Brocade Encryption Misses Boat - For Now

Anyone who's read this blog even occasionally knows that my mantra includes "Encrypt your tapes." At first glance, Brocade's announcement of a 32-port encrypting Fibre Channel switch and 16-port encrypting blade for its DCX directors provides a new option for storage admins looking for high-performance tape encryption. However, as I read the FAQ on Brocade's site I discovered that the initial release only supports encrypting data at rest on disk.It's easy to understand why you'd want to encrypt data on tapes, especially tapes in transit. After all, lost, misplaced, or, heaven forfend, stolen tapes not only expose your valuable data to the vast underworld just looking for SSNs, credit card numbers, and other juicy stuff, but losing even one tape means you, poor slob, need to find out who's personal information was on it. Even worse, your employers will have to go public and spend money on credit report monitoring for your customers even if the crackhead that stole the tapes out of the courier's VAN tossed them in the trash as soon as he figured out that they weren't hockable.

I have a harder time getting my head around the value of encrypting data at rest on disk drives outside the obvious military and highly regulated industries that have to maintain strict and auditable "need to know." If someone is going to break into your data center and steal your disk arrays, they're probably going for the FC switches as well.

Vendors make the argument that PCI and other regulations require network accessible data be protected, and suggest encryption, but if the data is decrypted when it hits the server, it's still available through network attacks.

The one case where disk encryption inside the data center makes perfect sense to me is as a solution to the disk disposal problem. If Seagate expanded the on-drive, full-disk encryption it's selling in the laptop market to 10- and 15K- RPM drives, and array vendors used them, we could just throw drives that fail or are otherwise taken out of service in the trash.

On the other hand, Brocade promises tape compression and encryption, since tape drives can't compress encrypted data, in a future upgrade and it seems to have put together the right pieces supporting 16- or 32-GBs throughput of FIPS 140-2 Level-3 AES encryption, based on a software license, and integrating with NetApp and RSA key management systems. I'd much rather encrypt in the switch than use a standalone Decru/Netapp encryptor.

Brocade's even got an option, available only through NetApp or Brocade's professional services, to read Decru-encrypted data or write so a Decru device can decrypt it with the right keys.

I'm sure I'll get an e-mail from Brocade tomorrow telling me where I missed the boat, but I'm waiting for tape encryption before I can call this a winner.