EMC plans array-based encryption via PowerPath

EMC's next security move will be array-based encryption through PowerPath by 2008, according to internal documents obtained by SearchStorage.

EMC Corp. made several major announcements this week as part of the RSA Security conference in San Francisco, including the first integration between its Symmetrix arrays and technology from its $2.1 billion acquisition of RSA Inc. EMC also plans to build encryption directly into its arrays by integrating RSA's encryption into its PowerPath failover software, according to an internal EMC document obtained by SearchStorage.com.

According to the document, "PowerPath Data at Rest Encryption will leverage RSA Key Manager to provide data encryption at the storage-device level to protect data from unauthorized access or the removal of a disk drive or array from a secured environment."

The document said the feature will also allow for encryption across heterogeneous arrays and use PowerPath migration to migrate between encrypted and nonencrypted boxes. The capability is still in its infancy, according to the document, which said it will be beta tested in customer environments throughout the next 12 months and generally available sometime in the first half of 2008.

In the meantime, EMC has updated Symmetrix with three new security features: Audit Logging, for a tamper-proof view of management and support actions; Symmetrix Service Credential, which prevents unauthorized service actions; and Certified Data Erasure, a feature that performs a U.S. Department of Defense-certified overwrite of bits on failed Symmetrix disks to prevent data theft.

During a panel discussion at the RSA security conference on Wednesday, EMC CEO Joe Tucci hinted that the encryption update would be coming. "It will not be long -- though the day is not today -- when we will be able as a company to encrypt data on the fly in the storage array without one of two bad things happening, one of which is additional cost and two is slowing down I/Os," he said. Adding bigger processors to the director boards would add the "horsepower" to accomplish this, Tucci added.

"It's certainly feasible," said Jon Oltsik, senior analyst with the Enterprise Strategy Group, of the purported encryption plan. "Since RSA owns the cryptography library, they can add it to their code."

A potential issue for encrypting via PowerPath would be the duality of the data streams, Oltsik said, which could result in different data encrypted with the same key, or the same data encrypted with different keys, both of which could present a management challenge. "But it's not something that couldn't be overcome," he said.

Oltsik said that array-based encryption could have a relatively limited application, as it wouldn't protect data over the wire, and anyone with logical access to the application could still get at the data. However, Oltsik said, there is a "niche market" that would probably be interested, mostly large intelligence, law enforcement and financial customers, and he pointed out that this is a huge and highly lucrative market for EMC.

Users react to Symmetrix updates

Users said they were most intrigued by "tiered storage optimization features" announced for the Symmetrix array this week, which include dynamic cache partitioning and quality of service (QoS). The dynamic cache partitioning feature will allow the assignment of upper and lower thresholds of cache allotted to device groups arranged by application -- meaning that if users want their Exchange server to be given more cache than a file share, it's now possible. QoS will allow for similar prioritization when accessing disk drives -- now, if two hosts are attempting to access the same drive, the user can set which one gets priority.

"That's something we would really be excited about," said one DMX-3 user for a major telecom provider who asked that neither he nor his company be named because of a policy his company has prohibiting him from speaking on record with the press. "Cache is something that's come up lately in our environment -- we've known for years that cache can really affect throughput."

Now, the user said, he's wondering how to figure out how much cache to partition for his particular applications. "I would like to see EMC offer a product or service that suggests partition sizes for different-sized applications with this feature," he said.

There's a catch for users of older systems, however: not every Symmetrix will be able to take advantage of the updated caching feature. The code is part of the Enginuity 5772 version, which is for DMX-3 only. EMC has no plans to release a version of dynamic cache partitioning for older systems, said Bob Wambach, senior director, Symmetrix product marketing for EMC, though he said there was no technical reason for the restriction to newer DMX systems.

"It is due to lack of demand on the older machines that have been deployed for several years now," he told SearchStorage in an email. "Symmetrix DMX-3 is the platform that customers are performing large consolidations with, so dynamic cache partitioning is more relevant to DMX-3."

However, according to Becchetti, senior infrastructure engineer for a major national financial services company, adding even one Symmetrix frame to his system is proving to be tricky. In order to phase DMX-3 into his shop, which currently runs on DMX 2000 and 3000 arrays less than two years old, Becchetti has been looking into adding one frame of the newer system, "but even that could blow my budget for the year," he said.
