An encryption appliance inserts inline into the existing network and uses purpose-built electronics to encrypt full-duplex data at multigigabit line speeds. This essentially eliminates the performance penalty imposed by encryption software running on a general-purpose server and allows the organization to encrypt more data in flight to storage at local or remote locations. The biggest downside to encryption appliances is their upfront expense; implementing multiple appliances within the same organization can be cost prohibitive. Key management is also important, since keys are managed within the appliance itself. The product snapshots in this chapter highlight key specifications for a cross section of dedicated encryption appliances. The following products were selected based on input from industry analysts and SearchStorage.com editors, and specifications are current as of September 2007.
The following specifications have been provided by vendors and are periodically updated. Vendors are welcome to submit their updates and new product specifications to sbigelow@techtarget.com.
Product Snapshot #1
-----------------------------------------------------------------------------------------------------------
Product: Crossroads Systems, Inc.; Crossroads StrongBox TapeSentry f4
Encryption type: AES 256 CBC (Cipher Block Chain)
Encryption strengths: 256 bit encryption algorithm
Encryption targets: The encryption targets are FC tape drives. We are in development for the support of SCSI drives.
Compression: Yes, LZF
Compression before encryption: Yes
Key complexity: The AES 256 bit keys are generated using a strong pseudorandom number generator. One key is issued per tape and the tape header contains only the key ID and not the key itself. The keys are stored in an encrypted form in a key database. The keys are always secure and transmitted through a secure channel using SSL.
Key management: TapeSentry provides the following enterprise-class key management features: key generation using a strong pseudorandom number generator; key storage in encrypted form in a relational database; key recovery that includes secure backup and restoration of the key database for complete disaster recovery; key sharing that occurs between multiple TapeSentry appliances with trusted relationships using mutually authenticated SSL connections.
FIPS Validated: No; in process of getting FIPS validation for 140-2 Level 2
Data encrypted at rest: No; TapeSentry is a solution geared towards data-at-rest encryption by encrypting data as it is written to tapes.
Data encrypted in flight: Yes; data is encrypted in-flight.
Host and application protection: No; we do not provide environmental host and application protection as those solutions are offered by other solution providers. Given Crossroads' legacy working with all lead industry storage and security providers, TapeSentry f4 fully integrates with most enterprise environments.
Access control features: Yes; Crossroads' patented access controls limit host visibility to the logical unit level device (LUN). Only those hosts that are mapped to a specific device can see that device in the network. All other hosts cannot see or discover those devices. This then limits which systems can recover data from those devices as well. TapeSentry offers a role-based user access management system to ensure security and separation of duty between administrative and security personnel. The appliance administrator installs, configures, and administers TapeSentry; the security administrator defines encryption policies, manages certificates and users, and views the audit log.
Auditing and reporting features: Yes, we support a digitally signed audit log to review key security-related activity, such as when a user logs in, a policy is updated, or a certificate is created. TapeSentry provides discovery and system reports that help appliance administrators gather information on devices that are connected to ports and view information on the TapeSentry appliance and its configuration.
Other encryption features (if any): TapeSentry provides unprecedented security and ease of use for a one-step disaster recovery solution, with secure sharing of data and keys across business partners and authorized locations. TapeSentry can integrate with external key management systems. This flexibility allows it to coexist with other key management systems in the enterprise. TapeSentry ensures the key database is backed up, and allows the automatic backup destination (NAS or SCP) to be at a secured remote site. This allows for a quick restoration of the key database at a remote site and recovery of critical business data.
Interface/Ports: 4 port 4Gig Fibre Channel Appliance
Vendor Comment: TapeSentry is the industry's highest performing solution delivering encryption into the existing fibre channel network. The backup application and tape devices require no upgrades or infrastructure change to implement this leading encryption appliance so all your data stored on tape media is fully secured. TapeSentry was designed using Crossroads' industry-leading routing platform called the Routing Messaging Interface (RMI). With over 100,000 systems in the field connecting tape drives and libraries using Crossroads RMI, TapeSentry customers are empowered with best-in-class interoperability and scalability.
Availability: Currently available
Base Cost: MSRP: $31,500
Detailed specs: http://www.crossroads.com/Products/StrongBox/TapeSentry.asp
Vendor URL: http://www.crossroads.com/
-----------------------------------------------------------------------------------------------------------
Product Snapshot #2
-----------------------------------------------------------------------------------------------------------
Product: CipherMax Inc.; CM100T Tape Appliance
No specifications were provided by publication time.
Detailed specs: http://www.ciphermaxinc.com/products/products.html
Vendor URL: http://www.ciphermaxinc.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #3
-----------------------------------------------------------------------------------------------------------
Product: CipherMax Inc.; CM180D, CM250 and CM500 Disk Appliances
No specifications were provided by publication time.
Detailed specs: http://www.ciphermaxinc.com/products/products.html
Vendor URL: http://www.ciphermaxinc.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #4
-----------------------------------------------------------------------------------------------------------
Product: CipherOptics Inc.; Security Gateways
No specifications were provided by publication time.
Detailed specs: http://www.cipheroptics.com/products/security-gateways.html
Vendor URL: www.cipheroptics.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #5
-----------------------------------------------------------------------------------------------------------
Product: Digital Security International; Paranoia2 Appliance
No specifications were provided by publication time.
Detailed specs: http://www.dsiencryption.com/products.html
Vendor URL: www.dsiencryption.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #6
-----------------------------------------------------------------------------------------------------------
Product: Hifn Inc.; Swarm 1000 Appliance
No specifications were provided by publication time.
Detailed specs: http://www.hifn.com/products.aspx?id=3506
Vendor URL: www.hifn.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #7
-----------------------------------------------------------------------------------------------------------
Product: Hifn Inc.; Sypher 3000 Appliance
No specifications were provided by publication time.
Detailed specs: http://www.hifn.com/products.aspx?id=3510
Vendor URL: www.hifn.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #8
-----------------------------------------------------------------------------------------------------------
Product: Ingrian Networks Inc.; DataSecure i-Series Appliance
No specifications were provided by publication time.
Detailed specs: http://www.ingrian.com/products.html
Vendor URL: www.ingrian.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #9
-----------------------------------------------------------------------------------------------------------
Product: NeoScale Systems Inc.; CryptoStor Tape Appliance
No specifications were provided by publication time.
Detailed specs: http://www.neoscale.com/English/Products/CryptoStor.html
Vendor URL: www.neoscale.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #10
-----------------------------------------------------------------------------------------------------------
Product: NeoScale Systems Inc.; CryptoStor FC Disk Appliance
No specifications were provided by publication time.
Detailed specs: http://www.neoscale.com/English/Products/CryptoStor.html
Vendor URL: www.neoscale.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #11
-----------------------------------------------------------------------------------------------------------
Product: Network Appliance Inc.; Decru DataFort Storage Security Appliances
Encryption type: AES 256
Encryption strengths: 256 bit
Encryption targets: All major platforms for NAS, file servers, IP SANs, Fibre Channel SANs, tape drives and libraries (SCSI and Fibre Channel)
Compression: 2-to-1 compression is supported for tape encryption
Compression before encryption: Yes, compression is done in hardware before encryption
Key complexity: Keys are 256-bit length and have 256-bit entropy (i.e. they are generated by a True Random Number Generator and not from a predictable source, like a passphrase)
Key management: Each DataFort appliance generates, tracks and manages its own keys during runtime operation. Decru Lifetime Key Management system is available in software or appliance form factor and supports archiving, retrieval and transfer of keys over time and across the enterprise.
FIPS validated: Yes, FIPS 140-2, Level 3. Decru DataFort is also in process for Common Criteria certification, targeting EAL4+
Data encrypted at rest: Yes
Data encrypted in flight: Yes
Host and application protection: Decru Host Authentication ensures only authorized and validated hosts can access data
Access control features: Yes, DataFort can add a layer of enforcement to directory services, like Active Directory, NIS or LDAP, as well as additional registration capabilities
Auditing and reporting features: Yes, comprehensive, configurable auditing is available to track access to data, administrative actions and other events. Logs can be exported to Syslog or other management tools.
Other encryption features (if any): Other features include hardware-based encryption to prevent performance degradation, CryptoShred key deletion for easy, permanent deletion of expired data, role-based access controls, such as smart card-enforced roles for administrators, Cryptainer vaults that allow different data to be encrypted with different keys for compartmentalization, and quorum-based recovery (using smart cards) that prevents any one person from having overly broad access to sensitive functions.
Interface/ports: DataFort is available in several configurations; E-Series: two Gigabit Ethernet ports; Fibre Channel Series for disk or tape: two Fibre Channel ports; FC1020 for tape: 10 Fibre Channel ports; S-Series for tape: two SCSI ports
Vendor comment: Decru created the storage security market in 2002. Decru solutions have been shipping for five years with proven encryption and key management deployments in financial services, healthcare, government, manufacturing and many other industries.
Availability: Decru encryption and key management solutions are currently available
Base cost: Pricing begins at $15,000 per appliance
Detailed specs: http://www.decru.com/products/datafort0.htm
Vendor URL: www.decru.com
-----------------------------------------------------------------------------------------------------------
Product Snapshot #12
-----------------------------------------------------------------------------------------------------------
Product: Vormetric Inc.; CoreGuard
Encryption type: AES and Triple-DES encryption
Encryption strengths: AES (128-bit and 256-bit key length); Triple-DES (keying option 1; three unique keys)
Encryption targets: CoreGuard encrypts file system data. Security policies specify which files and folders get encrypted, which key is used and what users and applications are allowed to access and decrypt the protected files.
Compression: Encrypted file system data is not compressed. CoreGuard 4.0 introduces backup agents that will optionally compress and then encrypt backup data.
Compression before encryption: Yes
Key complexity: Deterministic random number generator (DRNG) that is compliant with ANSI X9.31
Key management: Keys are generated and stored on the CoreGuard Security Server, which features a FIPS 140-2 Level 2 validated design and is compatible with NIAP security requirements. Encryption keys are physically separate from the protected hosts. Security administrators authenticate to the server to configure security policies and associate them with encryption keys. CoreGuard then manages all authentications transparently. All encryption keys, system setup parameters and policy information can be exported in a secure format for remote safeguarding or key escrow and key exchange.
FIPS validated: Yes, FIPS 140 Level 2 validation. Common Criteria EAL 2 compliant.
Data encrypted at rest: Yes, CoreGuard allows concurrent access to encrypted data files and ensures that only authorized users using the intended application can access and decrypt the data.
Data encrypted in flight: No, although CoreGuard policies can ensure that encrypted data remains encrypted when accessed by specific network transfer applications.
Host and application protection: Yes, CoreGuard protects the integrity of hosts and applications, preventing the deployment of unauthorized applications and the introduction of unauthorized changes. CoreGuard authenticates the cryptographic fingerprint of all applications and resource files against a reference database, thereby preserving the system's "gold image" and preventing unauthorized applications and patches, software tools, operating/file system calls, and malicious code from running and accessing protected data.
Access control features: Yes, in contrast to other solutions that authorize access requests based on one or more user attributes, CoreGuard's context-aware access control system grants access to protected data only after policy evaluation that can optionally include any of the following criteria: user, application, file, type of I/O and time.
Auditing and reporting features: Yes, CoreGuard policies can audit specific I/O attempts to a file. The audit logs are centrally stored on the CoreGuard security server to record the complete context of the request, enabling complete traceability of host intrusion and data access events. Each audit event captures the user, the application, the file name, the type of I/O, whether the action was allowed or denied, and whether or not an encryption key was used. Audit logs can also be exported for consolidation into event correlation and reporting applications.
Other encryption features (if any): CoreGuard can optionally authenticate applications (processes and libraries) via digital fingerprints.
Interface/ports: Data ports: two 1000BaseSX Ethernet, SFP optical transceivers, LC connectors; two 1000BaseT Ethernet, RJ45 connectors. Management: 10/100BaseT Ethernet, RJ45 connector; RS-232 serial, DB-9 connector. High-availability interface: 10/100BaseT Ethernet, RJ45 connector
Vendor Comment: CoreGuard provides the only complete data protection solution through the tight integration of strong encryption, access control, separation of the duties of end users and system administrators, and host integrity protection.
Availability: Currently available
Base cost: Pricing starts at US$40,000
Detailed specs: http://www.vormetric.com/products_features2.html
Vendor URL: www.vormetric.com
-----------------------------------------------------------------------------------------------------------