Marines put airtight security around data

Conventional wisdom about security emphasizes perimeter defenses such as firewalls, security gateways and intrusion-detection systems.

But for all that protection, an organization's central data may remain largely unguarded. Data may be encrypted in-flight as it traverses wide-area networks, but data resting in the typical storage subsystem is unencrypted. The data is there for the taking, whether the culprit is a successful intruder or a malicious insider. What should a security-minded government organization do?

Some federal officials are adding a layer of protection specifically for stored data. Among them is the Marine Corps.

Problem:

Protecting data at rest

The Marines have a tough challenge: They must protect data that could be at-risk even though it resides within the reasonably safe confines of a federal office building, and they must protect data stored at military outposts. As service officials expand computing resources into the field, preventing data from falling into the wrong hands has become a priority.

"Data at rest can be exploited," said Col. Robert Baker, commanding officer of the Marine Corps Network Operations and Security Command.

The Marines' objective is to protect data housed in locations on the frontlines. To do that, command officials have been testing a storage encryption appliance. This emerging class of data-protection technology adds another dimension to a defense-in-depth strategy. A host of security products focus on the network's edge, but encryption appliances secure data in network-attached storage (NAS) and storage-area network environments.

Solution:

Storage encryption

To address their data security concerns, the Marines evaluated Decru's DataFort E-Series storage security appliance. The product offers storage encryption and decryption, secure access controls, and authentication, among other features. DataFort can attach to rackmount servers and is available in one- or two-unit configurations. A unit can be up to 1.75 inches high, which is the amount of space available on one shelf of a multishelf rack for mounting computer equipment.

The Marines tested the one-unit version by encrypting data to be stored on a Network Appliance (NetApp) NAS system. The one-unit product measures 17 inches wide and 1.73 inches high and weighs just under 23 pounds. It supports 1 gigabit/sec throughput and costs at least $36,000.

Baker said the product worked well and met the service's security requirements. DataFort offers the strong Advanced Encryption Standard (AES) algorithm. This level of protection is important because, Baker said, the Marines intend to deploy DataFort while in harm's way.

Metrics:

Certified security

When the most important requirement is airtight security, many typical information technology metrics don't apply. To measure the level of encryption, a major metric is third-party validation. Decru has achieved the National Institute of Standards and Technology's certification for the company's 256-bit AES version of DataFort.

NIST officials have also certified Decru's Secure Hash Algorithm (SHA)-256 and SHA-1 products. In addition, Decru's full encryption and key management systems have been certified for compliance with Federal Information Processing Standard (FIPS) 140-2, Level 3, company officials said.

DataFort met some high standards, Baker said, citing FIPS compliance and the product's 256-bit AES encryption.

"This third-party validation has been instrumental in our adoption by the Marines Corps, as well as other government organizations," said Michele Borovac, Decru's director of marketing.

After checking for NIST and FIPS approval, customers typically put encryption appliances through a battery of tests. Although details of the Marines' DataFort tests aren't publicly available, Borovac said, the general points of measurement included performance, data integrity, key management and disaster recovery.

The Marines especially liked several features during their evaluation of the product. Among them was DataFort's CryptoShred Key Deletion. DataFort's approach is to encrypt sensitive data and store the encryption keys in secure hardware. If unwanted users breach a storage system, a Marine could press the appliance's red button to purge the key database stored locally in DataFort's Storage Encryption Processor.

That feature instantly deletes the keys, said Kevin Brown, Decru's vice president of marketing. The data in storage "stays on the disk, but without the keys, it is not possible to read the data, since it's in ciphertext," Borovac added.

Training:

Ease of use a priority

Despite its sophistication, DataFort is fairly simple to use, Baker said. In addition, the appliance fits the Marines' NetApp infrastructure well. "The way it works with NetApp is seamless," he said.

Ease of implementation is typical of appliances, said Jon Oltsik, senior analyst for information security at Enterprise Strategy Group. "That is the beauty of the appliance," Oltsik said. "The device is transparent to the storage and the network."

DataFort's simplicity provides another advantage: ease of operation. Baker said if he had to hire engineers to use the equipment, the solution would not have met the Marines' requirements. "Training and manpower issues are important," he said.

Oltsik said the amount of training for an encryption appliance varies based on the solution. Overall, "our research indicates that storage administrators are pretty weak when it comes to security knowledge," he said. "They may not need specific device training, but they should have some general security training."

Deployment:

Redundant systems

The Marines plan to use DataFort to encrypt data on NetApp FAS250 and FAS270 storage appliances, which they are deploying at several locations. During the past several months, more than 100 terabytes of storage have found their way into all the hot spots, said Mark Weber, vice president of NetApp's federal division. Smartronix, a solutions provider in California, Md., has conducted the field installations.

The NetApp appliances are primarily used to house Microsoft Exchange databases, Weber said. Separate appliances are installed within Marine compounds for use with classified and unclassified networks. Appliances are installed redundantly, with databases mirrored, or copied, across them. The configuration provides for disaster recovery, giving the Marines a continuity of operations plan in each compound.

Moore is a freelance writer based in Syracuse, N.Y.

***

Storage encryption options

Decru's DataFort is one of a handful of options for organizations seeking to protect data when it isn't in transit. Ingrian Networks, Kasten Chase, Neoscale Systems and Vormetric also offer storage encryption appliances.

Jon Oltsik, senior analyst for information security at Enterprise Strategy Group, places Decru, Kasten Chase and Neoscale in the same category. "Basically, [those vendors] provide security at the storage infrastructure layer," he said. "There are subtle differences between the three, but they all secure the bits within the storage."

Decru's DataFort product line covers network-attached storage, storage-attached networks (SANs) and tape, and tape only. Also, Decru, Network Appliance and Smartronix together offer a secure, turnkey storage solution: the Expeditionary Encrypted Data Store.

Kasten Chase offers Assurency SecureData, which officials recently announced is interoperable with IBM Tivoli's data compression and backup services.

Neoscale, meanwhile, provides CryptoStor FC for Fibre Channel and CryptoStor for Tape. A recent addition is the company's CryptoStor SAN virtual private network appliance. It encrypts Fibre Channel links that go across public fiber networks, according to the company. "Critical information is protected at all times when it flows outside the building," said Dore Rosenblum, NeoScale's vice president of marketing.

As for Vormetric, Oltsik said the company "provides storage security at the host and requires software on each host it protects." The approach, he said, is more difficult to set up but affords access control at the host and protects the storage by restricting hacker access at the host.

Ingrian, Oltsik added, protects storage residing at the database/ application layer. The company's DataSecure appliance allows "more flexibility and granularity of protection but requires modifications to applications and databases to do so," he said. "Ingrian's primary challenge is to make this as seamless as possible, and I believe it is doing a good job."

In a move toward simplification, Ingrian officials recently announced a new release of DataSecure that automates many of the tasks associated with database encryption, according to company officials. Karim Toubba, Ingrian's vice president of product management and marketing, said tasks that had been done manually are now handled automatically through a graphical user interface.

Industry executives said the storage encryption market tends to be niche-oriented. Mike Speiser, vice president of product marketing and product management in Veritas Software's data management group, said most customers don't ask for really strong encryption, noting that the exceptions tend to be in government and financial services.

Veritas launched Net Backup software products this year with 128- and 256-bit encryption. He said encryption may be more widely adopted because today's algorithms run faster than their predecessors.