Ciphering Out Security

Recent headlines underscore the need for data encryption, and the idea is slowly gathering steam in businesses. Here's a look at various approaches taken by early adopters.

The past few months have seen a torrent of stories about corporate mismanagement of customer data. Backup tapes that were lost by the likes of Bank of America Corp., Citibank, Ameritrade Holding Corp. and Time Warner Inc. contained the personal data of millions of customers. Nobody wants that kind of press.

"Losing backup tapes would be highly detrimental to our organization," says Daniel Chow, systems and security administrator at Boeing Employees' Credit Union (BECU) in Tukwila, Wash. "The last thing you want is your name emblazoned on the front page for exposing customer data." To minimize the likelihood that data would be exposed if tapes were lost, BECU has adopted encryption technology from Decru Inc. (which Network Appliance Inc. recently acquired).

The logic behind such a move is straightforward. Experience makes it apparent that attempts to prevent data loss will ultimately fail. It's smart policy to make sure that data has been encrypted so it can't be read when it gets into the wrong hands.

But where should the encryption be done? It can take place within the application, in the database or at the file-system level via software encryption. But software-based encryption can add an overhead burden if done incorrectly. Alternatively, there are appliances you plug in and even hard disks that encrypt data as it's written on disk. Most business users appear to prefer the appliance approach for its convenience and performance advantages—and because it's a plug-and-play way to comply with regulatory requirements.

"Storage security is finally getting attention but still not enough," says Steve Duplessie, an analyst at Enterprise Strategy Group. "Privacy issues are going to ultimately mandate that all data be encrypted—and that will cause big issues all over IT."

The fields of storage and security used to be an ocean apart. Storage personnel were content to let their security colleagues deal with firewalls, intrusion detection and viruses and other external threats. But it's hard to ignore the headlines. So the storage industry has awakened to its huge corporate responsibility—the security of stored data is no longer somebody else's problem.

To date, that awareness has translated into trade magazine articles and conference briefings but not much budgetary action. Adoption of storage security technology and procedures remains low. Enterprise Strategy Group estimates that the entire storage security market totaled $50 million last year. It's expected to double this year, however, and be a substantial growth area for several years. The backup market, in particular, is driving the adoption of encryption technology.

The largest credit union in Washington state, BECU does nightly backups at its headquarters in Tukwila, as well as at a call center in Kent. The backups use Legato Networker software from EMC Corp. in Hopkinton, Mass., to transmit 6TB of data from BECU's storage-area network (SAN), which consists mainly of Hewlett-Packard Co. hardware and Brocade Communications Systems Inc. switches, to an HP ESL9000 tape library. Every morning, those tapes are transported off-site by Iron Mountain Inc.—the Boston-based third-party storage provider involved in some incidents of lost tapes. That trip on the open road raises red flags for some security experts.

"If you are sending your backup tapes by UPS truck, please stop," says W. Curtis Preston, vice president of data protection services at GlassHouse Technologies Inc., a storage consultancy and services firm in Framingham, Mass. "And if you really must ship tapes off-site, make sure they are encrypted."

BECU uses Decru DataFort appliances to encrypt all backup data before it goes off-site. "You can't blindly trust a third party, as you never really know what they are doing with [your tapes]," Chow says. "So we took it upon ourselves to ensure our data was safe."

BECU bought six appliances for $25,000 per unit. The two SANs at headquarters each have two appliances for redundancy, the Kent facility has one, and a disaster recovery site in Spokane has another. A license-key management server is also needed to manage encryption keys for all appliances. Chow says he gravitated toward hardware encryption because he wanted to avoid any performance hit. "We've experienced no overhead with the appliances," he says.

He's also sleeping better, since the system has worked well during audits and tests. For example, someone took a tape and attempted to extract a file, but the output was gobbledygook. Similarly, the audit department challenged IT to prove its ability to rapidly decrypt. A test restore passed with flying colors, Chow says.

While backup operations may be where most organizations start when adopting encryption, companies such as Payformance Corp. in Jacksonville, Fla., have decided to encrypt everything. Payformance offers software that allows companies to print laser checks, statements, invoices and other documents in-house.

"Our financial services and health care clients are very concerned about the security and privacy of their sensitive payment-related data," says George Betancourt, security officer at Payformance. "Personal health information has to be totally buttoned up."

Betancourt tested the encrypted file system built into Microsoft Windows Server 2003, but he wasn't happy with the performance of software-based encryption. He reports that a delay for encryption, even one of less than an hour, meant forcing customers to wait.

The company ultimately decided to use CryptoStor appliances from NeoScale Systems Inc. in Milpitas, Calif. Two units in fail-over mode are hooked directly into the fabric of the company's 2TB SAN using EMC CX500 disk arrays, Dell Inc. tape drives and McData Corp. Fibre switches.

"We ran SAN tests before and after and saw no performance hit," says Betancourt. "So it seemed simplest to encrypt everything."

Payformance uses another CrytoStor unit for tape encryption. Symantec Corp's Veritas Backup Exec 10 software sends data via the appliance to a Dell PowerVault 132T tape library. Those tapes are moved off-site for storage. Why no fail-over in the tape-backup architecture?

"If the appliance fails, we are prepared to stop tape backups for the short time required to have it repaired," says Betancourt. "But the SAN is different. We can't afford any downtime there."

Software Hybrid

The main storage-encryption vendors—Decru, NeoScale, Kasten Chase Applied Research Ltd. and Vormetric Inc.—all offer appliance-based products. However, Vormetric's tool differs from the others because it does software encryption while the appliance manages the keys involved.

Computer gaming middleware company Havok Ltd. uses the Vormetric CoreGuard Security System at its Dublin and San Francisco offices.

"A high-profile hack of Half-Life 2 made us stand to attention as our code is in that game," says Alistair Duff, director of IT at Havok.

Havok is selective about what data it safeguards. It protects only gaming code and other critical data residing on a couple of servers and desktops. Data can be encrypted at rest and in transit. If you're at a PC, when you access a file, it's decrypted as it passes across the network and appears on your machine as clear text, provided you have the required authorization level.

Access can be limited by application, user and host. Software is loaded on each protected machine, and there is an appliance for both offices. The system also gives Duff an added layer of defense against virus-borne threats. "If a Trojan comes in, it won't be installed and run, as it is not approved to run," he says.

Economics and Regulation

Economics may be the main reason why encryption hasn't really caught fire yet. At $20,000-plus per box or as high as $2,000 per software-encryption license, data protection doesn't come cheap. But then again, how much does it cost to repair the damage caused by exposure of customer data?

"Companies like Iron Mountain and [Bank of America] have lost some credibility due to recent events," says BECU's Chow. "The ROI equation is simple—what is the goodwill of the organization worth?"

Despite the high cost, encryption may soon be unavoidable. States such as California have passed laws that include painful sanctions for companies that don't encrypt data. Others are following suit, and a federal mandate is being discussed. While these laws don't typically demand encryption, California SB 1386, for example, requires companies to disclose security breaches to the media and all customers potentially affected—a public relations catastrophe.

"If the [Bank of America] tapes were encrypted, it would not have had to disclose the theft," says Enterprise Strategy Group's Jon Oltsik. "The time has come to stop talking about security and start dedicating budget dollars to address this business risk."


Encryption Options: Hardware Only

Encryption Options: Hardware Only

Encryption Options: Application/Column

Encryption Options: Application/Column

Encryption Options: Local Policy

Encryption Options: Local Policy

Robb is a Computerworld contributing writer in Los Angeles.

Copyright © 2005 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon