Italy Makes SANs Sicuro

The Italian government is using Decru's security appliance to encrypt its citizens' personal data

August 20, 2003

As Italy strives to make its famously bloated bureaucracy a bit simpler by putting a number of government services online, the country is turning to storage security startup Decru Inc. to ensure that its citizens' records remain safe and secure (see Italy Locks Down SAN With Decru).

The Italian government is working with telecom provider AGSM Telecomunicazioni to build a secure e-commerce infrastructure that will allow Italians to do everything from pay their taxes to order new electricity services over the Internet. While this initiative is bound to greatly improve communications among Italian city governments and the average uomo on the strada, it also poses a major threat to citizens' personal data.

AGSM Telecomunicazioni plans to make once difficult-to-access data easily available across a SAN. A wide range of applications will feed often highly sensitive information into the centralized SAN, increasing the availability of that data but also its exposure to data theft and unauthorized access to information like individuals' names, addresses, health records, and credit card and billing information.

"The Italian government wanted to move away from piles of paper to [allowing people] to do everything from paying taxes to enrolling their kids in school over the Web," says Joanna Shields, Decru's VP of Europe. "It was a pretty extensive project that they initially set aside because of security concerns... You can imagine the horror stories if someone got hold of this kind of data."

That's where Decru comes in, according to Marco Pissarello, manager of business development at AGSM Telecomunicazioni. Decru's storage security system "will ensure confidentiality of personal records and transactions, with the quality and reliability needed to support this initiative," he writes in an email.

Founded in 2001, Decru has built a security appliance aimed at encrypting data at rest. Using hardware-based key management, the company's DataFort FC520 appliance offers military-grade 256-bit Advanced Encryption Standard (AES) encryption, as well as authentication of users and devices, and access controls. In addition, Decru says, its box can cryptographically partition the network, so only those who are authorized to see the data are allowed access to it.

The Redwood City, Calif., startup claims the device offers a throughput of up to 2 Gbit/s, and that it sits transparently in the SAN between storage systems and clients (see Decru Ships 2-Gig SAN Crypto).

Several other companies have already started shipping similar security appliances, including Kasten Chase Applied Research Ltd., NeoScale Systems Inc., and Vormetric Inc., but Pissarello insists that Decru was the only company AGSM looked at that met all of its requirements for SAN security (see SAN Security Steps Out).

However, no matter how great Decru's technology may be, a security appliance can never be more than a piece of the puzzle, says Hamish Macarthur, an analyst with market research firm Macarthur Stroud International.

"Just throwing an appliance at it doesn't necessarily solve the problem," he says. "You have to make sure that it fits into a larger policy... You need to consider how you actually collect the information, manage it, and also delete it."

In fact, Pissarello agrees with this assessment, pointing out that while AGSM is impressed with Decru's technology, the most important requirement was that the security box work with a broad range of other vendors' products being used for the project.

"Decru is a key element to secure data in our SAN, but it will be one of many technologies used in this initiative," he writes in the email. "Thus, Decru's interoperability with the other SAN vendors and commitment to support industry standards is important to us. [DataFort] allowed us to integrate multiple government agency databases and network environments while ensuring secure compartmentalization and authentication."

Decru's Shields won't reveal how much this deal is worth -- nor how many security appliances the Italian government has bought -- but she admits that it is definitely one of the company's largest contracts to date. "It's a substantial deal," she says, adding that it also opens up a wealth of possibilities across the continent. "In terms of a market opportunity in Europe, it's going to be substantial."

Macarthur agrees that there is a lot more focus on storage security in Europe than in the U.S., and that governments across the continent are busy implementing e-government projects similar to the one Italy has started. That does not, however, mean that other European countries will follow their boot-shaped friend's choice in security vendor. "Security really depends on the practices in the country," he says. "You can't just do this in the context of a specific technology... There are a series of different angles you can take."

AGSM is initially building a data center that will support the gentlemen (and others) of Verona and hundreds of surrounding towns and cities, and expects to launch the service by October 1. After that, the company plans to create similar data centers across Italy.

Eugénie Larson, Senior Editor, Byte and Switch
