Computerworld

Safe and sound

No matter how much you trust your staff, you can no longer take chances with personal information on clients, patients or staff.

Vincent Fusca is operations director at a medical centre for evaluative clinical studies where he oversees the handling of nearly 7TB of raw medical data. Programmers aggregate and refine the data down to data-analysis sets that researchers use to publish some of the most comprehensive comparative medical research available.

While he isn't aware of any attempted or successful security breach involving personal medical information at the centre, regulations mean the centre must safeguard patients' personal data. Any loss of information, or any failure to comply with the regulation, could put millions of dollars in research grants at risk.

So two years ago, the centre purchased two network appliance servers that keep data encrypted until researchers request the information on their secure desktops. The data is then sent on to backup tapes in an encrypted form.

On the radar

And like it or not, encryption will become the norm for most data at rest.

Companies of all sizes are exploring encryption because of a real threat of losing data or having it stolen, and because of government regulations such as the Sarbanes-Oxley Act, which require protection of sensitive information. While encryption may not be required, it can provide an easy, blanket solution.

Eric Ouellet, a privacy and security analyst at Gartner, says he saw a tenfold increase in customer calls about encryption technology starting in January 2005.

"First, we had the market leaders. Now, we're getting the midsize companies realizing that personal confidential information regulation is there to stay," Ouellet says.

Security threats aren't confined to the backup tapes stored at off-site facilities anymore, though last year's highly publicized losses of tapes belonging to Bank of America, Time Warner and Citigroup put a spotlight on the need for encryption. Laptops and databases need encryption too.

Still, organizations are reluctant to use encryption. In the Ponemon Institute's 2005 National Encryption Survey, only 4.2 percent of the nearly 800 companies polled said they have enterprise-wide encryption plans. The primary reasons cited for not encrypting sensitive or confidential information were concerns about system performance (69 percent), complexity (44 percent) and cost (25 percent).

It's true that encrypting tapes using some types of backup software increases backup times, consumes more storage space and costs more money. But those arguments may be losing steam. A dizzying assortment of products was introduced last year, promising to make encryption better, smarter and faster. The bad news: in most cases, a single encryption method can't be used to move data all the way from a laptop to off-site storage. The good news: decryption has become simpler, and backup times have improved significantly, especially when using encryption appliances.

A successful encryption plan involves identifying the right data to encrypt, choosing only the encryption technologies that you need and managing encryption keys effectively.

"There is still no right way to apply encryption," says Jon Oltsik, an information security analyst at Enterprise Strategy Group. "It depends on what you perceive the risks to be and where the money is to solve the problem. Focus on figuring out one or two technologies that will take care of the biggest chunk of issues."

Here's a look at some of the newest encryption technologies.

Back-end appliances

Companies that want blanket encryption coverage on the back end, before data goes to backup, should consider appliances that sit between servers and storage systems and encrypt the data as it moves back and forth, says Curtis Preston, vice president of data protection at storage services company GlassHouse Technologies.

Specialized encryption appliances like Decru's DataFort, which was acquired by Network Appliance last year, and NeoScale Systems' CryptoStor can run in storage-area network (SAN), network-attached storage (NAS), iSCSI and tape infrastructures. They encrypt data at close to wire speed, with little latency. Both vendors have also developed versions of their products that will encrypt backup tapes. Decru's offering encrypts NetApp storage, as well as EMC, Hewlett-Packard, Sun Microsystems and IBM storage.

Fusca says encrypting and decrypting data goes unnoticed by users at the centre. "When they get up on the analytical servers and start drawing data through either the tape library or the electronic storage through the DataForts, it is relatively transparent, and there are no discernible delays in accessing the data," he says.

Key management has been simplified. "Once we identify the appropriate client stations that are on the virtual private network that can draw requested encrypted data into their 'cryptainer' [a device that stores decrypted data on the desktop], it's relatively fast and painless for them," Fusca adds.

Appliances also trump software-based encryption at the database level when it comes to compression. Software-encrypted data can't be compressed, so the tape drive's usual space saving of 1.5 to 1 is lost. "These hardware devices have a compression chip in them, so they compress before they encrypt," Preston says.

Library-based tape encryption

In the highly competitive microprocessor market, protecting intellectual property is a serious concern, especially when sensitive data goes to an off-site storage facility.

At Advanced Micro Devices' Longmont Design Centre, IS manager Tom Dixon has been evaluating the beta version of Spectra Logic's BlueScale environment for three months. Spectra Logic is one of two library tape vendors that have recently incorporated security into tape drive and tape library hardware. Quantum's proprietary DLTsage architecture also offers a tape security feature at the drive level.

"Library-based encryption is a good idea for companies that need to lower the risk associated with sending tapes off-site," wrote analyst Galen Schreck in a January report for Forrester Research.

The Spectra Logic product performs data encryption within the library using an enhanced version of its Quad Interface Processor board. Three months into his evaluation, Dixon says the hardware was "fairly easy" to set up. "You don't have to do anything on the host," he says. "They set up the library, and you set up your keys. That's the biggest headache. We haven't even talked about that yet."

The hardware's encryption keys are managed within the library and can be exported via a Universal Serial Bus flash drive or via an encrypted e-mail. The keys can then be imported into another Spectra library or used within a software decryption utility, in case no library hardware is available.

Library-based security has two big benefits over software-based alternatives, according to Schreck. First, there are no performance penalties. By embedding encryption in the tape subsystem, vendors can use encryption co-processors to process the data stream at wire speed. Second, security functions are completely transparent to the software. To outside applications and servers, they behave just like a regular tape library. No external software or operating system support is necessary.

But it also means that the tape vendor is completely responsible for managing security. So customers should look for products with strong key-management features, like quorum-based recovery, integration with backup and recovery tools, and automated replication of keys to an escrow service or tape library at a disaster recovery site.

Laptop and 'edge' encryption

While encryption efforts focus on back-end and off-site storage tapes, Preston says fewer companies are implementing edge-level encryption methods, such as encrypting data on laptops. What's more, basic laptop encryption offers little protection.

"Most people use a Windows name and password. That becomes the key to encrypt the data. If someone actually stole your laptop to steal your data, that key would not stop them for very long," Preston says. A harder-to-crack, global key-management system for Windows exists as part of Microsoft's Active Directory infrastructure, "but not everyone uses it", he adds.

Laptop manufacturers like Lenovo Group are incorporating encryption capabilities into their systems, and Microsoft will add encryption capabilities to the upcoming Vista version of its Windows operating system.

Don't encrypt everything

When it comes to assessing what constitutes "sensitive" data, most companies will find that there are only 8 to 12 bits of information per record, on average, that need encryption, says Gartner's Ouellet. Depending on the type of business, this can include credit card information, financial records, health information, intellectual property documents or information about sexual orientation.

"Once you've identified what those bits are, you can choose what solution gives you the biggest carpet covering over the area," says Ouellet. He offers the example of a large retailer that performs online and telephone transactions and holds a lot of credit card information. Within the database, the most sensitive data should be protected.

"Pick the most sensitive fields and encrypt those. Don't encrypt everything, because you're going to kill the performance on the database or have other issues with searching and access," Ouellet says.

Also, keep track of sensitive data elements as they move throughout the process. "They go from one database to maybe a smaller database," Ouellet says. "Is there a way you can leverage centralized storage, like a NAS or SAN, where both databases store their information in the SAN? There's replicated data, but at least it can be protected using an encryption appliance."

Few shortcuts for persistent encryption

Although encryption strategies exist for laptops, databases and backup tapes, transferring encrypted data from one storage level to the next remains a sticking point. In most cases, data must be decrypted and re-encrypted as it travels from one resting place to another.

"There are some solutions that bridge a couple of the different areas, such as laptop encryption and e-mail," Ouellet explains. "But as far as persistent encryption across the network -- not right now."

A few vendors, including RSA Security and nCipher, offer key management software that can exchange keys between applications from the same vendor. But that technology is in its infancy, Ouellet says.

Enterprise digital rights management (DRM) technologies have the potential to streamline this process. DRM offers persistent encryption and security, and rights activity that is defined as part of the file itself. "There's a tag that's assigned to the file. If I want to view or print the file, I have to validate that I have the proper access rights for that activity," Ouellet says. DRM becomes even more important if companies need to distribute protected documents beyond the enterprise. Microsoft and Adobe Systems are developing DRM products. Adobe plans to ship its LiveCycle Policy Server in the third quarter of this year.

"In five years, DRM is going to be the most pervasive way to protect your data," Ouellet says. "Until then, there is no hybrid right now that covers everything. You're going to have different areas that are covered with different types of technology."

How long will it be safe?

Even with all the new encryption technology, vulnerabilities still exist. Algorithms once thought to be safe, like MD5, SHA-1 and SHA-256, were eventually cracked. How long will today's 3DES or 256-bit AES encryption keys last?

"With any encryption algorithm, at some point there will be enough number-crunching capacity to work through it," says Curtis Preston, vice president of data protection at GlassHouse Technologies.

Using the fastest computers on the planet, how long would it take to crunch these numbers and come up with the code? "With 40-bit encryption, the answer is a couple of weeks," Preston says. Some people believe that 256-bit keys like 3DES will become obsolete within five to 10 years. "But right now, it's fine," he says. "AES 256 goes an order of magnitude beyond that.

"As long as you're using something at or beyond 256-bit encryption," Preston adds, "you're fine."

Have a key-recovery plan

While encryption products can improve security, they also introduce additional management tasks, especially for companies using multiple encryption products. Always include a strong key-management approach, including quorum-based recovery.

"Encryption products that don't provide a means of recovering keys are asking for trouble, particularly in a disaster recovery scenario where files may be lost or disorganized," Forrester analyst Galen Schreck wrote in a January report. "Quorum-based recovery allows a certain number of parties ... to present their credentials and recover encryption keys."

Also, tape libraries shouldn't have to maintain the mapping of encryption keys to tape volumes. It adds another point of management and complicates long-term key escrow.

It's also important to automatically replicate keys to an escrow service or tape library at a disaster recovery site for fast data recovery in the event that the originals are lost, Schreck says.

And don't forget the human aspects of key management, says Eric Ouellet, an analyst at Gartner. "You may actually have controls that already exist that you can leverage, like better authentication or better separation of duties, or better access control" with databases or applications, he adds. "If you focus on those areas, then you don't necessarily need to deploy encryption everywhere."

Employee access and separation of duties should be a top priority. "Maybe the encryption technologies work fine, but does someone have access to a file that they shouldn't have access to? Or do they have a key to get access to that data? If so, you've just compromised your system," Ouellet says. What's more, systems administrators should not be system users, and auditors should not be able to grant themselves access or privileges. "Anything that would cause a conflict of interest would not be allowed," he says.

Encryption decrypted

A glossary of common storage-encryption terms

Sensitive data: depending on the type of business, sensitive data can include credit card information, financial records, health data, intellectual property documents or information about sexual orientation. Most companies will find an average of 8 to 12 bits of data per record that need encryption. The difficulty is locating every place where that information is stored.

Encryption appliance: this hardware sits between servers and storage systems and encrypts data as it moves back and forth. Many of these appliances can run in SAN, NAS, iSCSI and tape infrastructures. They encrypt data at close to wire speed with very little latency. In comparison, encryption software on servers and in storage systems slows backups.

Library-based tape encryption: Security features embedded in tape drive and tape library hardware are often used when data is stored at an off-site facility. Encryption co-processors process the data stream at wire speed as it enters the library. Security functions are completely transparent to the software. No external software or operating system support is needed. But it also means that the tape vendor is entirely responsible for managing security.

Edge encryption: this includes encrypting data at the point of entry on laptops, handhelds and desktop PCs. Basic encryption that requires a username and password offers little protection, but it's better than nothing, say industry watchers. A global key-management system for Windows offers better protection. Some laptop manufacturers are incorporating encryption capabilities in new models.

Enterprise digital rights management: this is the next big thing in key-management technology. Still in its early stages, DRM offers the potential for persistent encryption and security as data travels from laptop to e-mail, database and storage tape by assigning access rights to the file. DRM becomes more important as companies distribute protected documents beyond the enterprise to partners and vendors.

Quorum-based recovery: this is one of three key-management approaches that companies should consider. Quorum-based recovery requires a group of three to five administrators to grant permission before encryption keys can be recovered. Encryption specialists also advise that tape libraries shouldn't have to maintain the mapping of keys to tape volumes. This method adds another point of management and complicates long-term key escrow. It's also important to automatically replicate keys to an escrow service or tape library at a disaster recovery site for fast data recovery in case the originals are lost.

Data compression: appliances trump software-based encryption at the database level when it comes to compression. Software-encrypted data can't be compressed. Encryption hardware devices have a compression chip in them, so they compress before they encrypt, preserving the tape drive's usual space saving of 1.5 to 1.
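As an added illustration of the compress-before-encrypt point made in this entry and in the "Back-end appliances" section (example code written for this article, not from any appliance vendor), the following measures how much tape space each ordering of the two steps uses on a constructed set of records. The cipher is a SHA-256 counter-mode keystream standing in for the appliance's AES; the key, nonce and records are all constructed.

```python
"""Added example: why encryption appliances compress before they encrypt.
The cipher is a SHA-256 counter-mode keystream XORed with the data, a
stand-in for the appliance's AES (an assumption of the demo, not a cipher
to deploy). Standard library only; the sample records are constructed."""
import hashlib
import os
import zlib

# Constructed sample: repetitive, structured records of the kind that
# compress well on tape (every value is made up).
SAMPLE_RECORDS = b"".join(
    b"patient_id=%06d;diagnosis=CODE%02d;visit=2005-03-%02d;site=MAIN\n"
    % (i, i % 7, i % 28 + 1)
    for i in range(400)
)


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (stand-in for AES).
    Calling it again on the ciphertext decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block_in = key + nonce + counter.to_bytes(8, "big")
        stream += hashlib.sha256(block_in).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Appliance ordering: the compression chip runs, then the cipher."""
    return keystream_encrypt(key, nonce, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Host-software ordering: encrypt first, then the drive compresses."""
    return zlib.compress(keystream_encrypt(key, nonce, data), 9)


def space_savings(data: bytes = SAMPLE_RECORDS) -> dict:
    """Return on-tape sizes for each ordering plus the compression ratios."""
    key, nonce = os.urandom(32), os.urandom(16)
    good = compress_then_encrypt(key, nonce, data)
    bad = encrypt_then_compress(key, nonce, data)
    # Round trip: decrypt, then decompress, must give the records back.
    assert zlib.decompress(keystream_encrypt(key, nonce, good)) == data
    return {
        "plain_bytes": len(data),
        "compress_then_encrypt_bytes": len(good),
        "encrypt_then_compress_bytes": len(bad),  # no smaller than plain
        "ratio_compress_first": round(len(data) / len(good), 1),
        "ratio_encrypt_first": round(len(data) / len(bad), 2),
    }
```

The ratio on this deliberately repetitive sample is far higher than the 1.5-to-1 typical of real tape data; the point is that the encrypt-first ordering never shrinks the data at all.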