There is a lot of buzz about the benefits of end-to-end data encryption. This approach seeks to protect specific classes of information, such as cardholder data, from the point at which it is captured (for example at the point of sale) right through to where the data leaves the system, for example as it is passed off to the global payments network.
This has significant benefits since the protection quite literally follows the data wherever it goes. It closes security ‘air-gaps’ along the way and ensures that whenever the data is stored on back-up media or even cloud-based storage it is protected by default. The challenge is that this level of end-to-end protection can be costly to implement and may even be disruptive to existing systems, further driving up costs. The industry has responded with ways to simplify deployment, such as tokenization and format-preserving/controlling encryption.
End-to-end protection is a good objective but few companies have the resources to protect all data, all the time, by encryption. We mustn’t lose sight of more straightforward encryption strategies that address only the biggest risks and that can be applied to virtually all data within the business. Good security has always been about layers and encryption can work the same way. Companies can deploy background protection for all data and add more layers of protection for the most important. These levels of security can be likened to the postal system – all letters are put into envelopes for default protection, however some go by regular mail (the least critical data), some by tracked express services (more important data) and some are hand delivered by bonded couriers (data which requires maximum security through end-to-end encryption).
There are a couple of default encryption strategies that are undisruptive to implement and that provide default protection against obvious risks. One such strategy is network-level protection, for example SSL encryption for data flowing over the Internet. The other is storage encryption, for example when back-up media is sent off site to be archived or when disk drives need to be sent away for repair. Both of these approaches figure prominently in a host of data privacy mandates and are now at the point where they should be considered basic security requirements. IT consultancy Enterprise Strategy Group (ESG) issued a whitepaper in 2009 entitled “A Prudent Approach for Storage Encryption and Key Management” that recommends encrypting back-up tapes and states:
“Active use of tape encryption technologies is a good start, but it does not go far enough; ESG believes that all backup tapes should be encrypted. Why? Backup operations and tape management is often more art than science where confidential and pedestrian data is intermixed on the same tape set of tape cartridges, aggregated in the same shipping boxes, and picked up by the same transportation companies.
“Additionally, almost every publicly-disclosed data breach related to tape has resulted from lost, rather than stolen, tapes. A lost tape or box of tapes places a tremendous burden on IT operations to identify whether this media contained regulated data but since data, tapes, and boxes are usually consolidated during the backup process, it is often impossible to tell. Since regulations generally require companies to disclose if they suspect a breach, they are obligated to do so under these circumstances. Encrypting all backup media could preclude this situation by providing safe harbor, reducing the organization’s liability.”
ESG’s assessment points out a very important truth that storage administrators must consider when debating whether to deploy tape-based encryption—the loss of unencrypted data on disk or tapes usually requires organizations to make the incident public to comply with industry and government regulations. What’s more, there are usually significant costs associated with reporting the security breach, including fines, legal action, lost business and the subsequent cost of remediation.
Yet some organizations remain hesitant to encrypt information stored on back-up tapes, even though it is relatively simple to deploy, and the cost of deploying encryption is far less than the aggregate costs of dealing with a data breach.
For the most part, it comes down to confidence—storage managers are afraid they might misplace encryption keys and permanently lose access to information, so they simply do not encrypt. If tapes and other storage media go missing, a storage manager is unlikely to lose his job. But, if the encryption keys are lost and data cannot be recovered, the consequences for a storage manager are likely to be much more severe.
Fortunately, dealing with the fear of mismanaging encryption keys is not a new issue. Although encryption is a new topic in many industries, it is already well established in other sectors – most notably the payments industry. In this sector, best practices have already been established and standards-based technologies already exist to keep encryption keys under control through professional key management. The challenge for the encryption and key management vendor community is to promote this experience to a much wider audience. They must be able to help storage managers confidently deploy storage encryption and ensure that encrypted back-up tapes can be readily accessed when needed as well as reduce the overall cost of managing this technology.
The concentration of sensitive data in one place is another challenge that must be considered, particularly since sensitive data often gets more sensitive with time. For example, some classes of data may be unregulated when first stored but may then become regulated in the future due to new legislation. Consequently, it is advisable and increasingly practical to take a broad-brush approach to storage-level encryption and to establish it as a default layer of protection. Effective key management is critical to success, and a firm understanding of how automated key management works is essential for storage professionals when deploying encryption. By implementing the right key management technologies, storage managers can remain in control without becoming distracted or burdened with having to learn and manage differing key management systems.