Integrated Systems Corp. (ISCorp) provides a wide range of on-demand applications and data processing solutions to customers in the financial services, healthcare and education markets. And much of the 10 terabytes of data that flows through ISCorp's systems and gets stored each week is sensitive.
So it was imperative to company Executive Vice President and Chief Technology Officer Scott Rodenhuis that ISCorp have a risk mitigation plan in place, to properly protect both active and stored ("at rest") data. A key component of that plan involved encrypting backup tapes before they went off site.
"We work pretty closely with our clients and their audit and IT security groups," says Rodenhuis. "And over the last couple of years, we saw increasing interest in and requirements for encryption of data at rest, and in particular the backup tapes that went off site. It's become kind of a de facto standard that our clients are looking for in anyone that is providing services for them and handling their data in any way."https://o1.qnsr.com/log/p.gif?;n=203;c=204660765;s=10655;x=7936;f=201812281308090;u=j;z=TIMESTAMP;a=20400368;e=iThose client requirements as well as emerging industry-related security requirements drove ISCorp back in late 2005 to search for a top-quality data encryption solution for tape as well as disk. After evaluating a number of different encryption approaches and vendors, Rodenhuis and his team chose the DataFort FC-Series from Decru, a NetApp company that specializes in tape and disk-based storage security solutions.
"What interested us about the DataFort solution was that it was fairly easy to implement and to migrate onto," says Rodenhuis. "It also provided a separation of data from the keys that encrypt and decrypt the data. And it was able to encrypt both our tapes and data on disk. The other solutions didn't do that."
ISCorp installed the DataFort FC-Series, which supports 2 GB Fibre Channel for disk and tape, last fall, and so far the appliance has lived up to expectations, helping the company to encrypt and decrypt terabytes of sensitive data stored on tape and disk each week.
"It's a good tool that allows us to easily encrypt a lot of data and ensure that if anything goes off site, whether it's a tape or a disk that failed, the data is in an encrypted state that cannot be decrypted and accessed inappropriately," says Rodenhuis. His only complaint: he wishes DataFort would integrate more tightly with some of his backup software (ISCorp uses EMC NetWorker), so that they could specify at the file or directory level what needs or doesn't need to be encrypted.
Still, the added measure of security that DataFort provides ISCorp reassures ISCorp's customers that the company is doing whatever is necessary to protect their sensitive data, which is good if not essential for business.
ISCorp is just one of many companies that have turned to Decru to help them mitigate risk. And each one presents a unique encryption challenge. "Some of them have got eight different storage vendors, four different kinds of storage networks, 12 different operating systems and 423 applications," says Kevin Brown, Decru's vice president of marketing, only partially in jest.
"It's quite a challenge to come up with a plan to secure all that," he says. "And some of them, like Integrated Systems Corp., not only have to protect their own data but their customers' data too. It's what we call cascading compliance where all of those security requirements that affect a major bank or healthcare company are being pushed down the supply chain."
That's why Decru came up with its DataFort series of storage security appliances. "We built an appliance that's meant to be a turnkey device that can sit in the network and interact with essentially all of that data that's already there and new data coming in, with no disruption to servers, applications or workflow," says Brown. "By putting a device on the network and speaking the native storage protocols, we're able to invisibly insert ourselves into the middle of that data stream, so we can encrypt the data already in place and then from there on forward make sure all the data is stored securely."
The DataFort appliance is totally configurable and can be installed in two basic ways, directly inline or attached to a fabric switch.
"The inline approach is simple," says Brown. "You basically plug one cable in and one cable out, so we would intercept the data as it goes over the wire and would handle all the encryption and access controls and key management. In Fabric Switch-attached mode, you would essentially connect us to your switch and then use features like zoning to logically decide which of your thousands of buckets of data are the 10 or the 100 or the 200 that you want to encrypt. And only those would go through our box. So you would essentially re-route selective traffic through our box and everything else would keep going through your switches as it always has."
In addition to its FC Series, Decru has DataFort storage security appliances that support CIFS, NFS and iSCSI connectivity as well as SCSI tape environments, all of which provide wire-speed encryption, access controls, authentication and automated key management in a unified platform. Additional software is available to automate key archiving, clustering and failover, and endpoint security.
Finding the Right Solution
While DataFort may be a good encryption solution for many companies, particularly those with terabytes of sensitive data, it's not necessarily for everyone. Before making a purchasing decision, ISCorp's Rodenhuis advises, "Be sure that you understand your storage and throughput requirements and go through them in detail with [each vendor], to make sure that you have the capacity and capabilities that you're looking for." He also advises companies to think about all of that in relationship to their high availability and disaster recovery requirements.
"We went through significant research and discussions with Decru engineering before we did our deployment," he says. "And then we went through a process of validation and testing for about six weeks after we got the product, to make sure it was going to deliver the capabilities that we wanted. As a result, we have not had any major problems."