re: still nothing, page-58

re: safenet marketing I guess we will just have to wait until they bring out the product? :)

Encrypting data the right way
By Greg Farris

Securing sensitive digital data—whether it is customer information, financial figures, or intellectual property—has become a top concern for companies. With a variety of threats facing organizations today, and many of them originating inside their own networks, firewalls and intrusion protection are no longer adequate data security methods.

Data-at-rest encryption has become an essential option because, unlike perimeter controls, encryption can protect data even when accessed in storage or removed from a secure location. Encryption secures data by rendering it unreadable to anyone except authorized users who have the right digital key.

A variety of encryption options
There is no question that some type of encryption method should be employed to protect sensitive business data. The question that remains, however, is which encryption tool should be used? Users are presented with a wide range of options that differ greatly on points such as how and where encryption is deployed. They also differ when it comes to the benefits they offer and the challenges they present.

The following are a few of the more popular encryption options available today:

***In-line encryption appliances***
In-line encryption appliances reside in the SAN between the storage devices and servers requesting the encrypted data. The appliances encrypt data as it passes through them on its way to storage—protecting the data while at rest—and decrypts it going back to the applications.

In-line appliances are easily installed point-to-point solutions, but they cannot scale easily or affordably. The problem arises in high-port-count, enterprise-class environments or when multiple sites need to be secured. In these cases, the cost of installing racks of hardware appliances across distributed storage environments becomes exorbitant. In addition, each device must be configured and managed individually or in small clusters, adding a substantial administrative burden.

Database-level encryption
Database-level encryption enables the encryption of fields of data when they are stored in a database. This type of deployment is also called column-level encryption because it is performed at the column level in a database table. Database-level encryption is more economical for companies with sensitive data located exclusively in one or possibly two database columns. Because encryption and decryption are generally performed by software rather than hardware, however, the process can cause an intolerable level of performance degradation across the system.

File-level encryption
File-level encryption can take place on the host or in-line at the NAS storage level. Depending on the implementation, this encryption method can also cause performance issues, and it creates limitations when performing data backup operations, particularly for databases. In particular, file-level encryption can cause considerable difficulties with key management, adding an extra layer of administration to identify and correlate relevant keys based on file-level directory locations. File-level encryption can also introduce challenges when using certain types of database backup applications, such as Oracle RMAN, that do not use a file-level approach to backup data.

Device-level encryption
Device-level encryption is an emerging method that involves encrypting data at rest on storage devices, including hard disk and tape. While device-level encryption offers a high level of transparency to users and applications, it provides very limited protection. Data is not encrypted during transmission. It is only encrypted once it reaches the storage device, so device-level encryption only protects against theft of the physical storage media. In addition, use of this technique in a heterogeneous environment may require the use of multiple key management applications, which increases complexity of the key management process and consequently the risk to data recovery.