ITPRO

Printed from www.itpro.co.uk


The rise of storage security

With significant growth in data retention comes a need to take a fresh look at data security and to ensure stored information is kept safe and secure at all times.

By Ron Condon, 18 Feb 2008 at 15:41

Anyone who has had their hard drive die on them, only to discover their last back-up was made 18 months ago, has learned one important aspect of storage security. But back-ups are only part of an increasingly complex picture.

Our data now resides on a variety of media and devices - from the desktop PC, to the PDA, the email server, the USB drive and even a mobile phone. It also gets transferred across networks both inside and outside the organisation that owns it. The challenge is not only to ensure the data is not lost or destroyed, but that it does not fall into the wrong hands.

As a number of recent high-profile cases have shown - at Nationwide, and Marks & Spencer, to name but two - a lost laptop computer can cause major panic if important or confidential data is sitting on its hard disk. It not only exposes personal data to potential theft, but it also makes the company in question look slapdash and unreliable.

More to the point, an increasing amount of regulation and legislation is forcing companies to protect and preserve data more effectively. The rules cover everything from personal data protection and the archiving of emails and activity logs in case of litigation to the encryption of credit card details.

Add to that the risk of a thief or disgruntled employee copying valuable or secret information on to a USB device or even a harmless-looking iPod, and the need for a more serious approach to storage security is clear.

The role of encryption

In the wake of various security breaches, many companies have seen encryption as a silver bullet for all their ills. They believe that forcing users to encrypt the whole of their hard disk solves the problem, which it does, but only up to a point.

For a start, encryption does not come without its own problems. It may slow down the system, and if the key is lost, the data is lost too. Key management comes with an administrative overhead which some companies may struggle to master.

"All the database vendors are building in encryption features," says Alex van Someren, the former chief executive of security vendor nCipher. "Oracle is doing it, and Windows Vista has the BitLocker feature, which allows you to scramble everything on your hard disk and then use a combination of a TPM chip and/or a USB stick as a sort of ignition key, to let you unlock the files.

"But for a big company, turning on disk encryption on every PC is a helpdesk nightmare. If you do that, it means that anyone who loses their key has effectively shredded all their data. Powerful tools have powerful risks."

Encryption also does not solve the problem of the legitimate user with a grudge who wants to leak information to a rival company, for example.

So how should a company approach the problem?

A good place to start is by classifying data in much the same way the military does it. Decide which information is confidential or top secret and treat it with more care, restricting who can see it.

However, very few companies do this, according to Chris Gale, head of European business for storage security firm Decru. "We can sometimes spend months explaining the need for classification and definition of policies and procedures," he says. "But in nine times out of 10, it will only be after they have had a business risk or an exposure that they'll come back to us and want a rapid deployment. That's not good for us or them."
