February 09, 2009, 2:22 PM — BECU, Washington state's largest credit union, used to keep its stored data locked down using an appliance to encrypt data before it was stored to tape. But when it had the opportunity to upgrade storage equipment, the company chose a simpler, cheaper and perhaps more secure option -- an application that encrypts tapes in the tape library.
The appliance "was the best solution at the time," says Kathryn Antonetti, IT systems and security manager at Tukwila-based BECU, a not-for-profit financial cooperative with assets of more than US$8.5 billion. "Now encryption is being offered at virtually every layer." The switch eliminated maintenance and training costs for the appliance, and other headaches. "I had [three vendors] pointing fingers at each other" when the system had problems, she adds.
Protecting stored information is the next wave in data security. "We're starting to see more emphasis on data at rest," says Robert Rosen, former president of IBM user group Share and CIO at the National Institute of Arthritis and Musculoskeletal and Skin Diseases in Bethesda, Md. "It's kind of a no-brainer. If you've done it, your [data is] protected and you don't have to worry about it."
As companies upgrade their storage equipment, many are taking advantage of technological advances such as tape drive encryption, tape library encryption and enhancements in the way encryption keys are managed. There has also been progress in adopting the disk and tape encryption specifications of the IEEE P1619 standard, says James Damoulakis, chief technology officer at storage services provider GlassHouse Technologies Inc. "Still, it's fair to say that [storage security] has lost some momentum " because of policy and process limitations, says Damoulakis, who is a Computerworld columnist.
"There's a feeling that [data in storage] is a locked door -- so it's not a high priority," Rosen says. "But I think that's ultimately going to change with the turnover of equipment."
"Unfortunately, most companies wait until the problem exists before fixing it," says Ari Kaplan , a senior consultant at Datalink Corp. in Chanhassen, Minn., and former president of the Independent Oracle Users Group.
With data security breaches now costing companies $202 per compromised record, according to the Ponemon Institute, it's time to start locking down data at rest. Here are three techniques for protecting stored data.
Gartner Inc. has found that companies that encrypt stored data do so because they have to, not because they want to. "There are regulatory compliance pressures -- PCI or HIPAA," says Gartner analyst Eric Ouellet, referring to the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act. "Or it's the fear that the tape will fall off the back of the truck and you'll have a disclosure issue."
What's more, most encryption systems can get pricey. "When you're looking at the cost associated with this, whether it's the time to deploy or the amount of [labor] or the actual cost in dollars of the solution -- these things are not cheap," Ouellet adds.
A less expensive way to add encryption is to use the capabilities that come built into many applications, Ouellet advises. "You'll have to pay for it, but it's needed, and as far as integration is concerned, it's not going to take an inordinate amount of time," he says.
Looking for an ultracheap approach? Ouellet suggests buying a hard drive with built-in encryption . Seagate, Toshiba and Hitachi are among the vendors introducing self-encrypting drives. "It costs only a few bucks more to buy a drive with encryption," Ouellet says. "The applications aren't even aware there's any encryption. It's all in the background at the low-level driver level."
But keep in mind that self-encrypting drives address only storage issues, Ouellet warns. "As far as the application is concerned, once it reads the data off the drive, it's in clear text -- and in a backup, it's in clear text," he says. "Only in the storage environment is it safe."
On the bright side, self-encrypting drives will be helpful down the road when you have to dispose of a drive, Ouellet adds. "I can just lose or dispose of the key that was on that drive. Then the data is gone."
On the Desktop
Data at rest now includes data on the desktop. The NIH's IT department is moving to desktop-level encryption. "Unfortunately, thefts occur inside, too," Rosen says. "Encryption is a fairly simple mechanism. The performance impact is minimal."
Children's Hospital Boston also encrypts data on the desktop says Paul Scheib, director of operations and chief information security officer. "We do laptop encryption, and we try to limit what data can be stored on local machines," he says. "We don't have a sure way to stop people from writing from a CD drive, because they do have a business need to do it. The best you can do is put policies in place and educate people."
But desktop encryption resolves only one security issue, Ouellet says. "A lot of organizations have an onion-layer approach. To be able to get onto the storage environment, you have to go through a bunch of gates and barriers," such as ID management and network firewalls, he says. "That may, in fact, be good enough -- it solves the external data problem. But your storage environment is not addressed that way."
For years, encryption users have been calling on security and storage vendors to offer better interoperability when it comes to managing the keys that actually control the encryption. In response, companies such as Microsoft Corp. now allow users to store the encryption keys for data held on other vendors' key management systems.
But key management will become more complex, experts say, as encryption finds its way into more and more storage devices, creating an avalanche of keys to manage.
Some industry standards are being developed, such as IEEE P1619, but they address tape encryption and not the storage environment. "We're seeing that move over to the self-encrypting drive [systems], but as far as the databases are concerned, they don't quite have a standard," says Ouellet.
For now, companies such as IBM and RSA Security Inc. provide some form of key management for external services, Ouellet says.
Industry watchers say that although companies aren't clamoring for encryption and storage security, adoption will remain steady. "There's a finite amount of resources available," Rosen says. "There won't be a huge rush to it -- but with [new hardware], everything is going to be encrypted."