Posted by: ramspower In reply to: None Date:4/15/2007 8:35:41 AM Post #of 141364
Encryption appliances: The new way?
These devices handle chunks of data but not algorithms specific to the payments industry.
By Lamont Wood and Jonathan Hopfner ComputerWorld Malaysia
Encryption may sound simple in theory, but in practice it is a demanding process in terms of both management and processing power. Increasingly, data centres are finding help for the process from a new class of device called encryption appliances. This hardware sits between servers and storage systems, encrypting data as it moves back and forth. It encrypts data at close to wire speed with very little latency. In comparison, encryption software on servers and in storage systems slows backups.

“Previously, we had three people devoted full time to key management and encryption,” recalls Christian Philips, director of security at Regulus Group, a US-based provider of payment processing solutions. “Since we started using an encryption appliance, those people have been redeployed.”

The market is only about five years old and consists of a handful of small firms, notes Jon Oltsik, an analyst at market research firm Enterprise Strategy Group. The appliances typically use specialised, dedicated processors to handle the processing demands of encryption, where every byte is the product of intense calculations. The devices cost from a few thousand to tens of thousands of dollars. They can either sit in line with a server or a local network, or they can function as an application server, encrypting any file sent to them within a network, he said.

Regulus is using an in-line device from Decru, a division of Network Appliance. Having one device handling encryption made the process much easier to manage, especially in terms of managing the encryption keys, Philips explains. “We had 300 to 400 custom applications where we were required to use encryption, and managing the release key for just one of them would be hard, but managing keys for all of them was untenable,” Philips said.
“With an encryption appliance, we get the same level of encryption across the board, but with a very small subset of the management effort, resulting in huge labour and cost savings for us.”

The fact that there is now one point of cryptographic attack did not worry him, Philips said, because he was using the 256-bit version of the Advanced Encryption Standard (AES) algorithm endorsed by the US National Security Agency, and because previously key management had been left to the programmers, who were likely to write down the keys and do other unsafe things.

Scalable, Easy to Implement

Offering an encryption appliance that functions as an application server is the specialty of US-based Ingrian Networks. An Ingrian appliance can encrypt data sent to it from anywhere in a network, or globally over the internet, using a strong version of Secure Sockets Layer (SSL) to protect the data in transit, explained Derek Tumulak, vice-president at Ingrian.

Marc Massar, security architect at a leading electronic payments processor that he chooses not to name for security reasons, said he relies on Ingrian appliances to encrypt credit card information. “If you have a large amount of data to encrypt, you might choose an appliance over software because it’s scalable, the time to implement is shorter, and implementation is easier,” Massar said. “But there are things that appliances don’t do, such as algorithms and operations that are specific to the payments industry. Appliances are more focused on general bulk cryptography.”

But sources agree that once the encryption appliances are installed, their chief advantage arises from the way they simplify the management of encryption keys.

Key management is, well, key

If you are going to encrypt data, the management of the encryption keys is vital, explained Trent Henry, an analyst at US-based research and advisory services firm Burton Group. “If you lose the key, the data is gone forever—it’s better than shredding,” he said.
“But you won’t want people generating keys willy-nilly; you want them generated programmatically, under central control, and then stored in a central archive, with appropriate backup, without losing control of them, while handing them out only to those entitled to have them. And then there is the question of rollover, where you change keys periodically. With an appliance, there is one place where the encryption is done, and that eliminates mistakes.”

Suresh Nair, Network Appliance’s managing director for Asean, says encryption appliances offer clear advantages over other solutions. “Software-based encryption, currently the most common solution, is slow, limited in scope, and not fully secure,” he says. “Device-level encryption technologies, now available for disk and tape, allow encryption at wire speeds without an impact on the application server or host. Appliance-based encryption solutions offer similar performance advantages along with the benefit of flexible deployment, are largely storage-system agnostic, and can be applied readily in heterogeneous disk and tape environments.”

“If you are doing encryption in Windows, you have to expose the keys to do the calculations, and a virus could attack the operating system and get the keys,” adds Decru vice-president Kevin Brown. “You could encrypt the keys themselves, but then there must be a key to encrypt the keys, until they’re nested like Russian dolls. People do that, but there is always a top level that is exposed.”

With an appliance, the keys can be contained in specialised hardware that has been coated with epoxy and has intrusion-detection features, Brown said. The operating system of an appliance has only those features needed to run the application and will not respond to control commands without proper two-factor authentication, he notes.
In addition, the hardware module holding the keys can’t be accessed by the operating system except through specialised interface hardware, and even there the data is encrypted, he indicates.

Hardware helps generate a truly random key

Brown notes that it has been possible to break some encryption that was based purely on software because the program had no way to generate a truly random number for use as the key. The Decru appliance, in contrast, has a hardware module that generates random numbers based on the heat fluctuations it detects in its circuits, Brown said.

With an Ingrian appliance, once the key is generated it never leaves the box, which Tumulak describes as being based on “a hardened, locked-down version of Linux.” Policy changes require multiple acknowledgements from multiple administrators, a process he compares to launching a missile from a nuclear submarine.

But however it’s accomplished, the need for encryption is only set to grow. After a series of high-profile security breaches, many companies in markets like the US are now legally required to encrypt customer data, and Nair says Asian financial institutions and organisations dealing with these markets are being forced to follow suit. “While the cost of a data breach can be substantial, the damage to the organisation’s reputation is immeasurable and may take years to repair. Data centre managers and administrators are looking for ways to secure their data and prevent it from falling into the wrong hands, so technologies that deliver storage security and encryption are gaining traction,” he says.

The growth of storage area networks (SANs) is another factor pushing the growth of the encryption appliance market, Nair says. “The risk of unauthorised data access only increases as enterprises adopt larger storage network deployments with expanded access, using file sharing protocols and emerging storage protocols,” he explains. “Advances in disk technology mean more data can be stored on fewer, physically smaller disks, further increasing the risk and impact of theft.”
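The key-management points made in the article (Henry's central archive with periodic rollover, Brown's "Russian dolls" of keys that encrypt keys, and the "better than shredding" property of a lost key) all fit one concrete pattern, envelope encryption, which the article describes in words but never shows. The Go program below is an added illustration and is not code from the article, Decru, Ingrian or NetApp. The KeyStore and Record types, the seal/open helpers and the kek-N identifiers are this example's own choices, and the card number is a constructed sample. Each record gets its own data-encryption key (DEK), which is wrapped under a named key-encrypting key (KEK) held only in the archive; rollover rewraps the small key blob and never touches the bulk ciphertext, and a record whose KEK is no longer in the archive cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // never errors: since Go 1.24 a CSPRNG failure aborts the process
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here; open checks that first
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal is AES-256-GCM returning nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal, failing closed on a missing (retired) key or any nonce/tag/aad mismatch.
func open(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key not in archive: data is unrecoverable")
	}
	gcm := gcmFor(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// Record is one stored item: bulk ciphertext plus its own DEK, wrapped under the KEK named by KEKID (bound in as aad).
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore stands in for the appliance's central archive: KEKs live only here, by name, so applications never hold a top-level key.
type KeyStore struct {
	keks    map[string][]byte
	current string
	n       int
}

// Rotate makes a fresh KEK current; old KEKs stay readable until rewrapped, and deleting one from keks shreds its records.
func (ks *KeyStore) Rotate() string {
	if ks.keks == nil {
		ks.keks = map[string][]byte{}
	}
	ks.n++
	ks.current = fmt.Sprintf("kek-%d", ks.n)
	ks.keks[ks.current] = randomBytes(32)
	return ks.current
}

// Encrypt gives each plaintext its own random DEK and wraps that DEK under the current KEK.
func (ks *KeyStore) Encrypt(plaintext []byte) *Record {
	dek := randomBytes(32)
	return &Record{ks.current, seal(ks.keks[ks.current], dek, []byte(ks.current)), seal(dek, plaintext, nil)}
}

func (ks *KeyStore) Decrypt(r *Record) ([]byte, error) {
	dek, err := open(ks.keks[r.KEKID], r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}

// Rewrap moves a record onto the current KEK by rewriting only the small wrapped DEK; the bulk ciphertext is untouched.
func (ks *KeyStore) Rewrap(r *Record) error {
	dek, err := open(ks.keks[r.KEKID], r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return err
	}
	r.KEKID, r.WrappedDEK = ks.current, seal(ks.keks[ks.current], dek, []byte(ks.current))
	return nil
}

func main() {
	var ks KeyStore
	ks.Rotate()
	rec := ks.Encrypt([]byte("4111 1111 1111 1111")) // constructed sample PAN
	ks.Rotate()
	err := ks.Rewrap(rec)
	fmt.Println(rec.KEKID, err) // kek-2 <nil>
}
```

In this toy the KEKs sit in ordinary process memory, which is exactly the "top level that is exposed" Brown describes; what an appliance adds is that this one layer lives inside the tamper-resistant module and only wrapped DEKs ever cross the boundary. Binding the KEK name into the wrap as associated data means a wrapped DEK cannot be silently re-labelled as belonging to a different KEK.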
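Brown's remark that software-only encryption has been broken because the program had no true random source for its key can be shown directly. The following Go program is an added example and not code from the article or any vendor named in it. weakKey imitates a once-common software pattern: seed a deterministic PRNG with the wall-clock second of key creation and draw the "256-bit key" from it, so that there is only one candidate key per second. recoverKey plays the attacker who knows roughly when the record was written and what its plaintext starts with. The seed value, the card-number plaintext and the "card-number:" prefix are constructed for the demo, and AES-CTR with an all-zero IV is used only so that the key is the sole thing under test.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	mrand "math/rand"
)

// weakKey imitates pre-CSPRNG software: a "256-bit" key pulled from a deterministic
// PRNG seeded with the wall-clock second of key creation. Every byte looks random,
// but there is only one candidate key per second, so the effective entropy is tiny.
func weakKey(createdUnixSeconds int64) []byte {
	r := mrand.New(mrand.NewSource(createdUnixSeconds))
	key := make([]byte, 32)
	for i := 0; i < len(key); i += 8 {
		binary.BigEndian.PutUint64(key[i:], r.Uint64())
	}
	return key
}

// strongKey is what a hardware RNG (or the OS CSPRNG) gives instead: there is no
// seed for an attacker to enumerate.
func strongKey() []byte {
	key := make([]byte, 32)
	if _, err := crand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// ctr applies AES-256-CTR with a fixed all-zero IV. The IV choice is deliberately
// simplistic so that the key is the only thing under test here; the same call
// both encrypts and decrypts. Assumed helper, not any vendor's code.
func ctr(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// recoverKey plays the attacker: knowing roughly when the record was written and
// that its plaintext starts with knownPrefix, try one candidate key per second in
// the window and keep the one that turns the ciphertext prefix into knownPrefix.
func recoverKey(ciphertext, knownPrefix []byte, from, to int64) ([]byte, int64, error) {
	if len(ciphertext) < len(knownPrefix) {
		return nil, 0, errors.New("ciphertext shorter than known prefix")
	}
	for s := from; s <= to; s++ {
		k := weakKey(s)
		if bytes.Equal(ctr(k, ciphertext[:len(knownPrefix)]), knownPrefix) {
			return k, s, nil
		}
	}
	return nil, 0, errors.New("no candidate seed in window produced the known prefix")
}

func main() {
	const created int64 = 1176626141                 // constructed: the second the record was "encrypted"
	record := []byte("card-number:4111111111111111") // constructed sample plaintext
	ct := ctr(weakKey(created), record)
	// The attacker only knows the day and the record format.
	_, seed, err := recoverKey(ct, []byte("card-number:"), created-43200, created+43200)
	fmt.Println("recovered seed:", seed, "err:", err) // recovered seed: 1176626141 err: <nil>
	_, _, err = recoverKey(ctr(strongKey(), record), []byte("card-number:"), created-43200, created+43200)
	fmt.Println("crypto/rand key found by seed search:", err == nil) // false
}
```

A day of uncertainty about the creation time is 86,400 trial keys, which the loop finishes in well under a second; the nominal 256-bit key length is irrelevant because the seed, not the key, is what gets searched. A key drawn from crypto/rand (or from the appliance's thermal-noise generator) has no seed to enumerate, so the same search simply runs out of window.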