Tales from 'De Crypt'
You can't be too careful these days when handling other people's data. Leaks are exposed ruthlessly in the press, shareholder confidence is eroded, and customers wonder if they should move their business elsewhere. That's why more and more firms are turning to encryption technology.
To avoid being tomorrow's headline horror story, companies are beginning to realize that data encryption is becoming yet another cost of doing business. If you access customer or confidential client information of any kind, you have no alternative but to fully safeguard that data.
"Security is finally getting attention, but still not enough," says Steve Duplessie, founder and senior analyst at Enterprise Strategy Group. "Privacy issues are going to ultimately mandate that all data that you care about has to be encrypted and that will cause big issues all over IT."
Payformance Corp. of Jacksonville, Fla., is one company that's already answered the wake-up call. The company offers software applications that allow companies to print MICR laser checks, statements, invoices and other documents in house. The bulk of its customers are in healthcare and finance, and to do business, they have to trust Payformance with confidential financial information.
"Confidentiality is a big priority for our customers," says George Betancourt, security officer at Payformance. "They are very concerned about security and privacy of the sensitive data they entrust to us."
In addition to payment-related data, the company also deals with protected health information (PHI), whose protection is mandated under the Health Insurance Portability and Accountability Act (HIPAA).
"Some customers have to send us some PHI, such as lab results or personal health information," says Betancourt. "Naturally, they expect us to be totally buttoned up."
The company initially tested the Encrypting File System (EFS) that is part of Windows Server 2003. Betancourt reports, however, that because of the way the company processes files, this system took too long to encrypt the data.
"We weren't happy with the performance with the encrypted file system," he says. "Although it took less than an hour, it put customers on hold."
NeoScale Stands Out
The IT department then evaluated various solutions available on the market, and CryptoStor by NeoScale Systems of Milpitas, Calif., emerged from the pack. The fact that CryptoStor was certified by EMC Corp. made a big difference in the selection process, says Betancourt. The company operates a 2TB EMC CLARiiON CX500-based SAN that it purchased through Dell. Its switches are made by McData, and the Fibre Channel (FC) cards are manufactured by QLogic.
Payformance operates CryptoStor FC in the SAN. Two units are installed for failover purposes, since no downtime of any kind is permitted with the SAN. The NeoScale units are plugged into the SAN fabric itself. Any time information is saved to the SAN, it passes through the devices, gets encrypted and then is fed to the SAN arrays. 256-bit encryption is used.
"Everything on the SAN is encrypted," says Betancourt. "Rather than try to distinguish the sensitive from the non-sensitive, we decided to just encrypt everything."
NeoScale CryptoStor FC storage security appliances deliver wire-speed security of SAN-attached disk arrays without requiring complex host agents or re-mapping of storage devices. The product enforces policies for primary storage access control and data-at-rest encryption. Payformance ran tests before and after CryptoStor installation to see how much of a performance hit took place. The tests revealed no performance or latency issues.
On the backup side of the equation, Payformance runs Veritas Backup Exec 10 from Symantec. Data is backed up to a Dell PowerVault 132T tape library that holds up to 20 tapes. Although data is backed up onsite, it is moved to a secure offsite location. As a result, the company has installed another CryptoStor Tape unit to encrypt tape backups. Why no failover for the tape backup?
"A risk assessment determined that it would be OK to not have failover in this case," says Betancourt. "In the case of a failure, we would halt backups until it was repaired."
Next year, he says, Payformance plans to add another NeoScale unit at a data recovery site. In this case, two units will be configured for failover.
Article courtesy of Enterprise IT Planet