A Key to Security

5:50 PM -- NeoScale plans to support PKCS#11, a protocol generated by RSA (now part of EMC) that controls encryption keys generated by multiple third-party applications or devices.

Example: If I'm using NeoScale's CryptoStor KeyVault to protect my SAN, but I'd previously installed open systems tape encryption from another vendor, mainframe tape encryption from a third, and disk drive encryption from still a fourth, I can manage all the storage access via KeyVault.

The "key" here is that I could use KeyVault to enforce policies about access and to centralize control over security for "data at rest." Get the picture?

NeoScale also claims to be "working closely" with the IEEE P1619.3 committee to create links between multiple key managers and encryption devices.

NeoScale's vision sounds great, and it's tough to argue with standards efforts, but there aren't any partners in the loop just yet. For now, the nirvana of central encryption control remains a castle in the air.What's more, support for standards hasn't been a feature of storage security wares from NeoScale, Decru, and Vormetric up to now, though all have their own APIs for use by partners.

A spokeswoman for Decru says the company doesn't pay much attention to PKCS#11 because Decru engineers don't think the spec is too "low level." "Consequently, Decru is heavily involved with the standards bodies that are specifically targeting security for data at rest such as IEEE P1619, Trusted Computing Group, and ANSI T10/T11," she writes in an email.

A Vormetric spokesman says his company also supports PKCS#11 and may also see some convergence with IEEE P1619 in the future.

None of these competitive comments bolsters NeoScale's position. Still, the idea of a common key manager for stored data is intriguing. Maybe it's time to take a closer look at the possibilities. Thanks for the tip, NeoScale!

Mary Jander, Site Editor, Byte and Switch