It’s no secret that third-party BLOB externalization solutions have provided tremendous value to organizations with growing SharePoint environments. The capability first appeared in SharePoint 2007 as External BLOB Storage (EBS) and later in SharePoint 2010 as Remote BLOB Storage (RBS).
The value of RBS/EBS has always been clear. Removing BLOBs from the SharePoint database increases file access performance, allows for scalability in a cost-effective manner, reduces storage costs and improves backup performance. Despite the clear value of BLOB externalization, guidance on whether to use RBS/EBS has varied wildly depending on who was dispensing the advice. Many SharePoint MVPs, consultants and even some Microsoft employees aggressively recommended against using BLOB externalization. Yes, there have been supporters of BLOB externalization, including Microsoft’s own Bill Baer. However, guidance on whether to use RBS/EBS has been, at best, chock-full of contradictions.
Microsoft recently disclosed the inner workings of Fort Knox, a project that aims to bring increased security to Office 365 through the use of heavy encryption. Fort Knox is being described as RBS-like, as it externalizes and stores file shreds across multiple Azure blob storage containers while encrypting each shred with 256-bit AES encryption. Yes, this isn’t RBS in its purest form but rather a custom, one-off BLOB externalization capability developed by the Microsoft product team for Office 365. Regardless, the Fort Knox project is BLOB externalization. Ironically, this capability has been available from third-party RBS providers since the introduction of SharePoint 2010, and even earlier by leveraging EBS with SharePoint 2007.
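The shred-and-encrypt layout described above, sketched in Go as an added example; it is not Microsoft's code or any RBS provider's. Assumptions made here: AES-256 in GCM mode, a fresh key and nonce per shred, round-robin placement, and in-memory maps standing in for blob containers; `Ref`, `Externalize` and `Reassemble` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Ref is one shred's secret, kept apart from the blobs: AES-256 key (32 B) + GCM nonce (12 B).
type Ref [44]byte

func aead(r Ref) cipher.AEAD {
	block, _ := aes.NewCipher(r[:32]) // key length fixed by Ref: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Externalize cuts data into shreds of at most size bytes (size > 0), seals each
// under its own key, and spreads them round-robin over stores (stand-in containers).
func Externalize(data []byte, size int, stores []map[int][]byte) (refs []Ref) {
	for i, rest := 0, bytes.NewBuffer(data); rest.Len() > 0; i++ {
		var r Ref
		if _, err := rand.Read(r[:]); err != nil {
			panic(err) // no entropy, no encryption
		}
		stores[i%len(stores)][i] = aead(r).Seal(nil, r[32:], rest.Next(size), nil)
		refs = append(refs, r)
	}
	return refs
}

// Reassemble fetches each shred and fails on a missing, altered or misplaced one.
func Reassemble(refs []Ref, stores []map[int][]byte) (out []byte, _ error) {
	for i, r := range refs {
		pt, err := aead(r).Open(nil, r[32:], stores[i%len(stores)][i], nil)
		if err != nil {
			return nil, fmt.Errorf("shred %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	stores := []map[int][]byte{{}, {}, {}} // three stand-in containers
	doc, err := Reassemble(Externalize([]byte("constructed sample text"), 8, stores), stores)
	fmt.Printf("%q %v\n", doc, err)
}
```

Each container holds only authenticated ciphertext fragments, so a copy of one container yields neither the whole file nor any readable shred without the separately held `Ref` values. Because every shred has its own key, a blob that is altered, deleted or moved to another position fails authentication in `Reassemble`.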
The process of removing a BLOB from a SharePoint content database creates an opportunity to perform certain functions such as encrypting BLOBs, thus allowing a higher level of protection in transit and at rest. Encryption of files is only possible when externalizing BLOBs for SharePoint content databases. Yes, Transparent Data Encryption (TDE) is a possibility, but it requires that the entire database be encrypted. TDE is not without its caveats, including the potential for performance degradation.
It may be time to revisit whether BLOB externalization is right for your growing, more secure SharePoint environment. Heavy encryption of externalized content is just another feather in the cap of BLOB externalization. Unofficially, the BLOB externalization capability used by Office 365 is employed to provide more than just encryption of files at rest. Consider the massive size of Office 365 farms and you have to assume that scalability, backup, and high availability are all challenges for such a massive deployment of SharePoint. So you have to ask yourself: if BLOB externalization is the right answer for Office 365, shouldn’t it also be right for my growing SharePoint environment?