Just a few short years ago, the storage industry buzz was all about security. Startups like Decru, NeoScale and Kasten Chase were all the rage with their revolutionary concept that stored data should actually be secured.
But instead of surging to dominance, these storage security specialists are history, either acquired or out of business (see nCipher Scoops Up NeoScale). And in the interim, just about every major vendor has rolled out its own form of encryption technology. So the question is, have standalone storage security vendors gone the way of the dodo bird and 8-track tapes?
“The challenge for most enterprises is that information is found literally everywhere, and many businesses are having difficulty even knowing where to start in pursuing a strategy to mitigate information risks,” said Scott Crawford, an analyst at Enterprise Management Associates. “This, however, is also why security is becoming an aspect of storage systems themselves, and why customers are seeking more integrated solutions.”
Crawford won’t go so far as to say that the standalone crowd is dead in the water, however. He says to look out for storage security pure plays that excel in one or more areas that are either of value to the enterprise or are not yet candidates for acquisition — but could be some day.
“nCipher, for example, continues to offer a range of solutions not just in crypto, but in key management, which is of particular value to businesses that must rationalize a variety of approaches to encryption,” said Crawford. “As encryption continues to proliferate, key management may well become of much higher interest to major vendors. Because of the relationship of encryption to identity and authentication, vendors with interest across storage and information management as well as security and identity would be expected to take a closer look at that segment.”
On the other hand, Greg Schulz, senior analyst and founder of StorageIO Group, thinks the window is closing on standalone storage security and software security appliance vendors, particularly those that don’t have key OEM agreements.
“This is not to say that the role of standalone security appliances and standalone security software for storage vendors goes away; similar to LAN networking and application servers, there remains a need for the functionality,” said Schulz. “However, without true OEMs or consolidation or becoming part of a larger portfolio or solution offering, storage-centric vendors who are focused on just one window of opportunity are finding the window blinds to be pulled down and nobody at the OEMs’ homes, unless they already have those arrangements in place.”
Moosa Matariyeh, a storage specialist at CDW Corp., believes there is room for the standalone specialists, though he points out that a transition is occurring in the marketplace. Following the incorporation of encryption technology into LTO-4 tape, he expects similar integration of encryption directly into disk arrays. But that will only be on the newest gear. Production environments will continue to employ an abundance of units that are not fitted with this technology. And that will keep the standalone encryption appliance market going for some time. But before long, standalone vendors will have to decide whether to ally with storage and tape manufacturers to produce their products, or perhaps look to be acquired. Maybe a few will even make acquisitions of their own to expand their product offerings.
“Gartner estimated that by the end of 2007, 80 percent of Fortune 1000 companies would encrypt their data,” said Matariyeh. “We expect this to move down market from the Fortune 1000 into the SMB market. No organization, of any size, wants to be in the news for compromising privileged information.”
Quantum Corp. is one of the big vendors that has pushed forward with its own technology, effectively pulling the rug out from niche storage vendors in recent years. It has rolled out de-duplicationand encryption in recent months, for example. It sees the market largely turning away from the standalones, although appliance makers may last a little while longer.
“Encryption appliances meet a certain need, especially for those companies that must have the highest level of FIPS certification, are in the most highly regulated industries, and have the budget to support it,” said Robert Callaghan, senior product manager for Security and Enabling Solutions at Quantum. “We will continue to support compatibility with these appliances, but believe the trend is headed towards the embedded native encryption model, and of course centralized and cohesive standards-based key management.”
He sees security becoming an embedded feature of most storage solutions, and therefore much more cost-effective for customers. Quantum’s approach is to secure data “in-flight.” For example, it provides encryption protection of that data when it is written to tape media, since that data may then leave the security of the library and data center. This also includes ensuring the encrypted data can be recovered again for archive or disaster recovery purposes via centralized key management.
“We currently provide embedded solutions that encrypt data on tapes, such as the native encryption technology found in LTO-4 tape drives, or encrypting replicated data between our DXi-Series disk backup and data de-duplication systems,” said Callaghan.
One Size Fits All
The consensus, then, appears to be that even the best-positioned storage security specialists won’t stay independent forever.
“The challenge for standalone storage security vendors is that, in order for security to be optimally effective, it must extend to every aspect of the company,” said Mike Karp, an analyst with Enterprise Management Associates. “For the last year or so it has become increasingly apparent that the holy grail of security is single sign-on.”
That is to say, one solution must fit all, which is a real challenge, and no one has really found a way to do this yet, even among the largest vendors. But that’s what the market ultimately wants.
Karp anticipates that the solution will have to encompass more than security and storage — perhaps something like the Configuration Management Database (CMDB) of the IT Infrastructure Library (ITIL), or a similar development that provides enterprise-wide federation. If this sort of hierarchical security structure is implemented, the layers below the security database will include security for storage, security for networking, and so on, all of which feed upstream to the central security database.
But there is hope for the little guys. The major players typically are focused on what is known and well understood. Around the fringes stand the more nimble upstarts envisioning new threats and new tomorrows.
“Regardless of whether it’s storage or any other aspect of security, the nature of the market suggests that there will always be pure plays no matter what the focus,” said Crawford. “As threats continue to evolve, new solutions will emerge to address those threats.”
And no doubt the cycle will continue. Those with promise will flourish briefly and be acquired by portfolio vendors seeking to flesh out a more complete story, and then the cycle will start anew as new opportunities arise. It’s the way the technology world goes ’round.