All Keyed Up With NeoScale

Hits it early with security appliance that manages third-party encryption keys

March 14, 2006


NeoScale Systems will soon be one of the first major vendors of storage security appliances to support third-party encryption keys -- but it won't be the last.

On March 14, NeoScale plans to unveil the CryptoStor KeyVault, a system designed to manage encryption keys for multiple instances of its CryptoStor appliances -- and, via a free application programming interface (API), equipment from other vendors as well.

NeoScale's CryptoStor, installed alongside tape libraries or other appliances, digitally encodes stored data so that it can't be read except by a qualified recipient with a unique key. The new KeyVault automatically shares encryption keys associated with NeoScale CryptoStor appliances in multiple data centers. KeyVault can be used to streamline archiving procedures, safeguard disaster recovery sites, or exchange secure records with business partners, the vendor claims.

All good news, although the automated sharing of multiple keys is also claimed by competitors like Decru (now part of Network Appliance). The real highlight of the announcement -- and a feature that isn't duplicated by archrival Decru yet -- is the third-party API. NeoScale says the API is circulating among several large tape appliance and backup device vendors interested in having their keys managed along with CryptoStor's, though it won't identify these third parties just now.

If NeoScale can back its words with deeds, it could lead to a change in how storage encryption devices function. Instead of being relegated to one or two data streams, these units could now become the focal point for security in the storage network.

"Customers don't need different key management from different people," says NeoScale CEO Barbara Nelson. "Key management is the big pain point." (See Barbara Nelson, CEO and Chairman, NeoScale Systems Inc.)

Managing encryption keys, particularly across multiple sites for a range of data stores, is an increasingly complex task. Using a standalone hardware platform like NeoScale's for key management is potentially more secure than relying on software, which consumes CPU cycles and can lead to performance degradation. KeyVault integration could also save resources for storage vendors.

Indeed, suppliers of encryption appliances say they are being pressed by storage partners to get on board with integration. Spokespeople from Decru, Ingrian Networks, and Vormetric all say their firms are at work on the issue. Some even claim to have "major partners" waiting in the wings.

It remains a question whether users are as eager for the integration as their suppliers. "Third-party key support? It wouldn't really be for us," says Carlo Colon, a systems administrator at California Credit Union and a CryptoStor user. While he's delighted with the rest of NeoScale's announcement, he just doesn't have a pressing need for multivendor key management.

Still, the idea intrigues at least one user. "I'd be interested in this. Hardware is more secure, and key management is always a critical aspect. A dedicated appliance is better than multiple ad hoc solutions," says the CTO of a company that specializes in Web transaction systems. The exec, who asked to speak anonymously, isn't using NeoScale now.

Notably, another vendor, Kasten Chase, unveiled a key management product in December called Assurency Keystone, for which it offers a third-party API. However, execs acknowledge they haven't had demand for the product yet -- even though Kasten Chase, like NeoScale, is a member of the prestigious EMC Select partnership program.

Bottom line? If NeoScale delivers on its partnership promise, it could strike an early blow in a shift among storage encryptors.

"What's great about this announcement is not only is Neoscale stepping up addressing key management, they are also talking about it in the context of third parties and multiple technologies, including Fibre Channel and IP storage (SAN and iSCSI), among others," writes Greg Schulz, founder and senior analyst at the StorageIO Group consultancy. But Schulz acknowledges that talk won't prove any concept. "It's time to start showing what can be done besides simply talking about it."

While NeoScale preps its third-party program, it also is pushing the other innovations KeyVault brings, including support of FIPS 140-2 Level 3 from the U.S. National Institute of Standards and Technology (NIST). (See NeoScale Receives NIST Certification.)

NeoScale also boasts automation improvements and key sharing, though both have been featured by competing appliances. Formerly, data encryption would have to be duplicated by a separate CryptoStor appliance at the DR site.

KeyVault will be generally available in the second quarter for about $20,000 for a typical installation.

Mary Jander, Site Editor, Byte and Switch

Organizations mentioned in this article:

  • Decru Inc.

  • Ingrian Networks Inc.

  • Kasten Chase Applied Research Ltd.

  • National Institute of Standards and Technology (NIST)

  • NeoScale Systems Inc.

  • The StorageIO Group

  • Vormetric Inc.
