CryptoStor secures vital data.


Data storage security, long avoided as a sinkhole for mission-critical service performance, warrants fresh attention. In independent tests, a pair of products from NeoScale Systems, Inc. (CryptoStor FC and CryptoStor for Tape) sealed up data in primary and secondary storage by encrypting it at maximum speed--transparently and without creating a management burden. Add a Fibre Channel firewall, hardware-based tape data compression and integrity checking, clustering made simple, automated off-site storage and disaster recovery capabilities, and the pair answers multiple storage security exposures.

Organizations of all sizes, from enterprises and agencies with Fibre Channel Storage Area Networks (FC SANs) down to businesses using direct-attached SCSI tape drives, can protect their data-at-rest through CryptoStor, keeping it out of the hands of employees, service personnel and hackers alike who have no rights to the information. The NeoScale Systems appliances add data protection not covered by other products that encrypt data-in-flight between hosts and storage but leave it exposed in storage.

We found the products so easy to install and configure that managers won't have to sweat deployment. CryptoStor FC is totally invisible in FC SANs, while CryptoStor for Tape functions as a plug-n-play backup proxy.

Both CryptoStor models encrypt data using the standard triple DES or AES algorithms at the block level, preserving transport information to ensure compatibility with leading applications, switches, storage devices and backup systems. CryptoStor for Tape works with tape backup software from Veritas, Legato, HP and Computer Associates (Tivoli TSM is slated for support in a future release, according to the vendor).

CryptoStor FC for primary SAN-based storage costs $35,000, while CryptoStor for Tape (in either of two versions, for SCSI tape or Fibre Channel) costs $20,000. The appliances have been shipping since March 2003.

Deployment Decisions

Setting up both appliances was easy. From the moment the box is opened, one gets the impression that there will be no unwelcome surprises, due to NeoScale's attention to detail. A JumpStart packet laid out the process, and complete administrative and technical documentation was also available on a CD.

The only big decision is where to position the CryptoStor box in the data flow. On Fibre Channel networks, the 2U rackmount CryptoStor FC can be deployed in multiple scenarios. Most commonly, the box is inserted between the fabric and the storage disk array or tape library. Rules can then be constructed to specify which data is encrypted from what host to what device, and the appliance can also perform firewall functions such as blocking specific host to storage device communications and SCSI commands.

Alternatively, the CryptoStor FC can be inserted into the middle of the fabric, or even at the originating host under rare circumstances. Since the appliance encrypts just block data, it will support storage virtualization as well.

No matter where it is deployed, CryptoStor FC is invisible to the network. It does not expose a new address in the Fibre Channel data traffic, nor does it require any RPC daemons that could be exploited.

The CryptoStor for Tape Fibre Channel unit would typically be installed in front of the target FC tape system or FC-to-SCSI bridge. The SCSI unit sits on a SCSI bus with the SCSI library target. Either way, this 1U rackmount unit is not transparent to the library, since it now appears as the new target to an initiator. Since the tape appliance does hardware compression prior to encryption, compression rates are maintained and there is no need to buy more tape.

Highly Manageable

We hooked up the wiring and performed basic IP network address setup through a command line interface to the CryptoStor console port. Although all of the configuration can be performed this way, we only spent one to two minutes using the command line and were then able to jump into the Web interface, accessing CryptoStor's integrated Web server securely from a browser.

Smartcards commonly provide authenticated access to the appliance through an integrated smartcard reader, permitting tasks to be based on administrative privilege. Setup prompts for the administrator have mainly to do with defining users, alerting, logging, and archiving security policies. The security officer has little more to do than write simple storage access or media encryption rules and generate system and rule encryption keys.

Depending on the appliance, rules are based on WWN (World Wide Name), FC address, LUN, volume block range, SCSI command or backup application. The entire setup process takes less than half an hour, if the person setting it up does not have to research these attributes for rule creation.

We liked the configuration interface, which was clearly organized and icon-based. One section displayed statistical information, another the real-time traffic going through the box (by MAC address). Creating storage rules to govern selective encryption on the CryptoStor FC was easy. We wrote a rule for a particular host group and storage targets. After creating the rule, we used a supplied utility to prepare the volume and make it available for encryption. Thereafter, all data going to the volume was encrypted, and all data pulled from it was decrypted. We noted that if the administrator deleted the rule, users could not access the data until the rule was restored.
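To make the rule model concrete, here is an added illustration (not NeoScale's code and not from the review) of how an in-line proxy can match each block I/O to a rule keyed by initiator WWN, target WWN, LUN and block range, apply encrypt, pass-through or firewall-block actions, reject overlapping block ranges on the same path (the constraint the clustering section notes), and show why deleting the rule leaves the host reading ciphertext. Assumptions: 512-byte blocks, constructed WWNs and keys, unmatched traffic passes through untouched, and an HMAC-SHA256 counter-mode keystream standing in for the appliance's AES/3DES.

```python
import hashlib
import hmac
from dataclasses import dataclass

BLOCK_SIZE = 512  # assumption: 512-byte SCSI blocks


@dataclass(frozen=True)
class Rule:
    """One storage rule: the host/target/LUN/block range it covers and what to do."""
    initiator_wwn: str   # host HBA World Wide Name
    target_wwn: str      # storage port World Wide Name
    lun: int
    first_block: int
    last_block: int      # inclusive
    action: str          # "encrypt", "clear" (pass through) or "block" (firewall drop)
    key: bytes = b""     # rule encryption key, used only when action == "encrypt"


class PolicyError(ValueError):
    """Raised when a new rule would overlap an existing one on the same path."""


def _keystream(key: bytes, target_wwn: str, lun: int, block: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream bound to target/LUN/block.
    A stand-in for the appliance's AES/3DES block encryption; this is not AES."""
    out, ctr = b"", 0
    while len(out) < BLOCK_SIZE:
        out += hmac.new(key, f"{target_wwn}|{lun}|{block}|{ctr}".encode(), hashlib.sha256).digest()
        ctr += 1
    return out[:BLOCK_SIZE]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class CryptoProxy:
    """In-line proxy between fabric and storage that matches each I/O to a rule."""

    def __init__(self):
        self.rules = []

    def add_rule(self, rule: Rule) -> None:
        for r in self.rules:   # no overlapping block ranges on the same initiator/target/LUN path
            same_path = (r.initiator_wwn, r.target_wwn, r.lun) == (rule.initiator_wwn, rule.target_wwn, rule.lun)
            overlap = rule.first_block <= r.last_block and r.first_block <= rule.last_block
            if same_path and overlap:
                raise PolicyError(f"blocks {rule.first_block}-{rule.last_block} overlap {r.first_block}-{r.last_block}")
        self.rules.append(rule)

    def remove_rule(self, rule: Rule) -> None:
        self.rules.remove(rule)

    def _match(self, initiator, target, lun, block):
        for r in self.rules:
            if (r.initiator_wwn, r.target_wwn, r.lun) == (initiator, target, lun) and r.first_block <= block <= r.last_block:
                return r
        return None   # assumption: traffic with no rule passes through untouched

    def write(self, initiator, target, lun, block, data: bytes):
        """Host -> storage. Returns the bytes that land on disk, or None if firewalled."""
        rule = self._match(initiator, target, lun, block)
        if rule is None or rule.action == "clear":
            return data
        if rule.action == "block":
            return None
        return _xor(data, _keystream(rule.key, target, lun, block))

    def read(self, initiator, target, lun, block, stored: bytes):
        """Storage -> host. Returns what the host sees, or None if firewalled."""
        rule = self._match(initiator, target, lun, block)
        if rule is None or rule.action == "clear":
            return stored
        if rule.action == "block":
            return None
        return _xor(stored, _keystream(rule.key, target, lun, block))


def demo() -> dict:
    # Constructed WWNs, key and payload for the walkthrough.
    host, rogue, array = "10:00:00:00:c9:aa:bb:01", "10:00:00:00:c9:aa:bb:02", "50:06:01:60:00:00:00:01"
    key = hashlib.sha256(b"constructed demo rule key").digest()
    proxy = CryptoProxy()
    payroll = Rule(host, array, 0, 0, 1023, "encrypt", key)
    proxy.add_rule(payroll)
    proxy.add_rule(Rule(rogue, array, 0, 0, 1023, "block"))   # firewall rule: rogue host may not reach LUN 0
    try:
        proxy.add_rule(Rule(host, array, 0, 512, 2047, "clear"))   # overlaps the payroll rule
        overlap_rejected = False
    except PolicyError:
        overlap_rejected = True
    plain = b"payroll record 0001".ljust(BLOCK_SIZE, b"\x00")
    on_disk = proxy.write(host, array, 0, 7, plain)
    seen_by_host = proxy.read(host, array, 0, 7, on_disk)
    seen_by_rogue = proxy.read(rogue, array, 0, 7, on_disk)
    proxy.remove_rule(payroll)
    after_delete = proxy.read(host, array, 0, 7, on_disk)   # rule gone: raw ciphertext reaches the host
    return {"stored_encrypted": on_disk != plain, "round_trip": seen_by_host == plain,
            "rogue_blocked": seen_by_rogue is None, "readable_after_delete": after_delete == plain,
            "overlap_rejected": overlap_rejected}


if __name__ == "__main__":
    print(demo())
```

The keystream is bound to target, LUN and block number, so the same plaintext written to two blocks yields different ciphertext, and a block copied to another location does not decrypt there. Deleting the rule does not destroy the data on disk, but without the rule and its key the host only ever sees ciphertext, which matches the behaviour noted above.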

Similarly, the CryptoStor for Tape unit used the same configuration interface with fewer options; there are no firewall access rules, for example. The storage rule section was slightly different, to enable the creation of volume pools as well as to identify the backup application. We created an encrypted backup tape using Veritas' BackupExec and restored it without difficulty.

We noted a nuisance with CryptoStor for Tape: If the target tape drive became permanently unavailable, CryptoStor had to be rebooted before the listing was updated, although this did not prohibit operation of the appliance.

To prevent someone from secretly grabbing a tape and tampering with the data, NeoScale hashes each block. CryptoStor for Tape will determine tampering instantly and alert an administrator.
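An added illustration (my own code, not NeoScale's, and not from the review) of the tape-side pipeline described in the two passages above: each block is compressed first, then encrypted, then given a keyed integrity tag that also binds the block number, so a modified, reordered or replayed block is refused on restore. It also measures why compression must precede encryption. Assumptions: a constructed master secret, HMAC-SHA256 as both the keystream generator (a stand-in for the appliance's AES, not AES) and the per-block hash, and zlib standing in for the appliance's hardware compression.

```python
import hashlib
import hmac
import zlib


class IntegrityError(Exception):
    """Raised when a tape block's tag does not match its contents."""


# Constructed master secret; a real appliance keeps this on the box or smartcard.
MASTER = hashlib.sha256(b"constructed demo tape key").digest()
ENC_KEY = hmac.new(MASTER, b"encrypt", hashlib.sha256).digest()    # separate keys for
MAC_KEY = hmac.new(MASTER, b"integrity", hashlib.sha256).digest()  # encryption and tagging


def _keystream(key: bytes, block_no: int, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream, a stand-in for the appliance's AES (not AES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, f"{block_no}:{ctr}".encode(), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(block_no: int, ciphertext: bytes) -> bytes:
    # Binding the block number into the tag also catches reordered or replayed blocks.
    return hmac.new(MAC_KEY, block_no.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


def seal_block(block_no: int, plaintext: bytes):
    """Compress, then encrypt, then tag. Returns (ciphertext, tag)."""
    compressed = zlib.compress(plaintext)
    ciphertext = _xor(compressed, _keystream(ENC_KEY, block_no, len(compressed)))
    return ciphertext, _tag(block_no, ciphertext)


def open_block(block_no: int, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag before touching the data, then decrypt and decompress."""
    if not hmac.compare_digest(_tag(block_no, ciphertext), tag):
        raise IntegrityError(f"tape block {block_no} failed its integrity check")
    return zlib.decompress(_xor(ciphertext, _keystream(ENC_KEY, block_no, len(ciphertext))))


def write_tape(blocks):
    return [seal_block(i, b) for i, b in enumerate(blocks)]


def restore_tape(records):
    return [open_block(i, ct, tag) for i, (ct, tag) in enumerate(records)]


def _restore_fails(records) -> bool:
    try:
        restore_tape(records)
        return False
    except IntegrityError:
        return True


def demo() -> dict:
    # Constructed backup stream: 32 blocks of highly compressible account records.
    blocks = [b"".join(b"ACCT%05d,Smith,Jane,1200.00\n" % (n * 16 + i) for i in range(16)) for n in range(32)]
    tape = write_tape(blocks)
    # Tamper with one byte of block 5's ciphertext on the "tape".
    ct, tag = tape[5]
    tampered = list(tape)
    tampered[5] = (ct[:10] + bytes([ct[10] ^ 0x01]) + ct[11:], tag)
    # Swap two blocks without touching their bytes.
    swapped = list(tape)
    swapped[0], swapped[1] = swapped[1], swapped[0]
    # Why compress before encrypting: ciphertext has no redundancy left to squeeze out.
    compress_first = sum(len(c) for c, _ in tape)
    encrypt_first = sum(len(zlib.compress(_xor(b, _keystream(ENC_KEY, i, len(b))))) for i, b in enumerate(blocks))
    return {"restored_ok": restore_tape(tape) == blocks, "tamper_detected": _restore_fails(tampered),
            "swap_detected": _restore_fails(swapped), "compress_first_bytes": compress_first,
            "encrypt_first_bytes": encrypt_first}


if __name__ == "__main__":
    print(demo())
```

The tag is checked with a constant-time comparison before any decryption or decompression happens, so a corrupted block is rejected without feeding attacker-controlled bytes into the decompressor. The size comparison at the end shows the point made in the deployment section: encrypting first would make the backup roughly as large as the raw data, while compressing first keeps the tape savings.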

Under the Hood

NeoScale claims that CryptoStor FC encrypts at wire speed with nominal latency, which is something worth proving. To test this, we connected a CryptoStor FC box between two switches. We then used the Intel IOMeter with the TPC-D data set to read and write an assortment of traffic. The test consisted of one host reading and writing to multiple LUNs with over 20 unique data protection rules (Brocade switch, Windows multi-processor server, EMC Clariion array, and assorted JBODs).

Our time trials indicated that for the data set used, CryptoStor FC performed at close to 99% throughput--not much impact to be bothered about. We examined more detailed test results provided by NeoScale, which showed port-to-port latency of under 100 microseconds, regardless of the number of encryption rules.

In the case of CryptoStor for Tape-SCSI, we noted speeds of up to 56 Mbytes per second for combined compression, encryption and data integrity. Depending on the compressibility of the data, this could equate to a top speed in excess of 80MB per second. In some cases, the appliance caching actually improves backup performance, according to the company.

Special Features

Since mixing encrypted and unencrypted data in the same partition would cause severe confusion, CryptoStor FC provides an offline disk preparation utility to initialize disks for use. The utility encrypts an existing data storage disk block by block. If there is a new disk awaiting the data, the utility instead encrypts the data more quickly during the disk copy operation. Alternatively, the process can be automated online by mirroring the disk, encrypting the mirrored image, and then breaking the mirror.

Automatic clustering is a valuable feature in CryptoStor. We set two CryptoStor units between switches and synchronized their system keys and policies. CryptoStor uses the IPSec protocol to securely communicate between cluster members. Any aspect of a policy or rule is instantly communicated across the cluster, and data write actions are suspended until a rule is completely replicated, erasing fears of getting out of sync. The only requirement is that storage rules cannot have overlapping block ranges. When we took down one CryptoStor, the remaining box handled the failover traffic.

If disaster strikes, knocking out a CryptoStor appliance, the encrypted data is always retrievable through special Recovery Tool software. To test this on the Fibre Channel network we created a small partition for encryption, noting the block range since we were not encrypting the entire disk. We then encrypted data onto it and turned off the appliance. Using the previously mentioned smartcard, an external card reader and the Recovery Tool, we were able to securely decrypt the disk.

A similar test for recovering a CryptoStor for Tape volume worked well; we had to first copy the tape to a hard disk for decryption by the Recovery Tool and then write it back to the tape unencrypted. Then we could restore the data using regular means.

Administrative Details

Role-based administration made it possible for us to divide the responsibility among several people. We set up users with roles as user (just to monitor the system), system administrator (for system configuration), security officer (for creating policies), and disaster recovery officer (for system key recovery), with an additional option to require two-factor authentication. A single person can also serve multiple roles, if desired. Smartcards provide an easy-to-use authentication mechanism as well as the means to securely export keys and policies. For master key recovery, the system supports splitting the master key among different security officers and requiring a set number of those officers to inject their partial keys for recovery.
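The review does not say how NeoScale implements the split master key, so the following is an added example of the standard construction for "any k of n officers can recover it": Shamir secret sharing over a prime field, written here to illustrate the passage and not taken from the product. Assumptions: the field prime 2^521 - 1 (large enough for keys up to 64 bytes), a constructed 256-bit master key, and shares held as (officer index, value) pairs.

```python
import secrets

# Field prime: 2^521 - 1 (a Mersenne prime), comfortably larger than any key up to 64 bytes.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, modulo PRIME, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_master_key(key: bytes, officers: int, threshold: int):
    """Give each of `officers` security officers one share; any `threshold` of them can rebuild the key."""
    if not 1 <= threshold <= officers:
        raise ValueError("threshold must be between 1 and the number of officers")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key itself.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, officers + 1)]


def recover_master_key(shares, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares.
    With fewer than `threshold` shares the result is a random field element, not the key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME   # den^-1 by Fermat
    if secret >= 1 << (8 * key_len):
        raise ValueError("recovered value does not fit the key length; too few shares?")
    return secret.to_bytes(key_len, "big")


def _recovers(shares, master: bytes) -> bool:
    try:
        return recover_master_key(shares, len(master)) == master
    except ValueError:
        return False


def demo() -> dict:
    master = secrets.token_bytes(32)   # constructed 256-bit master key
    shares = split_master_key(master, officers=5, threshold=3)
    return {"three_of_five": _recovers([shares[0], shares[2], shares[4]], master),
            "other_three": _recovers(shares[1:4], master),
            "two_of_five": _recovers(shares[:2], master)}   # False: below the threshold


if __name__ == "__main__":
    print(demo())
```

Two shares reveal nothing about the key in an information-theoretic sense: every candidate key is consistent with them, which is why the "set number of officers" is enforced by the mathematics rather than by an access check that a single administrator could bypass.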

We liked the fact that NeoScale made event logging, querying and alerting foolproof. If a pre-determined system event occurs, built-in alerting sends email to multiple addresses, including an SNMP management system. Even if it is the system administrator that makes a change, it is not possible for him to either prevent or erase the automatic audit trail that is generated on the box; the audit log is secured. All log files can be exported in TXT or CSV format to support external reporting.
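The page does not describe how the audit log is secured against the administrator, so as an added example (my own, not NeoScale's) here is the usual way to make an on-box log tamper-evident: each entry commits to the hash of the previous one, and the newest hash is exported off the box with the alert traffic so that even truncation of the log is detectable. Assumptions: SHA-256 over canonical JSON, constructed actors and events, and an out-of-band copy of the head hash.

```python
import hashlib
import json

GENESIS = "0" * 64   # the "previous hash" of the very first entry


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, event: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "event": event, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]   # the head; ship it off-box (for example in the alert email or SNMP trap)

    def verify(self, expected_head: str = None) -> bool:
        """Recompute the chain. An off-box head additionally detects removal of the newest entries."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return expected_head is None or prev == expected_head


def _copy(log: AuditLog) -> AuditLog:
    clone = AuditLog()
    clone.entries = [dict(e) for e in log.entries]
    return clone


def demo() -> dict:
    # Constructed sequence of administrative events.
    log = AuditLog()
    log.append("sysadmin", "login via smartcard")
    log.append("secofficer", "created rule payroll-lun0")
    head = log.append("sysadmin", "deleted rule payroll-lun0")
    edited = _copy(log)                       # admin rewrites the incriminating entry in place
    edited.entries[2]["event"] = "viewed statistics"
    cut_middle = _copy(log)                   # admin removes the middle entry
    del cut_middle.entries[1]
    cut_tail = _copy(log)                     # admin removes the newest entry
    del cut_tail.entries[2]
    return {"intact": log.verify(head), "edit_detected": not edited.verify(head),
            "middle_delete_detected": not cut_middle.verify(head),
            "tail_delete_detected_on_box_only": not cut_tail.verify(),
            "tail_delete_detected_with_head": not cut_tail.verify(head)}


if __name__ == "__main__":
    print(demo())
```

Note the last two results: with only the on-box chain, deleting the most recent entries leaves a log that still verifies, because nothing after them commits to them. The exported head closes that gap, which is the defensive reason to route alerts and log exports to a system the appliance administrator does not control.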

www.neoscale.com

Ken Phillips is a freelance reviewer and former contributing editor to eWeek and other computer industry publications. He can be reached at kphillips@fuzztech.com.
COPYRIGHT 2003 West World Productions, Inc.

Title annotation: Security
Author: Phillips, Ken
Publication: Computer Technology Review
Date: Oct 1, 2003