September 21, 2006

Covering your (tape) assets

To truly protect stored data, you've got to go beyond encryption

With two major vendors -- IBM and Sun -- announcing tape encryption technologies, Sept. 13 should have been a turning point in datacenter security. Well, it wasn’t.

If those two tape devices, the IBM TS1120 and the Sun StorageTek T10000, are compatible with your datacenter and your budget, you now have the ability to encrypt data before sending a reel outside of the company. However, don’t feel too relaxed -- you are not much more secure than you were before.

Is it because those solutions have major flaws? Not that I know of, although the two vendors are taking shots at the shortcomings of each other’s products. I’m not going to get into that debate: They are both right, because from where I stand, both solutions have room for improvement.

Where I see a problem is that covering your tape assets with encryption takes care of only one of the many vulnerability points in your company.

Granted, with tape encryption you don’t risk making headlines if one of your backup tapes falls off the delivery truck or is stolen in transit, but sensitive data can still trickle outside the company by other paths. Think of a laptop with a copy of your customer database, or a CD -- or a DVD, a USB key, a removable drive, an external drive, you name it. They all have similar potential to become an embarrassing and damaging piece of news if lost or misplaced.

How can you make sure that you cover all your data storage security vulnerabilities? And is this even possible?

According to startup BitArmor, its Security Suite can protect company data anywhere, at any time, including on those uncontrollable mobile devices and personal storage systems.

BitArmor Security Suite’s features list includes in-flight encryption, data protection regardless of the media used, and centralized control of security and retention policies. If that sounds impressive, there’s more: According to BitArmor Vice President of Marketing Mark Buczynski, the suite can also seamlessly maintain an audit log of changes affecting data security -- an auditor’s nirvana -- and remotely zap or physically delete expired data.

These last two features address two important aspects of handling data: making data that is detached from the network -- on a USB key, for example -- inaccessible, and recovering the capacity used by old information.

Security Suite relies on a central server (actually two, for redundancy) based on a hardened version of Linux. This central server hosts policies, users, and their privileges. The targets include Windows environments, servers, desktops, and laptops, where a BitArmor agent on each machine enforces data access policies according to instructions received from the central server.

BitArmor doesn’t rely on Microsoft Active Directory (“We can offer better security,” Buczynski says) and doesn’t use PKI (“For us, PKI is a four-letter word,” he says). Instead, it deploys a proprietary symmetric key processing system that, Buczynski suggests, is easier to manage and offers similar -- if not better -- authentication.

BitArmor has a compelling story. If they can deliver on that promise, Security Suite could be the best thing that ever happened to a Windows shop, and it could mark a real turning point in data security.

Join me on The Storage Network with questions or comments.


©1994-2009 Infoworld, Inc.