July 16, 2010 • Vol.32 Issue 15
Page(s) 29 in print issue

Implement Storage Encryption
Assess Your Environment & Choose The Most Appropriate Encryption Technology

Key Points

• Choose policies that will protect the company in a legal discovery, especially those that prove the encryption process worked.

• Select your technology based on the needs of the organization, such as whether you would rather avoid regular maintenance (with appliances) or prefer better key management (with software).

• Analyze worst-case scenarios for a breach to give you an idea of how much to spend on storage encryption and how to protect company assets.

In an age of legal discoveries, breaches over wireless networks, and scams on Facebook, data encryption has become more vital than ever. According to research by the Ponemon Institute, the average data breach at a company level costs $6.75 million. That’s enough to send shivers down the spine of the most seasoned IT manager, but fortunately, the process of implementing storage encryption is not as complex as it might appear.

Starting Out

According to Robert Fitzgerald, president of The Lorenzi Group (www.thelorenzigroup.com), companies should first prioritize data stores and determine what exactly should be encrypted. This can include laptop drives, thumb drives, smartphones, servers, and even home computers used by remote employees. The process should also include the location of all of these data repositories, not just the devices, and should be as comprehensive and detailed a process as possible.

Phil Ayres, founder of Consected (www.consected.com), says storage encryption technology is actually fairly mature, but companies should extend their surveys to include data backup systems, which may use an older form of encryption that is not compatible with existing technologies.

“Encryption is not so hard, since there have been many available file-system approaches (such as directory encryption in Windows NTFS and partition encryption in Linux LVM) for a while, but they have done a poor job of handling the issue of data backups,” says Ayres. “If you make a backup of the data, it’s often made in its original unencrypted form, which you then have to re-encrypt, or you have to keep backed up as a whole solid mass to ensure its integrity—and neither works particularly well.” Ayres says open-source tools are available that help you encrypt each data file individually, which helps with long-term data storage.

SMEs should also consider the policies they put in place. According to Michael Schultz, president of Message Infusion (www.messageinfusion.com), managers should go beyond just encrypting data with the latest technology product: They should also implement a process for encryption. This involves being able to demonstrate how and where data is encrypted in the event of a legal discovery.

“Be sure you look at the higher-level issues of compliance and safe harbor,” says Schultz. “Most storage encryption is put in place for the security benefits for those who understand hardware encryption, so it is best implemented for the performance benefits of moving encryption to the drive level. However, few are looking at the safe harbor issues of how to prove a drive was encrypted at the time of loss, theft, or compromise, which is what keeps organizations off the newspaper front pages.”

Some of the policies put in place should also deal with unstructured data, says Gretchen Hellman, vice president of marketing at Vormetric (www.vormetric.com), and not just the actual data stores. “Encryption must protect both structured and unstructured data stores that can include database and file server files, folders, documents, image scans, voice recordings, and logs,” she says.

Encryption Options

Once you have a good handle on the storage locations and policies required, the next step is to choose an encryption technology. According to Lou Branda, a storage technologies consultant with Accenture’s Data Center Technologies consulting practice (www.accenture.com), there are three main options: appliances that encrypt all data at the company, backup solutions, and software encryption technology.

“Appliances are turnkey solutions that are favored due to their strong key management platforms, ease of deployment and management, and ability to refresh the appliance hardware without worrying about the media type,” Branda says. “They generally sit between the disk and the target media (tape) and can be deployed in either an FC-based SAN, SCSI (direct attached), or NAS (IP-based) . . . and therefore are very adaptable to the many backup architectures. They also offer the highest speeds. Remember that encryption increases the amount of time it takes to complete a backup due to the extra processing.”

Tape systems such as LTO-4 can also encrypt data. “IT firms will find that they are constantly planning for hardware refreshes that require the consideration of maintaining these specific tape formats,” Branda says. “It basically means that no matter what, they either have to stick to the standard they have chosen or undertake a huge effort to migrate from older standards to newer or different standards. It also does not provide any ability to encrypt data to portable media.”

The third option is to use software encryption technology for storage media. This software is used between the backup media and the target server. Branda says this kind of encryption can lead to some slowdowns in backup time, but software has strong key management (for managing the encryption keys used to identify the data). Branda says some vendors have been slow to adopt open key standards, which would present a problem if you decide to switch from one encryption technique to another.

Costs Involved

Costs for rolling out storage encryption vary by the technology you choose to deploy, but the storage encryption appliances are generally considered cheaper in terms of long-term maintenance. Regardless of which technology you choose, Hellman says the primary consideration has to do with a risk assessment based on what would happen in the event of a data breach. That’s a good starting point, she says, because it helps determine how much a company should spend to protect investments.

“When considering encryption costs, it is crucial to take a risk-based approach by considering what data needs to be protected,” Hellman says. “Enterprises must ask ‘What are the costs if this information gets out?’ A recent Ponemon data breach disclosure report shows the 2009 average cost of a data breach was $204 per record. Customer attrition is another important hidden cost of public data breaches. This far outweighs the cost of an effective encryption solution.”

That helps an SME avoid some of the most dangerous pitfalls, she says: lack of central management, poor control over encryption keys, and interruptions in system management and performance.

by John Brandon


Top Tips

• Gretchen Hellman, vice president of marketing at Vormetric (www.vormetric.com), says to watch out for implementing too many encryption standards and strategies. “Avoid ending up with an exploding number of encryption products and all the related key management and policy management headaches that this will bring,” she says. “Selecting encryption solutions that have the broadest coverage over the largest number of potential systems will eliminate management headaches, as well as homogenize and consolidate data security policy management.”

• Lou Branda, a storage technologies consultant with Accenture’s Data Center Technologies consulting practice (www.accenture.com), says to avoid wasting resources encrypting data that does not need to be encrypted. “But do make sure important data is fully encrypted. Failure to do either could result in significant expenses related to data compromise or purchasing more equipment/licensing than necessary.”



Copyright © by Sandhills Publishing Company 2010. All rights reserved.