Decru and Network Appliance Unveil Solution for Securing Credit Cards and PCI Compliance
From Network Appliance, Inc. June 7, 2005
CardVault™ Solution Provides Turnkey Secure Storage, Supports
Compliance Requirements and Helps Prevent Identity Theft
Decru, Inc., the leader in storage security, and Network
Appliance, Inc. (NASDAQ: NTAP), a leader in advanced networked
storage solutions, today unveiled a joint solution to enable
secure storage of credit card data, and to support compliance
with new mandatory Payment Card Industry (PCI) security
standards. The CardVault™ solution features Decru® DataFort™
storage security appliances and Decru Client Security Module
(DCS), integrated seamlessly with NetApp® data protection
and regulatory compliance data management solutions to provide
a turnkey platform for secure processing and storage of
credit card data.
The new PCI standards, instituted by top payment firms
including VISA and MasterCard, require merchants and payment
processors to protect stored credit card data with security
best practices including encryption, access controls, and
authentication. Penalties for non-compliance include fines
up to $500,000 and other restrictions. The PCI compliance
deadline for large and mid-level merchants and payments
processors is June 30, 2005.
Requirement 3 of the PCI standards directs organizations
to "render sensitive cardholder data unreadable anywhere
it is stored (including data on portable media, backup media,
in logs and data received from or stored by wireless networks)."
Suggested approaches include strong cryptography, such as
AES-256 with associated key management processes and procedures.
Further, PCI specifically requires organizations to take
steps to protect encryption keys against disclosure and
misuse, including creation of separate roles for sensitive
key recovery functions.
The PCI standard highlights the importance of encryption
for protecting data at rest: "Encryption is the ultimate
protection mechanism because even if someone breaks through
all other protection mechanisms and gains access to encrypted
data, they will not be able to read the data without further
breaking the encryption. This is an illustration of the
defense in depth principle."
Legacy software encryption solutions have often suffered
from low performance and complicated integration requirements,
which have hindered the deployment of appropriate protection
mechanisms. The NetApp and Decru solution delivers strong
cryptographic protection for credit card data, without compromising
performance or simplicity.
Simplicity Equals Security
NetApp storage systems and Decru DataFort appliances have
been tightly integrated and tested to provide reliability,
high performance, and ease of use. From an end user and
application perspective, the CardVault solution looks exactly
like standard networked storage. NetApp and Decru platforms
support the full range of storage environments, including
NAS, SAN, and IP SAN, enabling flexible deployment into
any existing application environment. The system is deployed
transparently, with no changes to servers, applications,
authentication, or user workflow, and is compatible with
all major operating systems and databases.
"Identity theft has become one of the fastest growing crimes
in our society, and enterprises are struggling to comply
with overlapping privacy and security regulations," said
Jon Oltsik, senior analyst with Enterprise Strategy Group.
"An effective way to address this risk and adhere to compliance
standards is to deploy a transparent, appliance-based security
and storage solution."
The CardVault solution secures stored data with a combination
of strong AES-256 encryption, authentication, access controls,
and tamper-evident logging. All encryption and key management
are performed at wire-speed in DataFort's specialized hardware,
avoiding the latency and complexity associated with legacy
software approaches. Decru Cryptainer® compartments allow
multiple different vaults on the same storage device, each
with its own access list and policies. NetApp data protection
and regulatory compliance solutions provide comprehensive
data protection and management capabilities, supporting
a variety of data retention, disaster recovery, and compliance
requirements on an industry-leading storage architecture
that spans multiple tiers of storage.
Using the CardVault solution, administrators can manage
processes such as backup and replication, but the file contents
are encrypted and can only be read by authorized users through
DataFort. Decru Client Security Module, an optional software
agent, can be deployed on application or database servers
to provide end-to-end policy enforcement and prevent attacks
by administrators, root kits, viruses, or spyware. In addition,
at the gateway level, using the NetApp Internet access and
security solution based on NetCache® systems, customers
can drastically improve the security layers at the perimeter
of the enterprise from Internet threats that could corrupt
data. No other storage solutions provider offers this additional
layer.
NetApp FAS and NearStore® storage systems and Decru DataFort
storage security appliances have completed extensive interoperability
testing, and the joint solution received U.S. Department
of Defense certification in September 2003. Decru DataFort
is the only storage security solution to receive FIPS 140-2
Level 3 government certification. NetApp and Decru serve
joint customers in sectors including investment banking,
healthcare, semiconductors, software, and military.
"There are many reasons to migrate sensitive data onto
a secure, robust storage platform, and now there's one more,"
said Patrick Rogers, vice president, Products and Partners
at Network Appliance. "Working together, NetApp and Decru
have simplified the process of storing, securing, and managing
sensitive financial data for our customers."
"Enterprises are not in a position to choose among security,
performance, compliance and efficiency – all of these are
hard requirements," said Kevin Brown, vice president of
marketing at Decru. "Our joint solution with NetApp is a
timely answer to an urgent business requirement for many
firms."