasten Chase Inc. are taking up the challenge to prevent unauthorized outsiders and employees from gaining access to an enterprise’s data.

Although encryption for the data-transfer process is quite mature, very little has been done collectively by the storage industry to develop and define means to protect and encrypt the data itself as it rests or resides on a disk. However, as storage is consolidated into NAS and SAN environments, better protection of the data within is required.

Decru, based in Redwood City, Calif., is leading the storage-security charge. The stealth startup is expected to come out of hiding next week and outline specifications for a forthcoming security appliance that both encrypts data and enables authentication across both SAN and NAS environments — a dual-environment feature that its competitors can’t yet claim.

“Before, with DAS [direct attached storage], only the storage attached to that server was hurt” by a vulnerability, said Dan Avida, Decru CEO and co-founder. “But now with arrays, all the assets are compromised.”

Decru’s device, expected later this year, is able to encrypt both block and file data and authenticate devices against each other in a SAN, as well as authenticate employees accessing a NAS, according to Avida. The device will use the new AES (Advanced Encryption Standard) algorithm, a FIPS (Federal Information Processing Standard) standard, with 256-bit keys to encrypt data residing on disks.

Requests to write to a disk are funneled through Decru’s device and the encryption, transparent to end-users, is performed when a file is saved, Avida said. Agents are deployed to all components that make up the SAN or NAS; Decru’s device holds the security keys and negotiates and exchanges digital certificates with the agents during authentication requests.

Actual authentication of users is done against a standard LDAP server that stores a company’s user information, including user names and passwords; companies can then easily define protection policies on their data and define what is available to whom, Avida explained.

On the SAN side, Avida noted that it is not users but devices that require authentication. He added that the company has spent a lot of time with storage arrays from Hewlett-Packard Co., EMC Corp., IBM Corp., and others to ensure the Decru appliance can authenticate against all third-party vendors.

According to analysts, pursuing more secure storage is a worthy cause.

“From a security standpoint, the SAN has been ignored,” said Jamie Gruener, senior analyst at Boston-based analyst company The Yankee Group. “These companies are really focusing on a new level of security that doesn’t exist today on a SAN.”

Gruener pointed out that in a recently published report from The Yankee Group, security is identified as one of the top five enterprise priorities and is becoming more of a concern as storage moves from a closed network to open, more connected SANs or NAS.

In that vein, last month Kasten Chase, a Toronto-based security company, introduced its own security appliance, dubbed Assurency Secure Networked Storage. The device is a member of a family of security devices developed by the company to help an enterprise protect various processes, including mobile computing and document delivery.

Like Decru’s devices, Assurency Secure Networked Storage validates, issues, and manages security of third-party devices. At last month’s Storage Networking Industry Association’s Security Summit in Colorado Springs, the company demonstrated the product authenticating Brocade Communications Systems Inc. switches found in a SAN.

The Assurency Secure Networked Storage appliance allows storage administrators to define which data is encrypted and at what level, using a variety of cryptography approaches including the Triple DES algorithm.

Hari Venkatacharya, senior vice president of secure networked storage at Kasten Chase, said that without device authentication it is fairly easy to spoof a storage device. He added that once a device is spoofed, especially a host bus adapter, data becomes easily accessible to unauthorized users.

“Infiltration of SANs is high, but nobody talks about it,” said Venkatacharya. “It is a lot easier than people think.”

Also addressing storage security is Milpitas, Calif.-based NeoScale Systems. In April, the startup announced that its CryptoStor device was in beta trials with a number of potential customers and would be generally available by year’s end. As with Kasten Chase’s device, CryptoStor will initially work only with Fibre Channel-based SANs, but will support NAS, DAS, and iSCSI next year, NeoScale officials said.

In the meantime, the biggest challenge for Decru and others will be educating a traditionally hesitant market about the importance of security, a task that might get easier as more traditional security and storage vendors get in the game.

“I haven’t heard others talking aggressively about security,” The Yankee Group’s Gruener said. “But security is becoming a bigger issue.”