Maybe you saw the press release coming out of EMC World between Cisco and RSA/EMC.
Kind of cool -- Cisco will offer a wire-speed encryption blade for their MDS SAN, and RSA/EMC will supply the key management.
I know more than a few customers who are going to be intrigued by this one ...
But the industry reaction was kind of mixed, and sometimes a little confused.
So what's going on here?
Articles of Faith
Now, there's lots of skepticism in the press, including quotes saying basically "so why would anyone need that?" Fine, that's their job -- to present alternative viewpoints.
But I think it's important that both companies believe -- over time -- many organizations will be strongly motivated to directly protect information-at-rest from unauthorized disclosure.
We call the category "information security" to differentiate it from other forms of security. The category refers to any approach that directly protects the information itself (e.g. encryption, DRM, et al.) rather than trying to build a defensive layer around information (usually called perimeter or infrastructure security).
And we both believe that, among different architectural options, enabling encryption in the storage network will be preferred by many (but not all) customers who might have this requirement.
I wrote a bit about this before, but let me summarize a few main points.
First, most people just think about tape, but with a little thought, it's easy to extend the discussion to disk as well. Disks can grow legs and walk just like tapes can (although the circumstances are usually different). And any mandate to encrypt tapes will likely expand to include disks over time.
So, in my mind, it's probably better to take the long view when thinking about architecture.
Second, while there's a case to encrypt at the storage endpoint (tape drive or disk drive), or the client endpoint (application, database, server), the requirements will inevitably change over time.
Today it's this set of objects, tomorrow it's another set of objects -- hence the interest in putting the function in the network, rather than at the endpoints. Better to have the ability to encrypt anything on the SAN, should you need it. The flexibility should be appealing to many.
Lastly, I don't think most people fully comprehend the importance of this whole key management thing when it comes to storage encryption.
If you're going to encrypt storage, you're going to have a whole lot of keys. You don't want to lose any of them. They better be easy to use. And you don't want to lose any of them. And it'd be great if they worked with day-to-day operations.
By the way, you don't want to lose any of them ...
Competitive impact ...
As with any technology announcement, there are potential winners and losers.
I think Cisco and RSA/EMC do alright here -- most likely first-to-market with this kind of combined solution. Couple this with EMC's ability to qualify, implement and support large-scale SAN technology, and it looks like a good combination.
The encryption appliance folks (e.g. Decru) have something to respond to. In NetApp's recent earnings call, they seemed like they were pooh-poohing the opportunity around storage encryption a bit (hey, didn't you guys spend over $300m to get in the business?)
My take is that more than a few people were holding off on the Decru appliance thing hoping something better was coming along.
Maybe this is it.
Going a bit more broadly, Cisco is not the only SAN vendor in town, and RSA/EMC will not be the only key manager in town. There will be other combinations before too long -- which will raise a whole slew of questions around multi-vendor interoperability and support.
Predicting The Future
Will we see tons and tons of SAN-layer encryption and robust key management being adopted by customers in 2008? Unlikely. Like other newer SAN-based technologies, the uptake will be moderate over time.
But I think it becomes yet another important SAN architectural consideration -- planning for potential encryption requirements -- that now joins topics like virtualization, replication, provisioning, et al. that ultimately belong in the network.

Chuck,
Sometimes we disagree, but not this time.
I always thought the RSA acquisition was a good move by EMC. The weakest link is going to be the human element (as it always is) and so I think the emphasis on ease of use/administration and finding a way to preserve keys and keep them accessible is spot on.
Posted by: MarcFarley | May 25, 2007 at 03:29 PM