Encrypting e-mail is a good start, but it doesn't address the security of data sitting on servers and back-up systems. And it doesn't protect data being transported to offsite back-up facilities, a lesson several companies learned the hard way this year when their tapes containing sensitive customer information were lost in transit.
That is one reason many analysts recommend that companies encrypt sensitive data wherever it sits on the network. According to Gartner analyst Rich Mogull, encryption makes sense for backup tapes, laptops, PDAs or other portable storage media containing sensitive information, as well as credit card numbers stored in databases.
Losing tapes is nothing new, says Dave Ellard, senior vice president of corporate development at GlassHouse Technologies. "We've been moving and losing tapes for 30 years, but we never had to issue press releases before when we lost a tape."
In other words, the key difference today is regulations. Privacy regulations include legislation that either strongly encourages some form of encryption of sensitive data or, as is the case with the credit card industry's latest Payment Card Initiative (PCI) standard, formally prescribes the use of encryption.
Then there's California Senate Bill 1386, which requires that companies publicly disclose instances where they believe unencrypted personal information about California residents might have been compromised. The bill has led many companies to believe that encryption could keep them out of the headlines.
A 2004 Gartner report predicted that by the end of 2007, 80% of Fortune 1000 companies would encrypt most of their critical data at rest. "We've since updated this assumption and now predict that by the second quarter of 2006, 85% of large enterprises will have initiated encryption projects," Mogull says.
Yet statistics on the current state of encryption show surprisingly low adoption rates. Research conducted by the Enterprise Strategy Group (ESG) showed that 60% of respondents never encrypt back-up data going to tape (see graphic, below). A March report on database security by Noel Yuhanna, a senior analyst, also showed that only four of the 24 companies surveyed used encryption of data at rest (see graphic, right).
Jon Oltsik, an ESG analyst, says companies underestimate the potential risk of a data breach and overestimate the amount of work and cost required to encrypt tapes. He also acknowledges that the sheer number of ways to encrypt data at rest contributes to slow adoption.
Chuck Hollis, vice president at EMC, says the decision about what data to encrypt should stem from a data classification exercise. "If I had just one application that talked to credit card data, I might make the case of having that application encrypt the data. If all applications do that . . . you might want to go with a [storage-area network] encryption alternative," he says.
Other encryption hurdles include management issues and potential performance impact. Oltsik says performance has been addressed by hardware-based encryption appliances from Decru, NeoScale and Kasten-Chase, which encrypt data as it is being backed up to tape.