Barbara Nelson, CEO and Chairman, NeoScale Systems Inc.

When Barbara Nelson joined NeoScale Systems Inc. in 2003, security in storage networks really was "neo." Most solutions used software encryption, a technique that couldn't keep up with burgeoning disk-based storage.

"There were lots of good products in network security, but storage was completely exposed," she recalls. NeoScale was among the handful of companies offering appliance-based solutions.

It was time for a change. Legislation following the tech bubble bust gave IT a whole new set of worries. In California and other states, companies are required to make public disclosures on the chance that stored records may have been breached.

"It's now very public and very damaging," she says. "Most of the threats we see and solve are accidental, not malicious. But once something happens, it's your name in the second column of the Wall Street Journal."

The edge of glee in her voice is unmistakable. From Nelson's perspective as supplier, storage growth, legislation, and new technology have converged to form what she calls a "perfect storm opportunity" in storage security.It's paving a nice career path for her as well. NeoScale is her first CEO job. Prior to NeoScale, Nelson worked for several years at Quantum Corp. (NYSE: DSS). She joined as VP of marketing for the company's Desktop and Portable Storage group in 1997 and was promoted to VP and general manager of its DLTape division in 2000.

Before Quantum, Nelson, who has a BSEE from Stanford, worked for four years at Maxtor Corp. (NYSE: MXO) and 13 years at

By the time Nelson arrived at NeoScale in October 2003, the company was at a crossroads. There was new funding, but two of the firm's founders, Aseem Vaid and Soummya Mallick, departed. CEO John McGraw, who was also a defendant in a lawsuit by former Nishan founder Aamer Latif, exited after just six months on the job (see NeoScale Secures Funding, CEO and Nishan Founder: VCs Screwed Me).

Three years later, Nelson has no regrets. The last few months have been especially active, not just for NeoScale but for other storage security appliance vendors, including Decru Inc., now owned by Network Appliance Inc. (Nasdaq: NTAP) (see NetApp Buys Decru); Kasten Chase Applied Research Ltd.; and Vormetric Inc.

When we caught up with Nelson by phone earlier this month, she talked about it all -- and where NeoScale goes from here. Read the whole interview, or click per page:

Byte and Switch: So tell us about the storage security market and how you got into it.

Nelson: What drew me to NeoScale was that it was going to make a difference. Storage has a lot of startups and opportunities, a lot of clever ideas, but nothing that will change the world. You have lots of virtual tape, CDP, and so forth. Security is also cluttered with lots of products. You have a little better firewall here, a little better monitoring or auditing there, a little better mousetrap.

That wasn't terribly interesting to me. They weren't big enough ideas to make a difference in the market.

To me, what's exciting is the intersection between a real customer pain point and technology that really addresses it in a meaningful way -- not just making something 10 or 20 percent better than what's already on the market. Storage and security are already overcrowded. Storage security is uncharted waters.

When I joined the company, there were lots of good products in network security, but storage was completely exposed. The other piece is that Senate Bill 1386 went through. Legislation plays an active role in this market. It was clear the pain point was going to be there. Legislation was accelerating market demand.What we have is a perfect storm opportunity. In the last year, we have really seen these things come together.

[Ed note: Senate Bill 1386, passed in California in July 2003, requires any company doing business in California to make public disclosure if there's a possibility that the security of personal data owned or licensed by the company has been breached.]

Byte and Switch: There are several companies involved in storage security right now. Can small companies survive when the issue is so hot? Won't bigger companies, the EMCs and so forth, want a piece of the action?

Nelson: The highway is small. This stuff is hard to do. It took us and Decru a couple of years to get this to work -- we were in development stealth before we had a product. And even outside of the patents we filed, it's not a simple task. There are engineering and cost issues. It takes time. Even if they decide tomorrow to do something internally it will take a couple of years to do it. The market is heating up way faster than that.

The big storage vendors won't burden their products with something that not everyone wants today. It's prudent for them to have relationships for the next couple of years. But if we penetrate just 30 percent of the storage security market, that could be worth $1 billion.Byte and Switch: Can you speak about the major threats to stored data?

Nelson: People tend to think about storage on tape or disk as data at rest, as opposed to an IP link where you're actually going across a WAN. There tends to be a different perception of security for data in flight on the network and data at rest, in storage.

You have to think. Just because data is technically at rest doesn't mean it isn't moving. When someone takes media from a tape library offsite, it's moving. The data may be at rest, but the media is moving. On the other hand, in a data center, people may not steal a disk array, but the greater threat happens during an upgrade to disk arrays or hard drives. Then, the stuff goes out the door to a reseller, and people forget to clean the disks off. It's a very common accident.

Most of the threats we see and solve are accidental, not malicious. But once something happens, it's your name in the second column of the Wall Street Journal.

Byte and Switch: What role do regulations play?Nelson: Well, start with Senate Bill 1386. If you even suspect that you have had a breach, you have to tell customers in California and publicly disclose the risk and what you're doing about it, unless the information has been encrypted. Fifteen other states have passed legislation that's similar, and Congress and the Senate have bills floated to bring it to the national level.

There's also the Gramm-Leach-Bliley Act, passed in 2001, that relates to the privacy of financial information. When the Bank of America breach happened, the act was modified to say that when there was unauthorized access to modified information you had to disclose it.

Byte and Switch: Why so much legislation now?

Nelson: The reason is pretty simple. The Bank of America breach included data for 60 senators on tape. We joked that it was the 'filibuster factor,' since that's the number of senators needed to break a filibuster in the Senate.

Situations like this accelerated attention to data security issues and identity theft. And there are some factoids showing an increase in identity theft... A couple of years ago, roughly 10 million people annually were victims of identity theft... Over 50 million people now are victims. And 5 million of those were just due to tape losses.Byte and Switch: Are customers actually reporting problems to you?

Nelson: EMC and StorageTek and McData and other partners of ours hear from customers. Of course, now a lot is public because of the laws. Loss of tape is not new. It's now very public and very damaging.

It's a situation kind of like seatbelts. In the 60s and 70s people died without seatbelts. A few used them, but most didn't get serious until laws were passed. First those laws required you have seatbelts in the front seat, later they included the whole car. Where we are today, security laws are for the front seat. Over time, we'll see the whole car involved.

Storage security will move to information security. Certain things will be encrypted, but some won't, and some only for a certain amount of time. Ultimately, I see a very nice fit long term with the management piece, helping solve the problem at the solution level.

Byte and Switch: What was it that made you think NeoScale's approach to storage security was different?Nelson: First, what had been done before 2003 was mainly software encryption. And that is slow, with very low-level algorithms, and it can be easily cracked. Key management is tough to use. So customers don't use it. Something like six or seven percent of Oracle customers use the encryption they sell with the product.

Then in 2003 people came to the space with appliance solutions. The appliance is absolutely how you have to go after a problem. Otherwise, you just don't get the performance and manageability. If a customer is looking to solve the security problem, you can expect them to create a security problem in the process.

Byte and Switch: There are other storage appliance vendors. How do you differentiate?

Nelson: We optimize for the storage application... We took that approach instead of one size fits all. We make sure the hardware is suited to the storage environment, so you have minimal impact. There's no remapping or rezoning, you just drop it in.

We also have some different aspects of security, particularly in the tape environment, where we have a couple of extra layers of security... You can encrypt tape per media, tape per pool, and that adds to disaster recovery.That's really the future. Today, people tend to think of storage encryption, not storage security. Over time, we'll see policy and key management really fitting into the whole information security perspective, along with ILM and SRM.

Byte and Switch: What are the technical issues of storage security today?

Nelson: It's really the plumbing. Storage is all about performance, about uptime and performance and availability and the reliability of the product. If you have five nines reliability, that can still be five minutes of downtime a year. That is a performance issue, and in disk storage it's a huge deal.

Think of it as a stream. When I get up in the morning, I have to turn on the shower and the way it's set up in my house, I have to wait. I figure out what I'm going to wear, and then finally there's hot water. That's latency. How fast the water comes out of the shower head is throughput time. In storage, latency happens with every single command. You can have thousands of commands in a second of time. It's all about the performance of the product.

Design-wise, you have to handle on-the-fly changes to Fibre Channel. You need to have stateful inspection as opposed to a proxy approach, which terminates I/O and slows down performance quite a bit....Byte and Switch: Do the issues change with the kind of storage you're backing up -- disk or tape?

Nelson: Yes.... When somebody is buying an EMC or IBM or HP disk array, it's all about availability. Encryption can't get in the way. It can't slow anything down. If you're slowing something down, people don't want it. With tape, it's about not interfering with streaming performance. You have to be semantically aware... Tape speaks an entirely different language. If the language of disk is Spanish, then tape is Chinese. Media management needs to be simple.

Byte and Switch: So how many customers does NeoScale have at this point?

Nelson: Hundreds.

Byte and Switch: How many employees?Nelson: Fifty.

Byte and Switch: How much funding do you have?

Nelson: Forty-four million.

Byte and Switch: Will you go for more?

Nelson: No.Byte and Switch: What about profitability?

Nelson: The first half of next year.

Byte and Switch: What about an exit strategy?

Nelson: We're building a public company, we're keeping an eye on the ball. It's all about building revenue and channels. We work with people who can be the best channel partners for us and have access to the right places. Like EMC and IBM and HP, and we have resale arrangements with StorageTek and McData/CNT.

The point is to build a market presence with key storage and connectivity players, to get the most coverage for what you're doing. Over time we want to be more strategic with solutions that tie into more robust policy management to extend security... You'll see more in the areas of key and policy management, better ways in which to manage information with granularity. We're building a company that is very broad-based and independent.Byte and Switch: You have a SAN VPN product. Is that a sign of things to come?

Nelson: Our SAN VPN product is an extension of storage. It's not for IP VPNs, but for WDM, Sonet, not IP. Those kinds of connections are typically in a metropolitan area network that supports storage extension. We're not going to create VPNs or firewalls. Plenty of companies do that and we can't add anything there. What we could do is make a product more robust in terms of policy management.

Byte and Switch: Is there anything else you'd like to say?

Nelson: I've never seen an opportunity quite like this. A year and half ago, the discussion with customers was entirely different than it is today. It's been interesting ot see how the market has accelerated. People have internalized the threat, they have gotten to be aware of the problem and how to solve it.

I was under the hairdryer at the beauty parlor and a lady said she was moving her money from Bank of America because of the tape breach. Customers see the threat of accident as requiring the same security measures as somebody being malicious, particularly as it relates to storage.Byte and Switch: Does it help you as a CEO to be an engineer?

Nelson: Definitely... And it really helps that at Quantum I had the experience of running an IT organization, when we revamped the Quantum ERP system because of acquisitions and consolidating. I know what people worry about. I used to worry about these things too.

Mary Jander, Site Editor, Byte and Switch