Tape Encryption Devices: Host-based vs. Appliance

We did get our hands on NeoScale Systems' CryptoStor Tape FC704, an inline appliance, and Kasten Chase's Assurency SecureData host-based encryption system. We tried to get Decru's DataFort appliance into our labs, but the company declined.

Kasten Chase's Assurency SecureData easily complies with any regulations imposed by current government contracts--this bad boy wouldn't even boot up for us without biometric authentication, and it has Medeco locks guarding its front panel. Indeed, Kasten Chase claims the National Security Agency as a customer. But we found the list of supported OSs and backup software shorter than we'd like. In contrast, NeoScale Systems' CryptoStor inline appliance is not picky about its playmates.

Location, Location, LocationOnce you determine you want to encrypt, the main decision points revolve around whether data encryption should happen at the server (host-based), in transit (appliance-based) or, if you're willing to wait, at the tape drive itself. Surprisingly, there aren't a lot of players vying for your tape-encryption dollar (learn more about the market in "Don't Be the Next Data Debacle" on page 32). We focused our evaluations on how practical, manageable, effective and enterprise-ready each approach is.

With the host-based product, data on your servers is encrypted before it hits the wire by an encrypting PCI card, which authenticates to and receives keys from a key-management appliance on the same network.

In the standalone appliance scenario, all data passes through the appliance, which sits between the storage network and the tape library, and undergoes compression and encryption in the process.

From a functionality standpoint, we found a couple of differences between standalone encryption appliances and host-based encryption cards; the complexity and size of your storage implementation and budget constraints will be deciding factors. The standalone appliance we evaluated costs less than the host-based, card-assisted encryption product, but if your storage network has several backup servers and multiple tape libraries, as well as other storage media and FC devices, it will be more difficult to employ and configure standalone appliances. In addition, consider what you're encrypting--do you have policies, extremely sensitive data or regulatory drivers that demand additional levels of security?Data tape cartridges are expensive, so to make sure we fill tapes to their maximum capacity, all tape drives on the market ship with compression capabilities. But what happens when you try to compress encrypted files? Nothing. When using robust encryption algorithms--the devices we tested use 3DES and AES256, both widely recognized by the security industry as sufficiently strong--encrypted data sent to the tape drive is functionally uncompressable. But there's good news: The vendors whose products we evaluated made sure their devices both compress and encrypt data on its way to tape. Nice.

A big benefit of host-based encryption is that data is encrypted before it leaves the host, so it's never unencrypted going over the wire to tape. An ultra-strict security policy would dictate that some data never be sent over the network unencrypted. Only a host-based PCI card strategy will do. All the standalone appliances--and the future built-in encrypting tape drives--receive data over the wire unencrypted. But this shouldn't be a strong selling point if the rest of your network transfers run in the clear--the distance between server and tape on a Fibre Channel line isn't likely to be your network's weakest link. Plus, this doesn't even take into account the increased difficulty of sniffing FC traffic; it can be done, but it's not as simple as conventional network sniffing. Unless you have SSL or other trusted encryption implemented across your internal network, having data encrypted on the storage path won't make or break you. That's not to say it doesn't raise your level of security, just that it can't be the only consideration.

As we mentioned, the encryption product you pick must play nice with your storage implementation. Both of the products we tested support both Fibre Channel and iSCSI, but we tested only with FC. The nature of each product and where it sits on the storage pipeline determine how the storage environment will affect operation. The host-based card installs at the server, so the OS can be a deciding factor, though storage network device selections matter less, because the card encrypts all storage data leaving the server on the FC network, regardless of where it's going. For this reason, a host-based PCI card-assisted product can accommodate all types of storage implementations with a single product. A standalone appliance doesn't care about which OS is sending the data down the pipe, so while separate appliances are required for different device implementations, your server configuration is moot.

Let's start with your current backup application and operating system. Assurency SecureData supports IBM Tivoli, Legato Networker, Veritas NetBackup and Windows NT backup software; on the OS side it supports only Windows 2000/2003 and Solaris 8/10. Kasten Chase says future versions will add AIX 5.2/5.3 and Linux, but given the company's slew of government certifications, we were surprised these weren't already on the list. Why is this an issue? Because encryption PCI cards reside on your servers, so OS support is a limiting factor.As you start looking at inline appliances--that is, devices that reside between your backup server and your tape drive--your options are a bit more diverse. The inline appliance we evaluated, NeoScale's CryptoStor Tape FC704, supports all the major backup applications currently in use, with Windows NT, Windows 2000/2003, Solaris, Linux and HP-UX. However, the CryptoStor is not necessarily the best choice for large data centers with complex storage networks. This is because one appliance is needed for each network path between data and tape, but the maximum number of clustered appliances is six. You could create multiple clusters, but that adds management complexity.

We expect that encryption on the tape drive will be able to support diverse operating infrastructures because tape drives are independent from the backup environment and by their very nature are application-agnostic.

One obvious benefit of a standalone appliance is ease of deployment. Based on our tests, we're confident NeoScale's CryptoStor can be easily installed into any point-to-point environment. This is the obvious option for many small and midsize businesses, because it's nonintrusive and does not change current processes. Large enterprises or SMBs with complex network and SAN topologies may be better off with a host-based product; in our tests, Kasten Chase's Assurency offered the same transparency and ease of use once installed and configured, though the list of supported backup environments decreased significantly.

Whichever approach you choose, you're tied to it to recover your data. This sounds scary, especially for anyone who's ever lost an irreplaceable key, but it's actually a good thing--your tape data has fewer vectors of attack this way.

Where Did I Put My Keys?That brings us to key management. The devices tested vary slightly in method, but both operate PKI-like implementations dressed up in fancy clothes. NeoScale's master encryption key is stored on one or more smart cards, while Kasten Chase uses Sony Puppy fingerprint drives. We give points for coolness to the fingerprint method, though both offer similar levels of security. Both methods also allow configuration of master-key splitting over the devices, with a maximum of a 10/10 quorum requirement for key recovery or any activity that requires knowledge of the master key, such as system reset or tape zeroization. That is, if you split the master key 10 ways, all 10 people who possess key tokens must be present and authenticate correctly for key recovery to work. NeoScale defaults to 2/5, while Kasten Chase provides no default configuration here.

This is not to say that all these people are needed for a standard restore, which worked seamlessly in both cases; but for a recovery or manipulation of data off of the tapes in the absence of the standard infrastructure, or an overwrite or restore of the appliances , you'll need to gather the troops. Both products allow for autonomous unlocking, where only one key device is required.

Kasten Chase's Assurency SecureData requires a valid key to boot the key authentication appliance; when we initiated this request we got a pleasingly musical singsong of request alerts and blinking blue LEDs. NeoScale let us apply separate encryption keys to individual tapes and then store these keys on their particular tapes. At first glance, this seems to defeat the purpose, but it turns out that the key stored on the tape is encrypted by a separate key. We put the tape into a drive outside of the configured architecture and were able to discover nothing at all; the drive didn't even recognize that a tape was present.

The maximum throughput for each device will depend on the type of data being transferred--compression of nonrandom text is naturally more efficient than that of random or binary data. With a host-based product, there's no danger of an appliance bottleneck because all compression and encryption happen before the data leaves the host. The PCI encryption card takes the overhead off the host CPU, performing compression and encryption in the background. Theoretically, it sounds like this, too, could become a bottleneck, though we weren't able to make that happen in our testing. But it's a valid concern because this server may also be your Web or mail server, both listed as standard in a typical installation.

In our tests, both products were able to compress, encrypt and transfer simple text data at roughly 1 GB per minute, only slightly slower for more complex randomized text and binary data. We hit a bottleneck at the disk on the backup client, because both our 10/1000 network and our 2-Gbps Fibre Channel connection to the tapes provided substantially wider pipes than the disk access times could exceed. With one backup server sending out hundreds of gigabytes of both data and text to tape, we weren't able to bog down either the appliance or the host-based product. As for backup windows, you do the math: 1 GB per minute, 60 GB per hour, how much data do you have? We tested using around 400 GB, which took about seven hours; it adds up quickly.The longest part of any job submitted is the verification pass, which is, unfortunately, rarely used because of the substantial time increase that accompanies it. This is where the backup is first performed, then accessed and checked a second time to make sure the data is complete and accurate, with no corruption. For your academic amusement, we submit that this additional pass in our tests increased the total time required with either product by about 150 percent.

You Can't Be Too Rich or Too Thin

The most useful information for deciding how to implement storage encryption is the increased size of the stored data. It seems easy enough to swallow until you consider how these numbers apply to data centers already facing ever-increasing demands for tape storage media. Currently, unencrypted tape storage benchmarks average about a 1:2 compression rate, happening at the drive. Encrypting all of your storage data prior to tape would require a substantially higher number of tapes to compensate for the increased data size. Because encrypted data cannot be compressed, the encrypting agent is required to perform compression before it encrypts the data. Got that?

Embedded drive compression functionality is useless in the implementations we discuss here; wait for the encrypting/compressing drives we expect to hit the market in the coming months. The bottom line: These devices do a good enough job compressing prior to encrypting that the ratios hold up, so you're looking at about the same compression rate with the addition of encryption.

When You're Hot, You're HotWhat happens if your building burns down and the appliances are toast? Assuming your tapes weren't stored in a cardboard box in the data center, you'll be fine as long as you have your keys, so keep copies of smart cards secure in an off-site vault. Both vendors offer last-resort tape restoration in the form of recovery software that, once installed, can authenticate your keys and recover your data from tape. Get your quorum together, call your secure tape storage facility, and get back to work. This is a pesky what-if scenario--right up until it becomes the most important thing for your business. Disaster-recovery preparation is like that, which is why so many businesses never give it the consideration it deserves.

As for price, as financier Ronald Perelman illustrated in his $2.7 billion lawsuit against investment bank Morgan Stanley, a storage mishap can end up costing significantly more than the most expensive encryption system. With that in mind, here's a basic cost breakdown of the devices tested.

The Assurency SecureData setup we installed in our lab was smaller than what Kasten Chase considers an average implementation, but it still cost $62,000. This got us two key management appliances, one CryptoAccelerator PCI Card to perform the data compression and encryption on one server, and the server encryption driver for the card--yes, there's a separate charge for the driver. The average installation as documented by the company runs $86,450, based on two appliances with five CryptoAccelerator cards and accompanying drivers--still significantly below what a major public relations fallout might cost, though out of reach for many smaller operations.

The NeoScale CryptoStor Tape appliance we evaluated costs $20,000 with two Fibre Channel interfaces, one input and one output; it also offers the product with four FC interfaces. We used only one box for our small test network; to determine how many you will need, count the number of data paths between your storage network and your tape libraries. Small environments could get by with only a single appliance, but for failover and appliance backup, we'd feel better with two.Kasten Chase's Assurency SecureData seems geared toward large enterprise customers. The system comprises one or more SecureData Appliances for key management, working with CryptoAccelerator cards and server encryption drivers at each server holding data that requires secure backup. The product didn't care about our storage network because encryption was done on the servers themselves. We had to install PCI cards on the servers in our test bed; encryption takes place at the driver level for all data heading outbound over the Fibre Channel wire to the tape library. We used a separate host to run the management software used for configuring our key-management appliances. According to Kasten Chase, its SecureData Appliances run a "proprietary key authentication" system, which distributes keys to the approved hosts' PCI cards. The key appliance does not touch storage data, nor does it do any encryption; its only job is authentication. So, the Kasten Chase model includes a PCI card, which does the encryption and compression at the server, authenticating to a key-management appliance on the same network before sending the data out over Fibre Channel to the tape library.

Installation was a breeze. We popped the PCI card into our Dell server and followed the detailed step-by-step instructions. These included installing a driver onto the host and configuring at least one biometric device to boot up the appliances on the network. In our configuration, the SecureData authentication appliances sat on the same network as our hosts; they performed authentication and key management only. Additional appliances can be added as necessary, though a typical installation requires only two for failover purposes. In addition, these devices can be clustered across networks, allowing the installation of a remote key cluster right at your disaster-recovery site. (See possible setups in the diagram at left.)

Our storage system Fibre Channel links plugged into the PCI card on each host, and we were ready to go.

We performed configuration and management for the Assurency SecureData Appliances through a software package, the Assurency SecureData Manager, installed on any host on the same network. The interface was straightforward and easy to walk through. Once configured, data encryption was completely transparent; our storage devices were accessed just as they were before the appliance and PCI card installation. It should be noted that one of Assurency SecureData's strongest benefits is the ability to use the same appliances and configuration with any combination of backup implementation, tape or not; it even provides for encrypting shares and SAN volumes.

Because encryption takes place before the data hits the wire, Kasten Chase's approach has a slight security edge over NeoScale's, but the cost difference is anything but slight. Each Assurency SecureData Appliance costs $27,950, and you'll need two at each site. Each Assurency ACA-800 CryptoAccelerator runs $4,150, and Assurency Server Encryption Drivers cost $1,950. So you're looking at an MSRP starting price of around $62,000.

Assurency SecureData Appliance, ACA-2400 CryptoAccelerator and Server Encryption Driver, $62,000, as tested, with two appliances, one card and one driver. Kasten Chase, (800) 263-1448, (905) 238-6900. www.kastenchase.comWe placed NeoScale's shiny red CryptoStor Tape 704 between our storage data and our Hewlett-Packard Ultegra tape drives, encrypting all data that passed in from our storage network via Fibre Channel and sending it out over a second FC line to our tape storage system (see the diagram, below left). A NeoScale installation technician helped with setup; this is standard with any purchase, but installation was easy enough that we could have handled it ourselves.

The appliance would work the same with arbitrated loop implementations, where the storage network operates with many FC devices on a single segment or loop, but each data path must have a separate appliance intercepting traffic. Multiple CryptoStor appliances on the storage network operate as a cluster. So far so good, but as of this writing, the maximum number of appliances that can cluster is six, possibly not enough for large data centers operating complex SAN implementations with many tape libraries. NeoScale told us it plans to raise the number of devices in a cluster to 16 soon, maybe even by the time you read this.

On the bright side, clustering the appliances is a simple matter of selecting the clustering option during configuration; the rest of the process is automated. Each appliance in the cluster is aware of your configuration for encryption and restoration functionality--the appliance automatically obtains this information as each appliance is added to the cluster.

Once we were connected, we configured our IP information through a serial console, then did all additional configuration over an SSL-enabled connection to a Web interface on the appliance. The interface was straightforward--we created users and defined roles as we would in any backup environment. However, before the appliance could take over, we had to create at least one CryptoStor rule to define which traffic should be encrypted. CryptoStor rules are essentially wild-card-friendly pattern matches for either specific devices or source hosts that will be sending backup data through the appliance. The necessity of this becomes clear when a loop-type implementation is considered--that is, when many FC devices share the same network segment. You don't want the appliance encrypting all traffic, only that destined for the tape drives. The appliance communicated with our tape library, which was displayed on the network in the same manner as before we installed the appliance. If a host performing a backup must disable and then rediscover the tape library, it will appear the same as it did without the appliance in place, as if it were still the old unencrypted connection.

We were pleased with performance; there was no noticeable slowdown in total time to transmit data from host to tape after adding the appliance.

CryptoStor Tape FC704, starts at $45,000 for one appliance and two SCSI or Fibre Channel ports. NeoScale Systems, (408) 473-1300. www.neoscale.com

Marisa Mack is a security consultant for Neohapsis, a Chicago-based security consulting firm. Write to her at [email protected].When you stop and think about the compression/encryption tag team, the use of hardware acceleration to accomplish these tasks is a no-brainer--the raw hardware and software technology are available, and neither is rocket science.

But when we set out to find a tape drive manufacturer that offers both compression and encryption on the tape drive itself, we came up with a big goose egg. This is a clear case where an immediate market need was completely missed by conventional tape backup vendors, and they now find themselves playing catch-up in a marketplace that required the technology yesterday.

Fortunately, 2006 should be the year we start to see crypto-enabled tape devices hit the shelves.

We met with product managers from the StorageTek unit of Sun Microsystems, who were kind enough to give us a peek at their product road map.

StorageTek has been working on a device it calls the T10000, which is a next-generation tape unit with built-in encryption functionality. The T10000 boasts AES256 encryption, both encryption and compression on the drive using hardware acceleration, robust key-management features and a 500-GB native storage capacity (larger with compression).Although we were excited to hear about the drive, one of the coolest features is relatively low tech: In an effort to address worst-case disaster recovery scenarios, StorageTek is building a keypad entry system directly on the tape drive for manual encryption-key entry. Printing out the actual keys on paper may be cumbersome, but now even the most paranoid organizations can keep their keys in an off-site safe in preparation for an "everything burned to the ground" scenario.

StorageTek says the devices should work with existing silo technology, but unfortunately these devices will require new media; the company is not planning on the T10000 being backward-compatible with the 9940x or other tape drives.

StorageTek would not commit to an exact ship date, but says to expect the drives to be out by mid-year 2006. We look forward to testing them when they arrive.

--Greg Shipley

We used NetBackup from Veritas (now Symantec) with Hewlett-Packard Ultrium LTO2 400-GB tape drives and tapes. Our hosts ran Windows 2000 and 2003 Server on Pentium 4 hardware with 512 Kb of RAM through a 10/1000 switch. We sent simple text (all 0Ss), complex text (a dump of all file contents within C:Winnt*.*), and binary data through the encryption products. Our thanks to StorageTek for providing test hardware.All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.