Some day soon, storage disks with built-in encryption will be as ubiquitous as cars with built-in seat-belts. So say executives at disk manufacturer Seagate, which, as part of industry body the Trusted Computing Group (TCG), recently published the final specs for industry-wide, full-disk storage encryption standards.
"Encryption will become part of the definition of what a storage device is," the Seagate executives claim in a blog. "Just like seat-belts, expect to see business using fully-encrypted storage in the future to help deal with the growing stream of sieve-like data thefts and losses across the business landscape."
It's a bold prediction, but realisation is still a way off. Certainly, it's too distant for the many information security professionals struggling with the thorny problem of securing sensitive data held in corporate network-attached storage (NAS) and storage area network (SAN) environments, not to mention countless server-based shared folders and other document management systems.
"In the rush to accommodate growing volumes of sensitive stored data, too few organisations have consulted IT security staff at a sufficiently early stage in the procurement decision," says Mark Chaplin, a senior research consultant at the Information Security Forum (ISF).
"What has tended to happen is that a company is sold a SAN, its storage administrators get it up and running and only then are security staff brought in to decide how best to protect the data at rest that sits on devices on these huge storage networks. In effect, IT security staff are asked to retrofit security to an implementation and that's no easy task."
That approach won't impress the growing chorus of auditors, regulators, partners and customers who increasingly demand that organisations vouch for the full security of data at rest, fuelled by perfectly legitimate concerns over data loss, theft and inappropriate access.
And while many organisations have used tape as their preferred storage medium, there's a reason why most are focusing on disk-based storage for the long term, says Lynn Collier, EMEA solutions director at Hitachi Data Systems.
"The influx of data volumes means high-availability disk systems are the quickest and most effective way to store data, if still not the cheapest," she says. "Disk-based storage is future-proofed. Its long-term benefits outweigh short-term procurement costs.
Tape can degrade and managing data deletion in a tape environment has its own challenges. The long-term reliability and longevity of disk-based systems make them a far more attractive option for critical information archives," she says.
But before jumping into large and complex disk encryption projects, IS professionals face difficult choices as they wrestle with a range of approaches, many based on proprietary technology, says Eric Ouellet, an analyst with IT market research company Gartner.
They should make those choices with care, he says: "Encryption can be used to enhance and benefit an organisation's security posture and resistance to threats and common risks.
However, if deployed without adequate planning and understanding of the organisation's resources, existing controls and a clear approach to risk mitigation, the result can be that organisations are no better off than before applying encryption."
Choices, choices
Built-in hard-disk encryption does make sense, Ouellet believes. Already, he says, there are a number of offerings from companies including Seagate, Hitachi and Toshiba, although most products don't yet comply with the latest TCG standards. Built-in hard-disk encryption offers three compelling advantages: scalability, managed complexity and cost.
However, retrofitting a large, centralised storage environment would involve replacing drives and may represent significant cost, he warns. So built-in hard-disk encryption should be considered suitable only for new installations in organisations that hold significant volumes of sensitive data.
Fortunately, there are other options. One is appliance-based encryption, as demonstrated by storage vendor NetApp. In March, it announced that its DataFort and Lifetime Management Key applications had attained Level 4+ in the Common Criteria for Information Technology Security Evaluation, an international framework.
Both technologies were acquired by NetApp in its 2005 purchase of storage encryption specialist, Decru, and are now built in to NetApp's range of storage devices.
Issue: 277 | March, 2010