Tales from "De Crypt"

Few things get the vultures circling like news of a security breach. A look at how one company assures confidentiality by encrypting all of the data that touches its SAN.
Posted November 16, 2005

Drew Robb

You can’t be too careful, these days, when you are handling other people’s data. Leaks are exposed ruthlessly in the press, shareholder confidence is eroded and customers wonder if they should move their business elsewhere. That’s why more and more firms are turning to encryption technology.

Payformance Corp. of Jacksonville, FL., for example, offers software applications that allow companies to print MICR laser checks, statements, invoices and other documents in house. The bulk of its customers are in healthcare and finance, and to do business, they have to trust Payformance with confidential financial information.

“Confidentiality is a big priority for our customers,” says George Betancourt, security officer at Payformance. “They are very concerned about security and privacy of the sensitive data they entrust to us.”

As well as payment-related data, the company also handles protected health information (PHI), which is regulated under the Health Information Portability and Accountability Act (HIPAA).

“Some customers have to send us some PHI such as lab results or personal health information,” says Betancourt. “Naturally, they expect us to be totally buttoned up.”

The company initially tested the encrypting file system that is part of Windows Server 2003. Betancourt reports, however, that due to the way the company processes files, this system took too long to encrypt the data.

“We weren’t happy with the performance with the encrypted file system,” he says. “Although it took less than an hour, it put customers on hold.”

The IT department then evaluated the various solutions available on the market, and CryptoStor by NeoScale Systems Inc. of Milpitas, CA, emerged from the pack. The fact that CryptoStor was certified by EMC Corp. (Hopkinton, MA) made a big difference in the selection process, says Betancourt. The company operates a 2 TB EMC CLARiiON CX500-based SAN that it purchased through Dell Inc. (Round Rock, TX). Its switches are made by McData Corp. (Broomfield, CO) and the FC cards are manufactured by QLogic Corp. (Aliso Viejo, CA).

Payformance operates CryptoStor FC (Fibre Channel) in the SAN. Two units are installed for failover, since no SAN downtime of any kind is permitted. The NeoScale units are plugged into the SAN fabric itself: any time information is saved to the SAN, it passes through the devices, is encrypted there, and is then fed to the SAN arrays. The appliances apply 256-bit encryption.

“Everything on the SAN is encrypted,” says Betancourt. “Rather than try to distinguish the sensitive from the non-sensitive, we decided to just encrypt everything.”

NeoScale CryptoStor FC storage security appliances deliver wire-speed security for SAN-attached disk arrays without requiring complex host agents or re-mapping of storage devices. CryptoStor enforces policies for primary storage access control and data-at-rest encryption. IT ran performance tests before and after installation to measure the overhead; they revealed no performance or latency issues.
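The inline "encrypt everything on its way to the array" design described above is easy to see in miniature. The following Go program is an added example written for this article; it is not NeoScale's CryptoStor code, whose internals the article does not describe. A BlockStore type stands in for the CLARiiON array and an Appliance type for the inline encryptor. The article says only "256-bit encryption", so the choice of AES-256-GCM, the per-write random nonce and the use of the block address as authenticated data are all assumptions of this example; they show why an array that only ever holds ciphertext also cannot have its blocks silently altered or swapped.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// BlockStore stands in for the disk array (constructed for this example).
// It only ever sees what the appliance hands it.
type BlockStore struct {
	blocks map[uint64][]byte
}

func NewBlockStore() *BlockStore { return &BlockStore{blocks: map[uint64][]byte{}} }

// ContainsPlaintext reports whether the raw store holds the given bytes
// anywhere. With encryption in the data path it should never be true.
func (s *BlockStore) ContainsPlaintext(p []byte) bool {
	for _, raw := range s.blocks {
		if bytes.Contains(raw, p) {
			return true
		}
	}
	return false
}

// Appliance sits in the data path like an inline encryptor: every write is
// sealed with AES-256-GCM before it reaches the store, and every read is
// unsealed and authenticated on the way back. The key never leaves it.
type Appliance struct {
	aead  cipher.AEAD
	store *BlockStore
}

// NewAppliance requires a 32-byte (256-bit) key.
func NewAppliance(key []byte, store *BlockStore) (*Appliance, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Appliance{aead: aead, store: store}, nil
}

// blockAAD encodes the block address as additional authenticated data, so a
// ciphertext copied to another address fails authentication (assumed design).
func blockAAD(n uint64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, n)
	return buf
}

// Write seals data under a fresh random nonce and stores nonce||ciphertext.
func (a *Appliance) Write(n uint64, data []byte) error {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := a.aead.Seal(nil, nonce, data, blockAAD(n))
	a.store.blocks[n] = append(nonce, sealed...)
	return nil
}

// Read unseals a block; any change to the stored bytes, or a block moved
// from a different address, is rejected by the GCM tag check.
func (a *Appliance) Read(n uint64) ([]byte, error) {
	raw, ok := a.store.blocks[n]
	if !ok {
		return nil, fmt.Errorf("block %d not present", n)
	}
	ns := a.aead.NonceSize()
	if len(raw) < ns {
		return nil, errors.New("stored block too short")
	}
	return a.aead.Open(nil, raw[:ns], raw[ns:], blockAAD(n))
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store := NewBlockStore()
	app, _ := NewAppliance(key, store)
	secret := []byte("PHI: constructed sample lab result") // constructed input
	_ = app.Write(7, secret)
	back, err := app.Read(7)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(back, secret), err)
	fmt.Printf("array holds plaintext: %v\n", store.ContainsPlaintext(secret))
}
```

The point the Payformance deployment relies on is the one the example makes observable: the host writes plaintext, the array stores nothing but ciphertext, and the only place the 256-bit key exists is the appliance in between. Losing a disk, or a tape written through the equivalent CryptoStor Tape unit, therefore exposes ciphertext only, while the key-holding appliances become the component whose failover and key management must be planned for.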

On the backup side of the equation, Payformance runs Veritas Backup Exec 10 by Symantec Corp. of Cupertino, CA. Data is backed up to a Dell PowerVault 132T tape library that holds up to 20 tapes. Backups are written onsite, but the tapes are then moved to a secure offsite location, so the company has installed a CryptoStor Tape unit to encrypt the tape backups as well. Why no failover for the tape backup?

“A risk assessment determined that it would be OK to not have failover in this case,” says Betancourt. “In the case of a failure, we would halt backups until it was repaired.”

Next year, he says, Payformance plans to add another NeoScale unit at a data recovery site. In this case, two units will be configured for failover.

Encryption Necessity

To avoid becoming tomorrow’s headline horror story, companies have begun to realize that data encryption is fast becoming yet another cost of doing business. If you handle customer or confidential client information of any kind, there is no alternative but to fully safeguard that data.

“Security is finally getting attention, but still not enough,” says Steve Duplessie, a storage industry analyst with Enterprise Strategy Group of Milford, MA. “Privacy issues are going to ultimately mandate that ALL data that you care about has to be encrypted - and that will cause big issues all over IT.”

This article was first published on EnterpriseITPlanet.com.
