While cloud infrastructure storage vendors have been adding security features for cloud data storage this quarter, analysts said there's still work to be done to broaden the appeal of the new medium to the most stringent of enterprises.
ParaScale Cloud Storage 2.5 provides clustered file storage for on-premise or hosted clouds. The software can be installed on any Linux hardware of the end user or service provider's choosing, and it offers the ability to run applications on the clustered storage servers and to boot virtual machines (VMs).
With ParaScale's keyless encryption, a user's authentication into the back-end system generates an encryption key on the fly, which is used to write to the user's apportioned virtual file system (VFS). A similar process allows users to securely read their data.
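The article does not say how ParaScale turns a sign-on into a key, so the following added example (not ParaScale code) assumes one common design: the key is derived from the sign-on secret with PBKDF2, and the server stores only a salt and a check value. The names `VfsRecord`, `enroll` and `sign_on` are hypothetical, and the cipher step that would consume the key is left out because the Python standard library has none.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

class VfsRecord:
    """What the server persists per virtual file system: no key, only a
    salt and a check value that confirms a freshly derived key is right."""
    def __init__(self, name, salt, check):
        self.name, self.salt, self.check = name, salt, check

def derive_key(secret: str, vfs_name: str, salt: bytes) -> bytes:
    # Mixing the VFS name into the salt gives every tenant file system its
    # own key, even when two tenants happen to share a sign-on secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(),
                               salt + vfs_name.encode(), ITERATIONS, dklen=32)

def check_value(key: bytes) -> bytes:
    # A keyed digest of a fixed label; it reveals nothing usable about the key.
    return hmac.new(key, b"vfs-key-check", hashlib.sha256).digest()

def enroll(vfs_name: str, secret: str) -> VfsRecord:
    salt = os.urandom(16)
    key = derive_key(secret, vfs_name, salt)
    return VfsRecord(vfs_name, salt, check_value(key))  # key is discarded here

def sign_on(record: VfsRecord, secret: str):
    """Return the session's data key, or None when authentication fails."""
    key = derive_key(secret, record.name, record.salt)
    if hmac.compare_digest(check_value(key), record.check):
        return key
    return None
```

In this design the key is exactly as strong as the sign-on secret, which is the trade-off between simplicity and the toughest security that the analysts raise later in the article.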
With Version 2.5, each virtual file system is also its own secure FTP server, separated by the same sign-on process that generates encryption keys. "Service providers can have different authentication across different file servers, and different LDAP servers for different virtual file systems," Norris said. "With the FTP server, authentication is consolidated into the same process [as encryption] and applied to FTP."
Finally, ParaScale is adding algorithmic, automated data integrity checking that scrubs disks in the ParaScale cluster to eliminate silent data corruption and bit-flipping through local data signatures. "There is a little bit of overhead to this process," Norris acknowledged, "but it's minimal — between 5% and 7%, depending on the underlying hardware and CPU that you have."
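As an added illustration of signature-based scrubbing (not ParaScale's implementation, whose details the article does not give), the sketch below records a SHA-256 digest when each block is written, re-hashes blocks during a scrub, and repairs a mismatch from a replica that still verifies. `Node`, `scrub` and `flip_bit` are hypothetical names, and the use of SHA-256 and of replica repair are assumptions.

```python
import hashlib

class Node:
    """One storage server: raw blocks plus the signature taken at write time."""
    def __init__(self):
        self.blocks = {}      # block id -> bytearray (what is on disk now)
        self.signatures = {}  # block id -> SHA-256 digest recorded on write

    def write(self, block_id, data: bytes):
        self.blocks[block_id] = bytearray(data)
        self.signatures[block_id] = hashlib.sha256(data).digest()

    def is_intact(self, block_id) -> bool:
        current = hashlib.sha256(self.blocks[block_id]).digest()
        return current == self.signatures[block_id]

def scrub(node: Node, replicas: list) -> dict:
    """Re-hash every block on `node` and repair mismatches from a healthy replica."""
    report = {"checked": 0, "repaired": [], "unrecoverable": []}
    for block_id in sorted(node.blocks):
        report["checked"] += 1
        if node.is_intact(block_id):
            continue
        # Accept a replica copy only if it verifies against its own signature
        # and that signature matches ours, so a damaged peer cannot spread
        # bad data during repair.
        source = next((r for r in replicas
                       if block_id in r.blocks and r.is_intact(block_id)
                       and r.signatures[block_id] == node.signatures[block_id]),
                      None)
        if source is None:
            report["unrecoverable"].append(block_id)
        else:
            node.blocks[block_id][:] = source.blocks[block_id]
            report["repaired"].append(block_id)
    return report

def flip_bit(node: Node, block_id, bit: int):
    """Simulate silent corruption: alter the data, leave the signature alone."""
    node.blocks[block_id][bit // 8] ^= 1 << (bit % 8)
```

The re-hash of every block is where the CPU overhead of a scrub comes from.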
Cloud data storage security is evolving, but has room to grow
One ParaScale customer, Iceland-based ThorDC, had been looking for secure multi-tenancy and data integrity features to satisfy the security requirements of its financial services customers, according to chief technology officer Benedict Grondal. "Before Version 2.5, we were looking for financial customers to be able to encrypt data, so we couldn't ourselves look at it," he said.
ParaScale isn't the first cloud storage vendor to move toward better security in hopes of removing one of the chief objections to the cloud among enterprises. ParaScale competitor Cleversafe Inc. claims its geographic distribution algorithms, which slice data up and replicate it to various locations, provide native data security. This year, the company added a certificate authority to prevent its dsNet devices from being spoofed, as well as support for third-party authentication systems including biometric scanners.
Wikibon.org analyst Michael Versace said Cleversafe may be ahead of the game when it comes to security, although it comes with some tradeoffs. "Both Cleversafe and ParaScale address the complexity of encryption key management by removing a large piece of the problem and complexity -- the human factor -- and embedding key lifecycle management securely within the system," he wrote in an email to SearchStorage.com. "By combining forward correction schemes and several cryptographic algorithms that encrypt and disperse data across storage nodes, Cleversafe by design is more resilient to failure than standalone encryption schemes based solely on AES and RC4. This is particularly important to service providers that can sacrifice storage capacity for an RPO [of] zero data loss."
Cloud data storage vendors generally should look beyond encryption, according to Jon Oltsik, senior principal analyst at Milford, Mass.-based Enterprise Strategy Group. "Users want cloud providers with the right physical security, certification, and accreditation before moving sensitive data to the cloud," he wrote in an email to SearchStorage.com. "I think this is a step in the right direction and may help motivate organizations to move some data to the cloud … [but] I don't anticipate that a lot of sensitive, private, or regulated data will end up in the cloud anytime soon."
ParaScale's Norris counters that "there's nothing precluding" users from attaching third-party security systems to ParaScale Cloud Storage for more stringent requirements. He also said this is the best way to manage encryption at "cloud scale" — where storing and protecting individual keys could become unmanageable.
Arun Taneja, founder and consulting analyst at Hopkinton, Mass.-based Taneja Group, pointed out that even with separately managed keys, encrypted data is usually accessed on-premise and in the cloud using authentication. "There's no free lunch — you can either focus on the toughest security or simplicity," he said. "Like everything in computer science, your design center will tell you what your pros and cons are."
Taneja said the advantage to keyless encryption is manageability. "This is definitely a simpler way — the user and the administrator don't have to worry about managing keys," he said.
Taneja said he'd like to see ParaScale support RESTful APIs in its next release, along with the protocols it supports today. "I think they need to do that," he said. "It may not be as smart as their system, but customers want it and the world is converging on RESTful APIs."