CryptoStor secures vital data.

Data storage security, long avoided as a sinkhole for mission-critical service performance, warrants fresh attention. In independent tests, a pair of products from NeoScale Systems, Inc. (CryptoStor FC and CryptoStor for Tape) sealed up data in primary and secondary storage by encrypting it at maximum speed--transparently and without creating a management burden. Add a Fibre Channel firewall, hardware-based tape data compression and integrity, clustering made simple, and automated off-site storage and disaster recovery capabilities to answer multiple storage security exposures. Organizations of all sizes, from enterprises and agencies with Fibre Channel Storage Area Networks (FC SANs) down to businesses using direct-attached SCSI tape drives, can protect their data-at-rest through CryptoStor, keeping it out of the hands of employees, service personnel and hackers alike who have no rights to the information. Use of the NeoScale appliances adds data protection not covered by other products that encrypt data-in-flight between hosts and storage but leave it exposed in storage.
We found the products so easy to install and configure that managers won't have to sweat deployment. CryptoStor FC is totally invisible in FC SANs, while CryptoStor for Tape functions as a plug-and-play backup proxy. Both CryptoStor models encrypt data using the standard triple DES or AES algorithms at the block level, preserving transport information to ensure compatibility with leading applications, switches, storage devices and backup systems. CryptoStor for Tape works with tape backup software from Veritas, Legato, HP and Computer Associates (Tivoli TSM is slated for support in a future release, according to the vendor). CryptoStor FC for primary SAN-based storage costs $35,000, while CryptoStor for Tape (in either of two versions, for SCSI tape or Fibre Channel) costs $20,000. The appliances have been shipping since March 2003.

Deployment Decisions

Setting up both appliances was easy.
From the moment the box is opened, one gets the impression that there will be no unwelcome surprises, thanks to NeoScale's attention to detail. A JumpStart packet laid out the process, and complete administrative and technical documentation was also available on a CD. The only big decision is where to position the CryptoStor box in the data flow. On Fibre Channel networks, the 2U rackmount CryptoStor FC can be deployed in multiple scenarios. Most commonly, the box is inserted between the fabric and the storage disk array or tape library. Rules can then be constructed to specify which data is encrypted from what host to what device, and the appliance can also perform firewall functions such as blocking specific host-to-storage-device communications and SCSI commands. Alternatively, the CryptoStor FC can be inserted into the middle of the fabric, or even at the originating host under rare circumstances. Since the appliance encrypts just block data, it will support storage virtualization as well. No matter where it is deployed, CryptoStor FC is invisible to the network. It does not expose a new address in the Fibre Channel data traffic, nor does it require any RPC daemons that could be exploited.
The CryptoStor for Tape Fibre Channel unit would typically be installed in front of the target FC tape system or FC-to-SCSI bridge. The SCSI unit sits on a SCSI bus with the SCSI library target. Either way, this 1U rackmount unit is not transparent to the library, since it now appears as the new target to an initiator. Since the tape appliance does hardware compression prior to encryption (encrypted output is effectively incompressible, so the order matters), compression rates are maintained and there is no need to buy more tape.

Highly Manageable

We hooked up the wiring and performed basic IP network address setup through a command line interface to the CryptoStor console port. Although all of the configuration can be performed this way, we only spent one to two minutes using the command line and were then able to jump into the Web interface, accessing CryptoStor's integrated Web server securely from a browser. Smartcards provide authenticated access to the appliance through an integrated smartcard reader, permitting tasks to be based on administrative privilege. Setup prompts for the administrator have mainly to do with defining users, alerting, logging, and archiving security policies. The security officer has little more to do than write simple storage access or media encryption rules, as well as generate system and rule encryption keys. Depending on the appliance, rules are based on WWN, FC address, LUN, volume block range, SCSI command or backup application. The entire setup process takes less than half an hour, if the person setting it up does not have to research these attributes for rule creation. We liked the configuration interface, which was clearly organized and icon-based. One section displayed statistical information, another real-time traffic going through the box (by MAC address).
Creating storage rules to govern selective encryption on the CryptoStor FC was easy. We wrote a rule for a particular host group and storage targets. After creating the rule, we used a supplied utility to prepare the volume and make it available for encryption. Thereafter, all data going to the volume was encrypted, and all data pulled from it was decrypted. We noted that if the administrator deleted the rule, users could not access the data until the rule was restored. Similarly, the CryptoStor for Tape unit used the same configuration interface with fewer options; there are no firewall access rules, for example. The storage rule section was slightly different, to enable the creation of volume pools as well as to identify the backup application. We created an encrypted backup tape using Veritas' BackupExec and restored it without difficulty. We noted a nuisance with CryptoStor for Tape: if the target tape drive became permanently unavailable, CryptoStor had to be rebooted before the listing was updated, although this did not prohibit operation of the appliance. To prevent someone from secretly grabbing a tape and tampering with the data, NeoScale hashes each block. CryptoStor for Tape will detect tampering instantly and alert an administrator.

Under the Hood

NeoScale claims that CryptoStor FC encrypts at wire speed with nominal latency, which is something worth proving. To test this, we connected a CryptoStor FC box between two switches.
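The per-block integrity check for tape described above can be illustrated in working code. The following is an added example, not NeoScale's implementation or format: it protects each block with a keyed hash (HMAC-SHA256) rather than a plain hash, and binds the block's position and a volume label into the tag, so that a block that is modified, swapped with a neighbour, or copied in from another tape all fail verification. The key, block size, volume id and function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Constructed parameters for the example (not the appliance's own format):
# a 512-byte block and a per-volume label mixed into every tag.
BLOCK_SIZE = 512
VOLUME_ID = b"example-tape-volume-0001"  # constructed label, not a real volume


def block_tag(key: bytes, volume_id: bytes, index: int, block: bytes) -> bytes:
    """Keyed tag over one block.

    The volume id and block index are part of the MAC input, so a block copied
    from another tape, or moved to a different position on this tape, fails
    verification even though its bytes are individually intact.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(volume_id)
    mac.update(index.to_bytes(8, "big"))
    mac.update(block)
    return mac.digest()


def protect_blocks(key: bytes, volume_id: bytes, blocks: List[bytes]) -> List[Tuple[bytes, bytes]]:
    """Return (block, tag) records in the order they would be written to the medium."""
    return [(b, block_tag(key, volume_id, i, b)) for i, b in enumerate(blocks)]


def verify_blocks(key: bytes, volume_id: bytes, records: List[Tuple[bytes, bytes]]) -> List[int]:
    """Return the indices of blocks whose tag does not verify.

    hmac.compare_digest runs in constant time, so verification does not leak
    how many tag bytes matched.
    """
    bad = []
    for i, (block, tag) in enumerate(records):
        if not hmac.compare_digest(block_tag(key, volume_id, i, block), tag):
            bad.append(i)
    return bad


def demo() -> dict:
    key = os.urandom(32)  # example integrity key, generated fresh per run
    # Constructed sample data: four blocks with recognisable content.
    blocks = [bytes([b]) * BLOCK_SIZE for b in (0x41, 0x42, 0x43, 0x44)]
    records = protect_blocks(key, VOLUME_ID, blocks)
    results = {"clean": verify_blocks(key, VOLUME_ID, records)}

    # Case 1: one byte of block 2 is changed on the medium.
    modified = list(records)
    data, tag = modified[2]
    modified[2] = (data[:10] + bytes([data[10] ^ 0xFF]) + data[11:], tag)
    results["modified"] = verify_blocks(key, VOLUME_ID, modified)

    # Case 2: blocks 0 and 1 are exchanged together with their tags.
    swapped = list(records)
    swapped[0], swapped[1] = swapped[1], swapped[0]
    results["swapped"] = verify_blocks(key, VOLUME_ID, swapped)

    # Case 3: intact records, but presented as belonging to a different volume.
    results["wrong_volume"] = verify_blocks(key, b"other-volume", records)
    return results


if __name__ == "__main__":
    print(demo())  # {'clean': [], 'modified': [2], 'swapped': [0, 1], 'wrong_volume': [0, 1, 2, 3]}
```

A plain, unkeyed hash stored beside each block would only catch accidental corruption: anyone able to rewrite the block can rewrite its hash. The key is what lets the appliance raise an alert rather than merely notice a mismatch, and the index binding is what makes reordering detectable.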
We then used the Intel IOMeter with the TPC-D data set to read and write an assortment of traffic. The test consisted of one host reading and writing to multiple LUNs with over 20 unique data protection rules (Brocade switch, Windows multi-processor server, EMC CLARiiON array, and assorted JBODs). Our time trials indicated that for the data set used, CryptoStor FC performed at close to 99% throughput--not much impact to be bothered about. We examined more detailed test results provided by NeoScale, where port-to-port latency of the appliance is under 100 microseconds, regardless of the number of encryption rules. In the case of CryptoStor for Tape-SCSI, we noted speeds of up to 56 Mbytes per second for combined compression, encryption and data integrity. Depending on the compressibility of the data, this could equate to a top speed in excess of 80MB per second. In some cases, the appliance caching actually improves backup performance, according to the company.

Special Features

Since mixing encrypted and unencrypted data in the same partition would cause severe confusion, CryptoStor FC provides an offline disk preparation utility to initialize disks for use. The utility encrypts an existing data storage disk, block by block. Or, if there is a new disk awaiting the data, the utility more quickly encrypts the data during the disk copy operation.
Alternatively, the process can be automated online by mirroring the disk, encrypting the mirrored image, and then breaking the mirror. Automatic clustering is a valuable feature in CryptoStor. We set two CryptoStor units between switches and synchronized their system keys and policies. CryptoStor uses the IPSec protocol to communicate securely between cluster members. Any change to a policy or rule is instantly communicated across the cluster, and data write actions are suspended until a rule is completely replicated, erasing fears of getting out of sync. The only requirement is that storage rules cannot have overlapping block ranges. When we took down one CryptoStor, the remaining box handled the failover traffic. If disaster strikes, knocking out a CryptoStor appliance, the encrypted data is always retrievable through special Recovery Tool software. To test this on the Fibre Channel network, we created a small partition for encryption, noting the block range since we were not encrypting the entire disk. We then encrypted data onto it and turned off the appliance. Using the previously mentioned smartcard, an external card reader and the Recovery Tool, we were able to securely decrypt the disk. A similar test for recovering a CryptoStor for Tape volume worked well; we had to first copy the tape to a hard disk for decryption by the Recovery Tool and then write it back to the tape unencrypted. Then we could restore the data using regular means.

Administrative Details

Role-based administration made it possible for us to divide the responsibility among several people.
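The rule model the review describes in several places (encryption rules keyed on initiator WWN, target, LUN and block range; firewall rules that block particular host-to-device paths or SCSI commands; and the cluster requirement that storage rules never have overlapping block ranges) can be captured in a small policy evaluator. This is an added example, not NeoScale's rule schema or engine: the dataclass fields, the WWN values and the `reject_straddle` handling of an I/O that runs past a rule's range are assumptions constructed for illustration. It also shows why a deleted or host-restricted rule leaves data unreadable: an I/O that no rule covers is passed through untouched, so a reader gets raw ciphertext.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Example policy model for a CryptoStor-style appliance. The field names and
# values are constructed for illustration, not the product's own schema.


@dataclass(frozen=True)
class StorageRule:
    """Encrypt blocks [lba_start, lba_end] on one target LUN.

    hosts is the set of initiator WWNs the rule applies to; empty means any host.
    """
    name: str
    target_wwn: str
    lun: int
    lba_start: int
    lba_end: int
    hosts: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class FirewallRule:
    """Block an initiator/target pair, optionally only for given SCSI opcodes."""
    name: str
    host_wwn: str
    target_wwn: str
    blocked_opcodes: FrozenSet[int] = frozenset()  # empty means block every command

    def blocks(self, host: str, target: str, opcode: int) -> bool:
        return (self.host_wwn == host and self.target_wwn == target
                and (not self.blocked_opcodes or opcode in self.blocked_opcodes))


def overlapping_rules(rules: List[StorageRule]) -> List[Tuple[str, str]]:
    """Pairs of storage rules whose block ranges overlap on the same target LUN.

    Two closed intervals overlap exactly when each starts no later than the
    other ends; a policy with any such pair must be rejected before replication.
    """
    clashes = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_lun = a.target_wwn == b.target_wwn and a.lun == b.lun
            if same_lun and a.lba_start <= b.lba_end and b.lba_start <= a.lba_end:
                clashes.append((a.name, b.name))
    return clashes


def evaluate_io(fw: List[FirewallRule], storage: List[StorageRule],
                host: str, target: str, lun: int, opcode: int,
                lba: int, nblocks: int) -> str:
    """Decide what the appliance does with one I/O of nblocks starting at lba.

    Returns "deny" (firewall hit), "encrypt" (wholly inside one storage rule),
    "passthrough" (no rule touches it, so bytes flow unchanged) or
    "reject_straddle" (the example's own choice for an I/O crossing a rule edge).
    """
    if any(r.blocks(host, target, opcode) for r in fw):
        return "deny"
    last = lba + nblocks - 1
    hits = [r for r in storage
            if r.target_wwn == target and r.lun == lun
            and (not r.hosts or host in r.hosts)
            and r.lba_start <= last and lba <= r.lba_end]
    if not hits:
        return "passthrough"
    if len(hits) == 1 and hits[0].lba_start <= lba and last <= hits[0].lba_end:
        return "encrypt"
    return "reject_straddle"


# Constructed WWNs and a sample policy (not real devices).
TARGET = "20:00:00:00:00:00:00:01"
HOST_A = "10:00:00:00:00:00:00:0a"
HOST_B = "10:00:00:00:00:00:00:0b"

STORAGE_RULES = [
    StorageRule("db-volume", TARGET, lun=0, lba_start=0, lba_end=999_999,
                hosts=frozenset({HOST_A})),
    StorageRule("archive", TARGET, lun=1, lba_start=0, lba_end=499_999),
]
FIREWALL_RULES = [
    # Host B may read but not issue WRITE(10) (0x2A) or FORMAT UNIT (0x04).
    FirewallRule("no-writes-from-b", HOST_B, TARGET, frozenset({0x2A, 0x04})),
]

if __name__ == "__main__":
    print(overlapping_rules(STORAGE_RULES))                                   # []
    print(evaluate_io(FIREWALL_RULES, STORAGE_RULES, HOST_B, TARGET, 1, 0x2A, 10, 8))  # deny
    print(evaluate_io(FIREWALL_RULES, STORAGE_RULES, HOST_B, TARGET, 0, 0x28, 100, 16))  # passthrough
```

The `passthrough` result for Host B on LUN 0 is the code-level view of the review's observation that deleting a rule made the data inaccessible: nothing is blocked, but what comes back is ciphertext. `overlapping_rules` is the check a cluster member would run before accepting a replicated policy.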
We set up users with roles as user (just to monitor the system), system administrator (for system configuration), security officer (for creating policies), and disaster recovery officer (for system key recovery), with an additional option to require two-factor authentication. A single person can also serve multiple roles, if desired. Smartcards provide an easy-to-use authentication mechanism as well as the means to securely export keys and policies. For master key recovery, the system supports splitting the master key among different security officers and requiring a set number of those officers to inject their partial keys for recovery. We liked the fact that NeoScale made event logging, querying and alerting foolproof. If a pre-determined system event occurs, built-in alerting sends email to multiple addresses, and notifies an SNMP management system. Even if it is the system administrator who makes a change, it is not possible for him to either prevent or erase the automatic audit trail that is generated on the box; the audit log is secured. All log files can be exported in TXT or CSV format to support external reporting.

www.neoscale.com

Ken Phillips is a freelance reviewer and former contributing editor to eWeek and other computer industry publications. He can be reached at kphillips@fuzztech.com.