CryptoStor secures vital data - Security

Computer Technology Review, Oct, 2003 by Ken Phillips

Data storage security, long avoided as a sinkhole for mission-critical service performance, warrants fresh attention. In an independent test, a pair of products from NeoScale Systems, Inc. (CryptoStor FC and CryptoStor for Tape) sealed up data in primary and secondary storage by encrypting it at maximum speed--transparently and without creating a management burden. Add a Fibre Channel firewall, hardware-based tape data compression and integrity checking, simple clustering, and automated off-site storage and disaster recovery capabilities, and the appliances answer multiple storage security exposures.

Organizations of all sizes, from enterprises and agencies with Fibre Channel Storage Area Networks (FC SANs) down to businesses using direct-attached SCSI tape drives, can protect their data-at-rest through CryptoStor, keeping it out of the hands of employees, service personnel and hackers alike who have no rights to the information. Use of the NeoScale Systems appliances adds data protection not covered by other products that encrypt data-in-flight between hosts and storage but leave it exposed in storage.

We found the products so easy to install and configure that managers won't have to sweat deployment. CryptoStor FC is totally invisible in FC SANs, while CryptoStor for Tape functions as a plug-n-play backup proxy.

Both CryptoStor models encrypt data using standard triple DES or AES algorithms at the block level, preserving transport information to ensure compatibility with leading applications, switches, storage devices and backup systems. CryptoStor for Tape works with tape backup software from Veritas, Legato, HP and Computer Associates (Tivoli TSM is slated for support in a future release, according to the vendor).

CryptoStor FC for primary SAN-based storage costs $35,000, while CryptoStor for Tape (in either of two versions, for SCSI tape or Fibre Channel) costs $20,000. The appliances have been shipping since March 2003.

Deployment Decisions

Setting up both appliances is easy. From the moment the box is opened, one gets the impression that there will be no unwelcome surprises, thanks to NeoScale's attention to detail. A JumpStart packet laid out the process, and complete administrative and technical documentation was also available on a CD.

The only big decision is where to position the CryptoStor box in the data flow. On Fibre Channel networks, the 2U rackmount CryptoStor FC can be deployed in multiple scenarios. Most commonly, the box is inserted between the fabric and the storage disk array or tape library. Rules can then be constructed to specify which data is encrypted from what host to what device, and the appliance can also perform firewall functions such as blocking specific host-to-storage-device communications and SCSI commands.

Alternatively, the CryptoStor FC can be inserted into the middle of the fabric, or even at the originating host under rare circumstances. Since the appliance encrypts just block data, it will support storage virtualization as well.

No matter where it is deployed, CryptoStor FC is invisible to the network. It does not expose a new address in the Fibre Channel data traffic, nor does it require any RPC daemons that could be exploited.

The CryptoStor for Tape Fibre Channel unit would typically be installed in front of the target FC tape system or FC-to-SCSI bridge. The SCSI unit sits on a SCSI bus with the SCSI library target. Either way, this 1U rackmount unit is not transparent to the library, since it now appears as the new target to an initiator. Since the tape appliance does hardware compression prior to encryption, compression rates are maintained and there is no need to buy more tape.
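The ordering point matters because well-encrypted data is indistinguishable from random bytes and no longer compresses. The following Go program is an added illustration, not NeoScale's code: it stands in AES-256-GCM for the appliance's cipher and DEFLATE for its hardware compression, and measures one constructed backup block stored both ways.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// compressBlock deflates one block of backup data (stand-in for hardware compression).
func compressBlock(block []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(block)
	w.Close()
	return buf.Bytes()
}

// encryptBlock seals data with AES-256-GCM, prepending the random nonce.
func encryptBlock(key, data []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(c)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, data, nil)
}

// CompareOrders returns the stored size of a block when it is compressed
// before encryption (the tape appliance's order) and when it is compressed
// after encryption, where the ciphertext looks random and does not shrink.
func CompareOrders(key, block []byte) (compressFirst, encryptFirst int) {
	compressFirst = len(encryptBlock(key, compressBlock(block)))
	encryptFirst = len(compressBlock(encryptBlock(key, block)))
	return
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                      // constructed demo key, not a real key
	block := bytes.Repeat([]byte("backup record 0001 "), 200) // constructed, highly compressible sample
	a, b := CompareOrders(key, block)
	fmt.Printf("block %d bytes: compress->encrypt %d, encrypt->compress %d\n", len(block), a, b)
}
```

The compress-then-encrypt output is a few dozen bytes, while the encrypt-then-compress output is slightly larger than the original block; a tape library doing its own compression downstream of an encryptor sees the second case.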

Highly Manageable

We hooked up the wiring and performed basic IP network address setup through a command line interface to the CryptoStor console port. Although all of the configuration can be performed this way, we only spent one to two minutes using the command line and were then able to jump into the Web interface, accessing CryptoStor's integrated Web server securely from a browser.

Smartcards provide authenticated access to the appliance through an integrated smartcard reader, permitting tasks to be separated by administrative privilege. Setup prompts for the administrator have mainly to do with defining users, alerting, logging, and archiving security policies. The security officer has little more to do than write simple storage access or media encryption rules and generate system and rule encryption keys.

Depending on the appliance, rules are based on WWN (Fibre Channel address), LUN, volume block range, SCSI command or backup application. The entire setup process takes less than half an hour, provided the person setting it up does not have to research these attributes for rule creation.

We liked the configuration interface, which was clearly organized and icon-based. One section displayed statistical information, another the real-time traffic going through the box (by MAC address). Creating storage rules to govern selective encryption on the CryptoStor FC was easy. We wrote a rule for a particular host group and storage targets. After creating the rule, we used a supplied utility to prepare the volume and make it available for encryption. Thereafter, all data going to the volume was encrypted, and all data pulled from it was decrypted. We noted that if the administrator deleted the rule, users could not access the data until the rule was restored.

Content provided in partnership with Thompson Gale