Off-site storage is one of the challenges of the IT world. You want to keep data secure, and the best place for it is on site, but you also want that data off-site for disaster recovery purposes. The question is how to keep the data secure once it leaves the confines of the data center.
When data travels off site, the safest means of securing it is encryption. The problem is finding an efficient, practical and manageable way of doing it. In the past the answer has been to use software-based encryption systems, but now there is another way: a hardware encryption system from UK-based Digital Interactive Solutions (DIS), designed for one purpose and one purpose only, to encrypt data written to backup tape.
Founded in 1989, DIS is headed by Paul Howard, a veteran of the storage and encryption industry who, before starting the company, worked for numerous defense-related contractors on storage solution technologies. DIS, a small, low-profile company with some large high-profile clients, was approached by a Swiss banking consortium seeking a product that provided on-the-fly encryption for tapes that were to be transported and stored off-site. With no product of the type available, DIS's solution was to develop Paranoia, a single-box intermediary encryption system.
One of the slickest aspects of the Paranoia system is its ease of installation and configuration. The device, which is available in a free-standing or rack-mount version, sits between the system and the tape drive and uses a standard Fast Wide SCSI interface for both the input and output connections. When the connected tape device is powered on, the Paranoia detects the SCSI ID of the device and essentially tricks the system into thinking that the Paranoia is the drive. Data is sent from the system, through the Paranoia, to the drive. Neither the system nor the drive is aware of the Paranoia's existence.
The unit provides a real-world throughput of 9.5MB/s, which is lower than advertised speeds of backup systems but, DIS say, in line with realized speed on many systems. DIS put the high throughput down to years of experience optimizing tape drive systems. The encryption process very slightly increases the size of the data blocks written to the device, which is one reason why the Paranoia only works with tape drives and not hard disks. The former has a variable sector size while the latter's is fixed.
Configuration of the Paranoia is performed through a null-modem serial connection and Windows-based configuration software. Once the device has been initially configured with the client's encryption key, nine levels of DES and 3DES encryption are available. It's also possible to disable encryption altogether, in which case the Paranoia pipes data straight to tape.
According to DIS, not only is the Paranoia faster than software-based systems, it is also more secure because it relies on a code key chip embedded in the device and a code key supplied by the customer. Only a device with the same code key chip and the right customer code key can be used to decrypt an encrypted tape. For this reason, DIS can provide multiple devices with the same key chip to facilitate off-site restores. When asked if the dependence on a single chip could cause problems in the event of failure, Howard had the following: "A replacement chip is supplied with the unit and can be swapped in as easily as any other component." Failures are not a big issue for DIS, who say that they are yet to have a single unit fail in the field.
As well as encrypting data for safe transit between sites, DIS customers also use the Paranoia in situations where they need to avoid accidental or intentional viewing by employees. This is a situation that many organizations find themselves in when sharing a central data repository between departments and divisions.
The nature and purpose of the Paranoia make DIS cagey about revealing clients' names, which is perhaps understandable. "Suffice to say that our clients include a variety of household names from the Banking, Investment, Petrochemical and Medical sectors. Basically, anyone who has something that they don't want others to see," says Howard. Talking to him, you get the impression that there are other, larger clients that he doesn't want to discuss as well. DIS are also keen to expound on the fact that most clients come to them rather than the other way around.
At $16,500, the Paranoia is not an inexpensive solution, though as Howard points out, the tag rarely fazes customers. "Customers who show an interest in the Paranoia are generally not concerned with the price. It's the kind of product you either need or you don't." As for the future, DIS are working on a Fibre-Channel version of the Paranoia to allow more flexible solutions.
With a low company profile, anonymous clients and a "help you buy, rather than sell" mentality, DIS's Paranoia may be one of the best-kept secrets of the storage industry. Or perhaps that's the data on the tapes written with it.
For more information on the Paranoia, visit http://www.digital-interactive.co.uk