High-profile scandals and regulatory compliance have created a fear-driven environment spurring on the encryption of data both in transit and at rest. But encryption is difficult and there is much disagreement about how best to implement it.
“The world’s credit card information can be stored on 1TB of tape. The equivalent of 20lb of paper can be put in your pocket. And yet companies send out tapes containing incredibly sensitive data in trucks with no security where they are open to theft and loss,” says Kevin Brown, VP of marketing at storage vendor Network Appliance.
Naturally, Brown’s warning is not made out of a sense of altruism: NetApp’s acquisition of storage security vendor Decru, which closed in August 2005, gives it technology it believes can alleviate those problems. But Brown is also aware that he can draw upon countless real-life examples to back up his perhaps self-serving argument.
High profile examples include : the ‘missing’ Bank of America back-up tapes holding 1.2 million customers’ (including 60 US Senators’) credit card details; CitiGroup’s loss of personal data for 3.9 million of its customers. The list, unfortunately, goes on.
Such incidents have catapulted encryption technologies into the corporate spotlight. If, the theory goes, storage media can be encrypted before it leaves the site, then it does not matter if it gets lost because no one will be able to read the data.
Safety in numbers
Data can be encrypted according to several standards, where the difficulty of breaking the encryption lies in the key length. While an 8-bit key allows only 28 (256) permutations, modern computers can crack the encoded material relatively quickly. Most encryption today uses the 128-bit Advanced Encryption Standard (AES) which has 2128 (340 undecillion, or 340 followed by 36 zeroes) possible permutations. Vendors are also beginning to market 256-bit AES encryption.
Clearly, such sophisticated encryption can be a powerful mechanism for encoding data, but Rich Mogull, analyst at research house Gartner believes that there are only three situations where encrypting data is necessary: when data is in transit, both physically and virtually; when legislation demands it; and where it can add an extra level of granularity to access controls. “Any other use is a waste of resources and won’t result in any security benefits,” he says.
While governments and the military have been encrypting stored data for many years, the practice has been largely ignored by business. Partly this is because the technology was focused on such intensive, high-end uses it was either too expensive or added too much latency into the storage process to be suitable for businesses.
At present less than a quarter of companies always encrypt the back-up data they store on tape.
At IBM they have been using encryption within the mainframe environment for the best part of two decades. “IBM encrypts right inside the system,” explains Doug Neilson an IBM senior eServer consultant. “There are processors that encode and decode and manage the keys.”
But encryption at the host level can introduce latency within the wider storage system, says Martin Warren, automated tape solutions business manager from storage tape maker StorageTek. “It is expensive and it is operating system-dependent.”
The issue of latency is primarily associated with data stored on disk. The vast majority of data that is stored on tape is accessed infrequently, so milliseconds of latency are less of a problem. Decru boasts it can encrypt 10GB per second. “We sit in the data path and if we are encrypting something someone wants we make them wait a microsecond, encrypt it, then send it back,” says Brown.
However, those fractions of seconds taken to encrypt data can have damaging consequences when it comes to back-up. Multinational organisations with centralised infrastructures frequently find that the back-up window is shrinking – additional seconds to encrypt data cannot be accommodated. Peter Dixon, VP for worldwide sales at storage security vendor Neoscale, says: “The main characteristic of primary storage is speed, and encryption cannot compromise that.”
For many businesses, the only solution is to encrypt data when it is being moved to a virtual tape library.
Further complications arise when organisations come to consider how they will manage data once it has been encrypted. For example, vendors disagree about the best way to manage the keys needed to encrypt and decrypt data.
“Do you store the data with the key or not? For ultimate security, keys should be kept separate, but then what if they get lost? And if keys are stored separately, where should they be? Should it be trusted to a third party? It all hinges on the level of paranoia,” says StorageTek’s Warren.
One method is to embed the key in the hardware – an approach favoured by vendors Decru and Neoscale. As Decru’s Brown explains: “If you encrypt in software, it’s likely you have the keys in Windows, which is unsatisfactory. There’s no point having the keys if they are not secure themselves.”
Both vendors use key management software to ensure that while the data is securely encrypted, the keys to decode it cannot be lost if the devices fail.
Key management can also be used to add additional value to data that needs to be stored for long periods of time, says Steve Terlizzi, marketing VP for storage management vendor Atempo. If different classes of data are encrypted using different keys, businesses can simply delete keys when they no longer want to retain the data. That means that all manner of data can be stored on a single tape, without company compliance policies being compromised.
The use of keys can also help businesses implement their compliance policies: if different keys are applied to different classes of data stored on the same tape, then organisations can delete those keys at the appropriate time, without having to wipe the other contents of that tape.
However Fred Moore from Horison Technologies believes that by focusing on encryption at the storage tape level, many vendors are missing the true potential of the the data encryption market.
“Most mobile data does not take the form of tapes in trucks, but of people carrying their PCs with them with 80-100GB of memory,” he says. “All the instructions to read the data are on the actual computer and the real explosion in the market will come when PCs start to be encrypted.”
Paul Howard, managing director of back-up encryption vendor DISUK is unequivocal about the reasons for the growing interest in encrypted data storage: “Investment at the moment is borne of fear.”
But such fears cloud some of the benefits that businesses can achieve from encrypting stored data, he says. As the insurance industry wakes up to the risks associated with storing data, companies will be able to lower premiums through encrypting data.
For now, legislation such as The California Senate Bill 1386 is also helping to increase awareness, obliging any company whose IT systems have been compromised to inform Californian residents if their personal data has been exposed, unless it was encrypted.
And as organisations look to drive out costs through the use of business process outsourcing, encrypted storage will grow in importance. The European Commission’s 1998 Directive on Data Protection prohibits personal data being stored in non-EU countries if they do not meet European standards for privacy protection. “Now,” says Decru’s Brown, “if you want to outsource to India you can do so knowing you control the keys, so there’s no nerves about having your source code there. It’s a good selling point to be able to set central control policies and then implement them globally.”
Ultimately, corporate use of encryption may become standard. Al-ready the Payment Card Industry (PCI) Data Security Standard for private industry says merchants should “encrypt transmission of cardholder and sensitive information across public networks.”
Indeed records management company Iron Mountain – itself the victim of an embarrassing loss of customer tapes – says encryption must become more widespread. “It is important to understand that unencrypted information stored on back-up tapes is difficult to read, but it is not impossible. Companies need to reassess their back-up strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy,” a company statement read.