Stolen data? No biggie

Managing storage, new data center style The virtual answer Stolen Data? No biggie Archiving made easier The sky's the limit All about the info The human touch

IT executives hoping to avoid brand-damaging thefts of stored data like those experienced by AOL, Bank of America and Citigroup are turning to an age-old security strategy: encryption.

Take Vincent Fusca. As operations director at the Center for Evaluative Clinical Sciences at Dartmouth College in Hanover, N.H., he is responsible for 7T bytes of Medicare patient information tied to more than $5 million in research grants.

"Under HIPAA compliance, we need to make sure that we have the most secure means possible to hold and utilize the data in support of research," Fusca says. "If I lost this data, I'd be roadkill."

As companies develop new data center architectures, they're increasingly focusing on secured storage. "Storage people have been so myopic on performance and availability that security hasn't been an issue. But they're starting to pay more attention," says Jon Oltsik, senior analyst for information security at Enterprise Strategy Group.

At Dartmouth, Fusca employs an encryption appliance from Decru to secure the information on his storage servers and back-up tapes. Such appliances, also available from vendors such as Kasten Chase Applied Research, NeoScale Systems and Vormetric, sit on the network, encrypting and decrypting data as it passes through from hosts and enterprise-wide storage resources. Fusca uses Decru's DataFort to convert raw files from Medicare into encrypted data silos for use by the center's researchers, analysts and programmers.

In the past, IT pros who wanted to secure stored data would have had to use software, says Andreas Antonopoulos, senior vice president at Nemertes Research. But that approach caused unacceptable performance slowdowns.

"Appliances use sophisticated ASICs and can achieve much better performance by doing all the encryption in the hardware," he says.

Limited encryption

Encrypting stored data - especially backups traveling offsite and out of an IT executive's physical control - is a good idea, Antonopoulos says. He points especially to companies that fall under compliance measures, such as California SB 1386, which specifies that state employees and customers must be notified within 30 days if a data breach involves information about them. "Encrypted data is exempt from this. Right there, you can save your brand," he says.

While the temptation might be to encrypt all stored data, what's best is to be selective about what data needs protecting, experts say. Dale Pickford, vice president at Ocwen Financial, a mortgage processor in West Palm Beach, Fla., says he only encrypts about 200T bytes, or 5%, of his stored data. Encrypting everything would be too expensive and time-consuming, he adds.

First encrypt external-facing data that contains potential identity theft material. "Name, address, Social Security Number, date of birth - basically any combination that lets you steal someone's identity," Pickford says.