Users: Storage security becoming a priority

By Beth Pariseau, News Writer 01 Nov 2007 | SeachStorage.com

News and trends in the storage industry Digg This!     StumbleUpon     Del.icio.us

"SOX [Sarbanes-Oxley Act] compliance was our priority first," said David Dulek, storage administration lead for Fastenal Co. Purchasing, a subsidiary of industrial and construction supplies manufacturer Fastenal Co. To become SOX-compliant, upper management must have detailed understanding of all IT procedures. Those processes exposed storage security to new scrutiny.

More on storage security EMC's Coviello: 'Security vendors do not sell fear' Startup accepts mission to destroy flash drive data Cisco, EMC partner on SAN encryption Storage switch startup burns out, turns to security

Fastenal is a medium-sized business taking its cue from larger companies that have been made headlines with data management and security snafus. These situations included losses of backup tapes at Citigroup and Bank of America Corp., and costly email retention blunders by Morgan-Stanley and Intel Corp. "If a handful of big companies start the trend, then smaller companies, like mine, take notice," Dulek said.

In the meantime, vendors keep churning out new data security products. This week, Hewlett-Packard Co. (HP) launched a key management system, the HP StorageWorks Secure Key Manager, a FIPS 140.2 compliant "hardened" appliance that includes active-active failover nodes, as well as path failover between the appliance and the network.

HP's marketing director, Patrick Eitenbichler, said that users have been reluctant to embrace the embedded encryption within LTO-4 tape products because of a lack of key management support to match. "Until very recently, encryption has been very easy, but decryption can be very hard," he said. "Until now, we've been almost recommending that our customers not start encrypting yet, given the situation with key management."

Users agree that key management has been a big factor in their failing to get on the encryption bandwagon, since "secure erase" and "unintentional deletion" of a file involve the same process -- losing or destroying an encryption key.

HP's key management system offers high-availability configurations and the keys can be backed up for extra protection. Still, Luke Kannel, senior Windows server specialist for information systems at a healthcare company in the Midwest, said he'd like to see more systems act like Microsoft Corp.'s Encrypting File System (EFS). EFS has a recovery agent set up for those "oops" situations.

HP said just backing up the keys is still the better approach. "An EFS-like recovery agent isn't necessary in the Secure Key Manager (SKM) solution -- the bottom line is, with either solution, once the key is lost the data becomes irrecoverable," wrote an HP spokesperson in an email to SearchStorage.com.

For some users revisiting storage security, key management is moot. These users said they still aren't interested in security for security's sake. They're instead looking to improve processes and eliminate potentially risky technologies from their environments altogether, rather than adding a security layer to existing devices.

A user for a Fortune 50 company, who asked that neither he nor his company be named, said his organization had switched from off-site tape shipped via Iron Mountain Inc. to an internally managed EMC Corp. Clariion Disk Library and encrypted replication to a secondary location. This user shuns commercial prepackaged products whenever possible, relying instead on open source utilities or standards such as CHAP, a secondary layer of authentication for iSCSI systems supported by most IP SAN vendors.

Like so many other concepts in storage management, it all comes back to data classification -- identifying which data is at most risk and securing it accordingly. "I don't want to spend the money for the maximum protection on everything," Dulek said. "But that's where you run into the problem of knowing where data is but not necessarily what it is."

Tough as it may be, classifying data is necessary, said Enterprise Strategy Group analyst Brian Babineau . "IT people need to classify to cut up-front costs and identify the highest risk data," he said, and then they need to encrypt accordingly. "If there's human intervention in your data management process, there are going to be mishaps," he added.

Tags: Secure data storage,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Secure data storage Throwing caution to the clouds Storage encryption essentials Vendors take steps to lock down cloud storage services Encryption Special Report: Key management stumbling block to securing data What you need to know about storage encryption products Isilon targets enterprise NAS with Backup Accelerator, N+2:1 parity Storage Decisions Chicago 2009 Session Downloads Storage Decisions Session Downloads: Disaster Recovery Track (Chicago 2009) Storage Decisions Session Downloads: Data Retention & Retrieval Track (Chicago 2009) Data on the brink

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary hard drive shredder  (SearchStorage.com) Storage as a Service (SaaS)  (SearchStorage.com) storage encryption  (SearchStorage.com) storage security  (SearchStorage.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary