Patent Pending: New storage models increase accessibility, raise security issues

Until recently, data security was provided as a function of system or network security. This reflected the traditional view of the server operating system as the center of an information technology universe.Storage devices were cast in the role of simple peripheral devices, directly attached to a server and accessed via the server across a network interconnect. It followed that security of server-controlled data was the job of server security. If the server was attached to a network, responsibility for data security extended beyond the server operating system to firewalls, virtual private networks, network key encryption approaches and other method to protect networked servers.Now, however, new models have emerged in which storage devices are increasingly detached from server control to form a highly accessible storage infrastructure of their own, raising questions regarding the proper location for data security.The increasing accessibility of networked storage topologies, such as storage area networks and network attached storage, is translating into new risks to data that are poorly served by older protective measures, according to Aseem Vaid, chief executive officer and co-founder of two-year old enterprise storage security vendor NeoScale Systems Inc., Milpitas, Calif.Vaid believes networked storage creates the need for specialized data security service, such as that offered by his company's Stateful Storage Processing media privacy technology. NeoScale has implemented this technology in its first product offering, a storage security appliance called CryptoStor FC, which is aimed at securing data in a Fibre Channel switched fabric, often called a storage area network.The CryptoStor appliance installs "wherever it makes sense" within the data path between storage devices and the servers that access them. There, the appliance encrypts data as it is written into blocks on the target storage device. Vaid said this process, which uses "federal class superDES algorithms that can be applied selectively based on user-defined data security policies or other criteria," occurs at wire speed and does not slow down data transfers. NeoScale's security appliance is just a "bump in the wire."When encrypted blocks are requested from a CryptoStor-protected storage device, the process works in reverse and data is decrypted on the fly for delivery to authorized requesters. Vaid suggests that this "single-ended" approach has the merit of avoiding the hassles of key encryption systems in which both communicating ends must be equipped with compatible encryption and decryption technologies.Vaid said the technology is applicable wherever data is being entrusted to networked storage topologies for enhanced sharing. However, he said NeoScale is focusing on industry segments with "high sensitivity to data privacy, such as government, finance, health care, service providers and manufacturing."The company is working to establish its silicon-based storage security technology as a complementary product that enhances security features being developed by Fibre Channel switch makers. At present, the only alternative to the NeoScale appliance approach is to rely on every application software vendor to write an encryption technique directly into its software."The problem with a software-based approach is that people can't afford the additional processors or the processing cycles that would be consumed to implement such a strategy," he said.Storage security has special requirements, he said, that aren't going to be served well solely by network security standards, such as IPsec, the Internet security protocol favored by the Internet Engineering Task Force. "It will be a long wait before a standard means for securing storage becomes available in the market," he said. For now, there is NeoScale. is an independent consultant and author of more than 1,000 articles and 12 books. If there is an emerging technology you would like Jon to look at, contact him through or via e-mail at .