Encryption appliances: The new way to automate security

Encryption may sound simple in theory, but in practice, it's a demanding process in terms of both management and processing power. Increasingly, data centers are finding help for the process from a new class of device called encryption appliances.

"Previously, we had three people devoted full time to key management and encryption," recalled Christian Philips, director of security at Regulus Group LLC in Napa, Calif. "Since we started using an encryption appliance, those people have been redeployed."

The market is only about five years old and consists of a handful of small firms, noted Jon Oltsik, an analyst at Enterprise Strategy Group Inc., a market research firm in Milford, Mass. The appliances typically use specialized, dedicated processors to handle the processing demands of encryption, where every byte is the product of intense calculations. The devices cost from a few thousand to tens of thousands of dollars, Oltsik explained.

Typically, they can either sit in line with a server or a local network, encrypting and decrypting all traffic, or they can function as an application server, encrypting any file sent to them within a network, he said.

Regulus Group is using an in-line device from Decru Inc., a division of Network Appliance Inc. in Redwood City, Calif. Having one device handling encryption made the process much easier to manage, especially in terms of managing the encryption keys, Philips explained.

(Photo: The Decru DataFort)

"We had 300 to 400 custom applications where we were required to use encryption, and managing the release key for just one of them would be hard, but managing keys for all of them was untenable," Philips said. "With an encryption appliance, we get the same level of encryption across the board, but with a very small subset of the management effort, resulting in huge labor and cost savings for us."

One point of cryptographic attack?

The fact that there is now one point of cryptographic attack did not worry him, Philips said, because he was using the 256-bit version of the Advanced Encryption Standard (AES) algorithm endorsed by the National Security Agency and because previously key management had been left to the programmers, who were likely to write down the keys and do other unsafe things.

Offering an encryption appliance that functions as an application server is the specialty of Ingrian Networks Inc., also in Redwood City. An Ingrian encryption appliance can encrypt data sent to it from anywhere in a network or globally on the Internet using a strong version of Secure Sockets Layer (SSL) for encryption in transit, explained Derek Tumulak, vice president at Ingrian.

(Photo: The Ingrian Data Secure)

Marc Massar, security architect at a leading electronic payments processor that he chose not to name for security reasons, said he relies on Ingrian appliances to encrypt credit card information. "If you have a large amount of data to encrypt, you might choose an appliance over software because it's scalable, the time to implement is shorter, and implementation is easier," Massar said. "But there are things that appliances don't do, such as algorithms and operations that are specific to the payments industry. Appliances are more focused on general bulk cryptography."

But sources agreed that once the encryption appliances were installed, their chief advantage arose from the way they simplified the management of encryption keys.

Key management is, well, key

If you are going to encrypt data, the management of the encryption keys is vital, explained Trent Henry, an analyst at Burton Group, a research firm in Midvale, Utah. "If you lose the key, the data is gone forever -- it's better than shredding," he said. "But you won't want people generating keys willy-nilly; you want them generated programmatically, under central control, and then stored in a central archive, with appropriate backup, without losing control of them, while handing them out only to those entitled to have them. And then there is the question of rollover, where you change keys periodically. With an appliance, there is one place where the encryption is done, and that eliminates mistakes."

Kevin Brown, vice president at Decru, explained that "if you are doing encryption in Windows, you have to expose the keys to do the calculations, and a virus could attack the operating system and get the keys. You could encrypt the keys themselves, but then there must be a key to encrypt the keys, until they're nested like Russian dolls. People do that, but there is always a top level that is exposed."
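The two management ideas above, a top-level key that wraps the per-application keys and periodic rollover of that key, can be shown in a few lines. This is an added illustration, not Decru or Ingrian code; since AES is not in Python's standard library, the cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus an authentication tag), and the key store, application name and card number are constructed for the demo.

```python
import hmac, hashlib, secrets

# Stand-in cipher for the demo: HMAC-SHA256 as a counter-mode keystream,
# encrypt-then-MAC. Illustrates the key hierarchy, not a production cipher.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)  # OS CSPRNG; an appliance would use its hardware RNG
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class KeyStore:
    """Central archive: one master key (the exposed top level) wraps per-application data keys."""
    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)
        self.wrapped: dict[str, bytes] = {}  # app name -> data key wrapped under master
    def new_data_key(self, app: str) -> None:
        self.wrapped[app] = seal(self.master, secrets.token_bytes(32))
    def data_key(self, app: str) -> bytes:
        return open_(self.master, self.wrapped[app])
    def rollover(self) -> None:
        """Rotate the master key: re-wrap every data key; the encrypted data is untouched."""
        new_master = secrets.token_bytes(32)
        self.wrapped = {app: seal(new_master, open_(self.master, blob)) for app, blob in self.wrapped.items()}
        self.master = new_master

def demo() -> bool:
    store = KeyStore(); store.new_data_key("billing")  # constructed application name
    record = seal(store.data_key("billing"), b"4111-xxxx-xxxx-1111")  # constructed sample record
    old_master = store.master; store.rollover()
    still_readable = open_(store.data_key("billing"), record) == b"4111-xxxx-xxxx-1111"
    try:
        open_(old_master, store.wrapped["billing"]); return False  # retired master must fail
    except ValueError:
        return still_readable
```

Because only the wrapped data keys are re-encrypted, a rollover touches a few hundred small blobs rather than every encrypted record, which is the management saving the article describes.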

But with an appliance, the keys can be contained in specialized hardware that has been coated with epoxy and has intrusion-detection features, Brown said. The operating system of an appliance has only those features needed to run the application and will not respond to control commands without proper two-factor authentication, he noted.

In addition, the hardware module holding the keys can't be accessed by the operating system except through specialized interface hardware, and even there the data is encrypted, he indicated.

Hardware helps generate truly random keys

Brown noted that it has been possible to break some encryption that was based purely on software because the software did not have any way to generate a truly random number for use as the key. The Decru appliance, in contrast, has a hardware module that generates random numbers based on heat fluctuations it detects in its circuits, Brown said.

With an Ingrian appliance, once it is generated, the key never leaves the box, which Tumulak described as being based on "a hardened, locked-down version of Linux." Policy changes require multiple acknowledgements from multiple administrators, a process he compared to launching a missile from a nuclear submarine.

But however it's accomplished, the need for encryption is not going to go away, added Tumulak. "Ten years ago, the emphasis was on secure perimeters against hackers, but as perimeter security became mature, we began seeing other types of attacks, such as insiders or tapes lost in transit," he noted. "And then we began seeing compliance mandates, such as law SB 1386 in California and its equivalent in a couple of dozen other states, which requires that you notify a person when their unencrypted data has been exposed."

Indeed, we may see encryption appliances for the desktop. "Over the next two to three years, I believe that we will be seeing a lot more hardware dedicated to the overall threat management problem, from message scanning to encryption, since it is not at all clear that a PC will have the power to handle it," said Jack Gold, head of J. Gold Associates, a market research firm in Northboro, Mass.


Lamont Wood is a freelance writer in San Antonio.

Copyright © 2007 IDG Communications, Inc.
