Stolen data? No biggie

Storage encryption puts IT execs at ease about the threat of identity theft.

IT executives hoping to avoid brand-damaging thefts of stored data like those experienced by AOL, Bank of America and Citigroup are turning to an age-old security strategy: encryption.

Take Vincent Fusca. As operations director at the Center for Evaluative Clinical Sciences at Dartmouth College in Hanover, N.H., he is responsible for 7T bytes of Medicare patient information tied to more than $5 million in research grants.

"Under HIPAA compliance, we need to make sure that we have the most secure means possible to hold and utilize the data in support of research," Fusca says. "If I lost this data, I'd be roadkill."

As companies develop new data center architectures, they're increasingly focusing on secured storage. "Storage people have been so myopic on performance and availability that security hasn't been an issue. But they're starting to pay more attention," says Jon Oltsik, senior analyst for information security at Enterprise Strategy Group.

At Dartmouth, Fusca employs an encryption appliance from Decru to secure the information on his storage servers and back-up tapes. Such appliances, also available from vendors such as Kasten Chase Applied Research, NeoScale Systems and Vormetric, sit on the network, encrypting and decrypting data as it passes through from hosts and enterprise-wide storage resources. Fusca uses Decru's DataFort to convert raw files from Medicare into encrypted data silos for use by the center's researchers, analysts and programmers.

In the past, IT pros who wanted to secure stored data would have had to use software, says Andreas Antonopoulos, senior vice president at Nemertes Research. But that approach caused unacceptable performance slowdowns.

"Appliances use sophisticated ASICs and can achieve much better performance by doing all the encryption in the hardware," he says.

Limited encryption

Encrypting stored data - especially backups traveling offsite and out of an IT executive's physical control - is a good idea, Antonopoulos says. He points especially to companies that fall under compliance measures, such as California SB 1386, which specifies that state employees and customers must be notified within 30 days if a data breach involves information about them. "Encrypted data is exempt from this. Right there, you can save your brand," he says.

While the temptation might be to encrypt all stored data, what's best is to be selective about what data needs protecting, experts say. Dale Pickford, vice president at Ocwen Financial, a mortgage processor in West Palm Beach, Fla., says he only encrypts about 200T bytes, or 5%, of his stored data. Encrypting everything would be too expensive and time-consuming, he adds.

First encrypt external-facing data that contains potential identity theft material. "Name, address, Social Security Number, date of birth - basically any combination that lets you steal someone's identity," Pickford says.

Then secure second-tier information, such as details of loans, credit status or accounts. Lastly, he says, lock down "business-sensitive" material. "Secure what you really wouldn't like your competitors to find out," he says.

Managing the encrypted data

Once you've figured out what to encrypt, you must determine how and under what terms data will be decrypted.

Pickford, who uses Vormetric's CoreGuard encryption engine , suggests applying restrictive policies to data regarding how it can be viewed and by whom. "You have to be the right user in the right application using the right machine to access the right database - there's no way around it," he says.

He even applies the restrictive data-access policy to his staff members. "They might accidentally view things they shouldn't or not dispose of it carefully - I don't want to put that burden on them or have them faced with that risk," he says.

Dartmouth's Fusca separates his data into "cryptainers" with protocols dictating who can access what information. "We have four programmers, five analysts and six or seven research fellows all needing different views of this patient information. When they log on to the system, they can access only their portion," he explains.

IT executives need total control over key creation and management, Antonopoulos says. "If you don't have a significant key management system, you could lose all your data," he says. "Make sure you understand the implications and particulars of how a vendor's key management and key escrow functionality works," he adds.

And test the key system regularly. "If you have a disaster, you need to have made sure that you have a backup, as well as a way to recover keys and tapes. You need a backup strategy for encryption. The two go hand-in-hand as they fail at the same time," he says. "Run tests not just of the system, but the whole recovery process - where are the tapes, how do I get them, where are the keys?"

Encryption standards also require consideration, Antonopoulos points out. While some appliances offer support for multiple standards, others have settled on a single approach. Match the standards to your data storage needs.

"If you have something that has to remain confidential for a long period of time, you want Advanced Encryption Standard and large key sizes," Antonopoulos says. If the data is less important, then DES is good enough, he says.

The security-storage duo

Also important for successful storage encryption is including storage in security audits, Oltsik says. "You should do a full security audit that includes the storage infrastructure, personnel [accessing storage] and physical security. It doesn't matter if someone walks out with a data tape or hacks into your network - it's still data theft," he says.

Conduct a risk analysis to see how much overhead - in terms of cost and performance - IT groups can endure, Oltsik recommends. "Although there's minimal overhead involved, it's still overhead. And you'll accept that overhead if you need to secure the data," he says. "It only takes one Bank of America incident to realize that a $30,000 investment is worth it."

A sampling of storage encryption appliances
Decru's DataFort

Encryption appliances for use with iSCSI, tapes, NAS/DAS and Fibre Channel SANs.

Price: Starting prices range from $9,900 to $42,500 per appliance, depending on use (i.e., iSCSI).

URL: www.decru.com/products/datafort0.htm
NeoScale Systems’ CryptoStor erprise

Includes CryptoStor FC, CryptoStor Tape and CryptoStor SAN VPN to secure primary storage, tapes and links between data centers.

Price: Starting at $35,000 for CryptoStor FC, $17,000 for CryptoStor Tape and $40,000 for CryptoStor SAN VPN.

URL:www.neoscale.com/English/Products/CryptoStor.html
eloper

Kasten Chase Applied Research’s

Assurency family

Line includes Assurency SecureData Appliance and Assurency SecureData

Price: CryptoAccelerator. Starting at $27,950 for the appliance and $4,150 for CryptoAccelerator.

URL: www.kastenchase.com/index.aspx?id=3
e
Vormetric’s CoreGuard Starter Kit

Includes CoreGuard Security Server and one year of tech support.

Price: Starting at $25,580.

URL: www.vormetric.com/solutions/

Gittlen is a technology editor in Northboro, Mass. She can be reached at sgittlen@charter.net.

Learn more about this topic

Storage security firm times it right

03/14/05

Data defenders

06/16/03

Network World's Storage in the Enterprise newsletter

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2005 IDG Communications, Inc.