Data News
June, 2009
Compos Mentis
Sanity Speaks
Server Virtualization – Server virtualization allows its users to leverage the processing power of all of their physical servers to better utilize hardware. By implementing this solution, our customers have been able to forgo hardware purchases yet provide better performance and reliability for business-critical applications. This could be compared to the hybrid automobile. Essentially, a hybrid has two engines – one electric and one gasoline. If the electric engine is enough, then the hybrid doesn’t need to call on the gasoline thus reducing operating expenses. But the hybrid has the benefit to call on the more powerful engine when getting up to speed or climbing a hill or mountain.
Sanity’s partners include VMware and Virtual Iron.
Storage Virtualization – Similar to server virtualization, storage virtualization allows its users to spread the workload and cost to multiple controllers and drives. By using this technology, our customers get better storage utilization and easier/better data management.
Let’s say, for example, an organization has 50TB of data. In many cases, after completing a storage assessment, this organization is actually using 30% of the total space (or 15TB). It’s not that this organization wishes to underutilize its investment, but rather the technology forces them to underutilize the asset. Now, let’s say that we introduce technology that increases the 30% to 80%. Now the user gets 40TB of space available. The savings in this example is (40TB – 15TB) x cost per TB = savings.
Sanity’s partners include Compellent, Hitachi Data Systems, Xiotech, and Data Core.
WAN Acceleration – Have you ever inquired about increasing bandwidth to one or multiple locations? As data grows and data replication becomes common, bandwidth needs and costs have multiplied. WAN acceleration can help reduce costs because not every data block needs to be transferred if that data block was transferred previously. The math is quite easy: less data transfer = less bandwidth requirements.
Sanity’s partners include Riverbed and Cisco.
Data Deduplication – In a nutshell, data deduplication helps our customers reduce the amount of disk storage that they need to purchase. This technology not only helps reduce disk expenditures but also reduces power and tape media expenses as well.
Sanity’s partners include Data Domain and CommVault.
Archiving – Archiving will save you money by eliminating the non-changing/stale data from your primary and costly disk subsystem and placing it on a less costly media, while keeping it online for fast recovery.
Sanity’s partners include CommVault, Data Domain, and Hitachi Data Systems.
Tiered Storage – When tiered storage is done correctly, it allows you to put your data on the "right" type of media. In this case, "right" means the media/appliance that meets the business’s acceptable performance and uptime metrics at the lowest cost. Also note that "lowest cost" consists of acquisition, upgrade, and operational (time to manage) costs for the media.
Sanity’s partners include Hitachi Data Systems, Compellent, Xiotech, Overland Storage, Spectra Logic, Crossroads, CommVault, Data Domain, and Data Core.
These are just a few of the products and technologies that have helped our customers and can help you do more with less. Thank you for your continued support.
Thank you for your ideas and your continued support.
Sincerely, Jason
jcherveny@sanitysolutions.com
Sanity Services
As announced last month, we are now providing comprehensive service and assessment programs. Our current offerings include assessments in Storage (performance, LUN creation, and utilization), Data Centers (power and cooling) and an evaluation of the CommVault Simpana technology and its best practices. Our team of experts is continually trained on the latest products, services, and industry standards in order to provide you with storage and technology solutions that include securing data, eliminating data loss, increasing data availability and lowering overall costs. Give us a call to learn more about our services that will help your business run more efficiently.
Click here to download a printable PDF of our service offerings.
Focus on Services: CommVault Simpana Assessment
Our CommVault Simpana assessment services include an overview of best practices and overall analysis of system functionality. Our specific services include:
Business Requirement Assessment
- Simpana Best Practices
- DR/Business Continuity
- Compliance
- Migration (HSM) and Archiving
Configuration Review
Software Inventory and Compatibility Review
Applications Review
Scalability Review
For specific information on our CommVault Simpana Assessment Services, contact David Stalcup at dstalcup@sanitysolutions.com.
Click here to download a printable PDF with more details about our CommVault Simpana Assessment Services.
Click on the links below to download information about our other service offerings:
Data Center Services
Storage Services
Sanity Spotlight — Mike Chaput
Mike Chaput has been hired as a systems engineer in the company’s Phoenix office. Chaput comes to Sanity from Xiotech Corporation where he was a principal systems engineer. At Sanity, Chaput’s key responsibilities included presales, support and being a trusted advisor to Sanity’s clients. He enjoys having the opportunity to provide clients with end-to-end design solutions and problem solving. "Sanity is a great company to work for," explains Chaput. "After working with a manufacturer for eight years representing a single product line, I’m very excited to offer clients a full solution or help them solve a problem and fill gaps with an entire portfolio to represent."
Podcasting For Your Data Management Success
Sanity is hosting a series of five podcasts that address common best practices for data management in your business environment. Listen to our third podcast, Encryption in the Data Center and Beyond now, and stay tuned for future topics including:
- Server Virtualization and Its Considerations
- Storage Virtualization for Your Environment
Encryption – Uses and Methods
Written by: Chris Harrold
For more information on encryption, or any of your data services needs, contact Chris Harrold at charrold@sanitysolutions.com.
Blowfish Spotting
As the reliance on your storage system grows, so too does the need to secure the access to that data. Data provided by datalossdb.org, which maintains a listing of data loss incidents, shows that at year-end 2007, 340 incidents of data loss had occurred. Now, in fairness to the statistics, some of these were as small as a single file with Personally Identifiable Information (PII), but they ranged up to the loss of 94,000,000 (yes MILLION) Social Security Numbers and account information records from TJX (the parent company of TJ Maxx and others). The information exposures in these statistics all share one commonality – none of the data was encrypted and therefore it was publicly available for anyone to read provided they had physical access to the information storage.
The second important thing to take away from this is that there is no way to ever completely prevent access to data – short of putting your hard drives in a pillow case full of magnets and hitting it repeatedly with a hammer – if I have your physical media then I can likely get at the data on it eventually. It is that last word that drives the encryption business and that makes the loss of an encrypted data set much less likely to cause public embarrassment. The job then of these encryption solutions is not to prevent access to the data but to delay it long enough so that once you have the data it is likely no longer relevant.
Encryption Methods
The root of all encryption systems, regardless of where they are employed, is the mathematical construct that they use called an algorithm. There are many encryption algorithms commonly in use today, and all of them are generally based on an algorithm that requires a key to complete the formula to decipher the data. Breaking the encryption requires a system to essentially "guess" over and over at different keys trying to find the one that unlocks the cipher. To put this into perspective, the encryption algorithm for Blowfish is considered relatively simplistic in mathematical terms, but even with its "simple" system for encrypting and decrypting, a total of 522 iterations of the encryption algorithm are required to test a single key, effectively adding 2^9 steps to any brute-force attack. And that’s just ONE KEY. In a good encryption model, there will be several keys and they are changed regularly. It is like a janitor having a key ring with keys to all the doors in the building, only the building reaches from here to Jupiter and his key-ring has more keys on it than grains of sand on all the beaches in the world and he gets new ones every 30 days. It’s going to be a while before he mops up the floor in the office…
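To make the per-key cost concrete, here is an added example (not from the original article) that runs an exhaustive key search over a deliberately tiny constructed key and counts the work with and without a 522-iteration key setup. PBKDF2-HMAC-SHA256 stands in for Blowfish's key schedule, and all names, the salt and the sample message are assumptions made for the illustration.

```python
import hashlib
import hmac
import math

SETUP_ITERATIONS = 522              # per-key setup cost quoted in the article
SALT = b"constructed-salt"          # constructed sample value
MESSAGE = b"constructed sample record"


def derive_key(candidate: int, key_bits: int, iterations: int) -> bytes:
    """Costly key setup; PBKDF2 is a stand-in here, not Blowfish itself."""
    raw = candidate.to_bytes((key_bits + 7) // 8, "big")
    return hashlib.pbkdf2_hmac("sha256", raw, SALT, iterations)


def make_tag(candidate: int, key_bits: int, iterations: int) -> bytes:
    """Authentication tag over MESSAGE under the derived key."""
    key = derive_key(candidate, key_bits, iterations)
    return hmac.new(key, MESSAGE, hashlib.sha256).digest()


def exhaustive_search(target: bytes, key_bits: int, iterations: int):
    """Try every key in order. Returns (key, trials, work units),
    where work = trials * iterations of the setup function."""
    for trials, candidate in enumerate(range(2 ** key_bits), start=1):
        if hmac.compare_digest(make_tag(candidate, key_bits, iterations), target):
            return candidate, trials, trials * iterations
    return None, 2 ** key_bits, (2 ** key_bits) * iterations


def effective_bits(key_bits: int, iterations: int) -> float:
    """Key length plus the extra bits of work bought by the setup cost."""
    return key_bits + math.log2(iterations)


def demo():
    """Search a 10-bit constructed key with cheap and costly key setup."""
    key_bits, secret = 10, 0x2A7
    results = {}
    for iterations in (1, SETUP_ITERATIONS):
        target = make_tag(secret, key_bits, iterations)
        results[iterations] = exhaustive_search(target, key_bits, iterations)
    return results


if __name__ == "__main__":
    for iterations, (key, trials, work) in demo().items():
        print(f"setup={iterations:>3}: key={key:#x} trials={trials} work={work}")
    print(f"128-bit key with 522-step setup: {effective_bits(128, 522):.2f} bits")
```

The number of keys tried is identical in both runs; only the work per key changes, which is why a costly setup adds about nine bits of effort without lengthening the key.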
The second key part of the encryption model is WHERE do you encrypt? There are two very general places you can encrypt data: at rest (this is on-media encryption) or in flight (this is like VPN or network traffic). How you do this can vary wildly depending on the needs you have of the encryption. The fundamental issue with selecting an encryption solution is the penalty you pay for the overhead of the encryption itself. Remember the janitor and his key ring? Well, someone had to go and make all those keys for him, and it is the processing of the algorithm over and over again that causes the overhead for encryption. This overhead can vary in extremes depending on the complexity of the algorithm and the key required to complete the encryption/decryption of the data.
This need for speed has prompted a response in the form of encryption appliances and offloading devices designed to sit in line with your data streams, such as a blade in a SAN switch or Network router. This offloading of the encryption process means that the hosts and the consumers (end users) of the data do not see the lag in response from encrypted file systems and transmission encryption. The secondary encryption field has rapidly expanded, too, as the loss of tape media has caused some very high-profile data breaches. LTO4 tapes now support encryption on the drive and most major software manufacturers are supporting at least some level of encryption to media.
What determines encryption need?
Unfortunately (or fortunately, depending on your perspective) the drive for encryption in the IT world is currently being motivated by fear. I think that in spite of the many high-profile data loss scenarios of recent years, this fear is largely misdirected. The loss of a laptop by an NSA agent is not something that SAN encryption or backup tape encryption would have fixed. Client encryption would have been the solution here – another example of "at rest" encryption. Also, if you are protecting top-secret government data, then the paranoia level will understandably be much higher and the encryption selected will likely follow suit. (The government requires AES on all secret and above classified documents, with a minimum key of 128 bits.)
Where you encrypt needs to be related to the likelihood of loss (yes LOL – not a laughing matter in this case). You are much more likely to have an employee’s laptop stolen than your whole SAN. Likewise, you are also much more likely to have a tape "fall off the truck" than to have someone eavesdrop on your network, capturing data packets and assembling them into something useful. So why then would I want to encrypt at these points, which many manufacturers are driving us all toward? Simple. It is FAST – really fast. Once data is encrypted, it is encrypted until you decrypt it. So where you encrypt really boils down to the place that makes the most sense and has the least impact. This is the reason that appliance-based encryption, SAN blades and Network encryption devices are gaining in popularity – the data passing through them is encrypted, regardless of where it ends up. There’s one MAJOR exception, though – your end-user. Unfortunately, the glaring weakness is that in order to use it, the end-user has to see data in plaintext. That means if they copy it locally, it is wide open.
Plugging the leaks
An encryption solution will only be as good as the policy and procedures that support it. Change control, user guidelines, proper auditing and security roles, and good security discipline are as important as choosing to encrypt data in terms of maintaining data integrity. The 94,000,000 records stolen from TJX over the summer last year were obtained because a Web server had not been properly patched against a three-year-old vulnerability. No amount of encryption would have fixed that.
When you are considering a solution to provide encryption for your critical data, you need to ask yourself the following key questions:
- Where is my LOL highest?
- What is the level of paranoia?
- What is driving the decision?
- Do my policies and procedures support my plan to protect my data?
Armed with these basic answers you can start to navigate the landscape of encryption solutions to find the one that fits your needs and requirements best.
I will send you a case study that was written about one of Sanity’s recent wins. While it doesn’t say Sanity in the write up we can say that it is our customer and it is a case study about encryption…timely.
TapeSentry® Provides Maximum Security for a County Government's Critical Data Stored Offsite
With a slew of data breaches in the headlines, Affiliated Computer Services (ACS) proactively decided to encrypt tape media stored offsite for a local government client.
Michael Welch, a Network Specialist at ACS, works with a government county made up of elected officials and emergency response departments. His goal was to keep data security at the forefront while not slowing down any processes. "We need our government clients to know that we proactively prevent data breaches to keep data safe and the county out of the headlines," said Welch. "I, personally, have received letters from former employers or credit card companies saying ‘you may have been affected by a loss of backup tapes,’ so I am very aware of the importance of protecting data."
Other Encryption Solutions Not Acceptable Due to Expense and Performance
Welch considered adding encryption and compression through a Backup Management Application (BMA) but found that the performance hit to servers was a problem. "The client-side encryption really took a hit on my CPU," said Welch. "We have some 24x7 departments that cannot go down or have a noticeable slowdown at all—most notably emergency response departments." Additionally, ACS evaluated a solution that would encrypt and compress data locally before storing it remotely. "It was a very expensive solution for remote backup," said Welch. "There comes a point where, if you are a large enough shop, you either don’t have the bandwidth or remote backup services are cost prohibitive."
Since the county needed to easily back up all data, there was no way to reduce the 9TB of data; therefore, Welch couldn’t consider disk-to-disk because of the expense. "So, we use tape, which is relatively cheap," said Welch. "But, we must take tape media offsite, so there’s a vulnerability there."
Welch was introduced to TapeSentry, an appliance solution that eases the security challenges inherent in tape, offering router based, high-performance tape encryption.
TapeSentry Chosen for Cost-Effectiveness & Ease-of-Use
After evaluating TapeSentry, which met both the budget and resource constraints, Welch said, "TapeSentry hasn’t caused me any backup slowdowns or maintenance issues. It is a very cost-effective solution for the client’s environment." As a heterogeneous solution, TapeSentry installed quickly and integrated easily at the county’s site. Without requiring costly infrastructure updates or add-on costs, TapeSentry now provides ACS easy administration and management via a secure, Web-based interface. Additionally, comprehensive key management is required for a distributed enterprise encryption infrastructure, and TapeSentry supports all phases of the key life cycle. Welch said he is very pleased with the key management, ranging from key generation and distribution to key archiving, recovery and deletion. Fear of data loss is unnecessary due to TapeSentry’s complete multi-site key replication and automatic backup/recovery.
Scalability Allows TapeSentry to be a Long-Term Solution for ACS
Today, ACS runs weekly incremental and full backups, which are duplicated, and the monthly backups are now encrypted using TapeSentry and stored to tape offsite. "We have a transport to the offsite location, so if something were to happen to the driver, or if the tapes were stolen, the client is covered because the tapes are encrypted," said Welch. "You really must do something to secure data stored offsite on tape." Due to scalability, ACS will be able to use TapeSentry moving forward—even if the tape backup environment changes. Since TapeSentry’s configurable encryption policies are not device- or drive-dependent, it has the ability to translate the inconsistencies of the languages used by different types of tape drives. "I plan to use TapeSentry for at least the next five years," said Welch. "If you are storing tape at a remote location, I would highly recommend TapeSentry."
"TapeSentry® was chosen because of cost and convenience. Client-side tape encryption was hiring some of the servers too much, and I didn’t care for that. I wanted something in-line that wasn’t going to impact the speed of my backups—TapeSentry does what I need."
~Michael Welch – Network Specialist for ACS
© 2009 Crossroads Systems, Inc. Crossroads, Crossroads Systems and TapeSentry are registered trademarks of Crossroads Systems, Inc. All other trademarks are the property of their respective owners.
The Sane Choice Monthly Drawing
Anyone who registers for an event or requests to receive an information package will automatically be entered to win in the Sanity Solutions Sane Choice Drawing. You can also fill out this form and type the word "DRAWING" in the event code section. Check back monthly to see what you could win!
Following Sanity’s News and Industry Best Practices on Twitter
A great way to easily keep up with Sanity’s free educational events, Sanity news and industry best practices is to follow us on Twitter.
We will regularly post our events and other educational material available to help you keep up with changes and offerings within the SAN environment.
Twitter id: sanitysolutions.
New Technology Partners
Sanity is pleased to announce partnerships with DataCore and Elliptical Mobile Solutions. Both of these companies will enhance our already strong service and product offerings in order to solve all of your storage area network needs. If you have questions or would like product demonstrations for either company, please contact one of our sales representatives.
SAN FRANCISCO
SANITY SOLUTIONS AT VMWORLD WITH DATACORE
- BOOTH #1607
Monday, August 30 - September 2, 2010
PHOENIX, AZ
AZ – INTERFACE PHOENIX BOOTH #101
Sept 23, 2010 9:00AM - 4:30PM
DENVER, CO
CO – INTERFACE DENVER BOOTH #110
October 7, 2010 9:00AM - 4:30PM



