Proposed standards for protecting data on disk or tape are gathering steam within the IEEE and could be supported in products as soon as next year, according to proponents.
The need to push through such standards has been made more urgent since high-profile companies such as Ameritrade and Bank of America earlier this year lost unencrypted tapes containing customer data.
"For businesses in regulated industries or that store personal financial information, encryption may very well be a requirement," says Stephanie Balaouras, a senior analyst for Forrester Research. "For other businesses it's a matter of managing risk, and encryption is one of many options that businesses must consider."
The proposed standards for how data is encrypted on disk and tape are IEEE P1619 and P1619.1, the Standard Architecture for Encrypted Shared Storage Media. The IEEE's Security in Storage Working Group is fine-tuning the standards, hopefully for approval in months to come.
"We have a draft standard for disk that is three years in the making and is very close to being complete. We have a stable draft for disk and a very preliminary draft for tape," says Jim Hughes, Sun fellow and chair of the working group. "I expect both to be approved in 2006."
The standards would address encrypting data at rest on disk or tape, whereas protocols such as IPSec, SSL and Secure Shell (SSH) are used to encrypt data in transit. While some storage-product companies already support some type of encryption, having standard implementations could make it easier for customers to safeguard data across heterogeneous storage environments, standards supporters say.
The proposed standards define three encryption algorithms and a method of key management designed to ensure the compatibility and interoperability of different storage gear. For encryption on disk the specification proposes using the new LRW-AES construction, the Liskov-Rivest-Wagner mode of the Advanced Encryption Standard (AES).
For tape encryption it proposes using the National Institute of Standards and Technology's (NIST) AES Galois/Counter Mode (GCM) and AES Counter with Cipher Block Chaining-Message Authentication Code (CCM, or Counter with CBC-MAC) modes.
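The disk and tape proposals solve different problems: a disk sector must encrypt in place, with no room for an authentication tag, so the draft uses a tweakable mode (LRW) in which the block's position on the disk changes the ciphertext; a tape record can grow, so the tape draft uses authenticated modes (GCM, CCM) that append a tag and reject tampered records. The following Go program is an added illustration of that contrast, not code from the article or from the IEEE working group. It implements the LRW construction (C = E_K1(P xor X) xor X, with X = K2 multiplied by the block index in GF(2^128)) on top of Go's standard-library AES, and uses the standard library's GCM for the tape side (CCM is not in Go's standard library and is not shown). The keys, the 512-byte sector size, the numbering of blocks from 1, and the bit ordering of the GF(2^128) multiplication are this example's own assumptions; the draft standard fixes its own layout, and the version of IEEE 1619 finally published in 2007 replaced LRW with XTS-AES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/big"
)

const (
	blockSize  = 16  // AES block length in bytes
	sectorSize = 512 // assumed sector length for this example
)

// gf128Mul multiplies two elements of GF(2^128) modulo x^128 + x^7 + x^2 + x + 1.
// Bit i of the big.Int is the coefficient of x^i; this ordering is the example's
// own convention, not necessarily the IEEE draft's bit layout.
func gf128Mul(a, b *big.Int) *big.Int {
	modulus := new(big.Int).Lsh(big.NewInt(1), 128)
	modulus.Or(modulus, big.NewInt(0x87))
	r := new(big.Int)
	x := new(big.Int).Set(a)
	for i := 0; i < 128; i++ {
		if b.Bit(i) == 1 {
			r.Xor(r, x)
		}
		x.Lsh(x, 1)
		if x.Bit(128) == 1 {
			x.Xor(x, modulus) // reduce when the degree reaches 128
		}
	}
	return r
}

// lrwBlock applies the LRW transform to one 16-byte block:
// C = E_K1(P xor X) xor X, where X = K2 (x) index in GF(2^128).
// The same function decrypts when dec is true, because the XOR mask
// is the same on both sides and only the AES direction changes.
func lrwBlock(blk cipher.Block, k2 *big.Int, index uint64, in []byte, dec bool) []byte {
	x := gf128Mul(k2, new(big.Int).SetUint64(index)).FillBytes(make([]byte, blockSize))
	tmp := make([]byte, blockSize)
	for i := range tmp {
		tmp[i] = in[i] ^ x[i]
	}
	out := make([]byte, blockSize)
	if dec {
		blk.Decrypt(out, tmp)
	} else {
		blk.Encrypt(out, tmp)
	}
	for i := range out {
		out[i] ^= x[i]
	}
	return out
}

// lrwSector encrypts or decrypts one whole sector in place-sized output.
// Block j of sector s gets the global block number s*32 + j + 1 as its tweak
// (numbering from 1 is an assumption of this example so no block has a zero tweak).
func lrwSector(k1, k2 []byte, sector uint64, data []byte, dec bool) ([]byte, error) {
	if len(data) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(data))
	}
	blk, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	k2Int := new(big.Int).SetBytes(k2)
	perSector := uint64(sectorSize / blockSize)
	out := make([]byte, 0, sectorSize)
	for j := uint64(0); j < perSector; j++ {
		off := int(j) * blockSize
		out = append(out, lrwBlock(blk, k2Int, sector*perSector+j+1, data[off:off+blockSize], dec)...)
	}
	return out, nil
}

// gcmSeal encrypts a tape record with AES-GCM; the output is ciphertext plus a 16-byte tag.
func gcmSeal(key, nonce, record []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, record, nil), nil
}

// gcmOpen verifies the tag and decrypts; any modified byte makes it return an error.
func gcmOpen(key, nonce, sealed []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, nil)
}

func main() {
	k1 := bytes.Repeat([]byte{0x11}, 16) // constructed demo keys, not real key material
	k2 := bytes.Repeat([]byte{0x22}, 16)
	sector := bytes.Repeat([]byte("A"), sectorSize) // constructed all-'A' sector
	c0, _ := lrwSector(k1, k2, 0, sector, false)
	c1, _ := lrwSector(k1, k2, 1, sector, false)
	fmt.Printf("disk: ciphertext is %d bytes (no expansion); sectors 0 and 1 differ: %v\n",
		len(c0), !bytes.Equal(c0, c1))

	tapeKey := bytes.Repeat([]byte{0x33}, 16)
	nonce := make([]byte, 12) // constructed; a nonce must never repeat under one key
	record := []byte("constructed tape record")
	sealed, _ := gcmSeal(tapeKey, nonce, record)
	sealed[0] ^= 0x01 // simulate a corrupted or tampered byte on tape
	_, err := gcmOpen(tapeKey, nonce, sealed)
	fmt.Printf("tape: record grew by %d bytes for the tag; tampered record rejected: %v\n",
		len(sealed)-len(record), err != nil)
}
```

Two properties are worth checking against the code: decrypting a sector with the wrong sector number yields garbage rather than an error, which is exactly why disk encryption cannot detect tampering on its own, while the tape record refuses to decrypt at all once a byte changes.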