Data storage management
Storage encryption: How much is enough?


Kevin Beaver
04.19.2007

What you will learn: Seven steps to determine your storage security weaknesses are outlined, which can help you determine where you need storage encryption in your environment.

There's a lot of talk about regulatory and industry compliance these days -- especially when it comes to storage encryption. Pretty much every facet of IT is affected by this in one way or another and storage systems are no exception. Many well-intended IT professionals recommend encryption as the solution for everything, but the experienced storage administrator knows it's not that simple. The bottom line is, whether it makes good technical sense or not, storage encryption may be a viable -- if not the only realistic -- control available to lock down your sensitive information at rest.

Before you do anything, including responding to management or auditor inquiries as to why you're not using storage encryption, you've got to determine exactly what's at risk in your storage environment and what's vulnerable when it's not encrypted. All too often, IT administrators jump on the "let's implement technical controls for the sake of security and figure out a good reason why later" bandwagon. Don't join the crowd. You need to look deeper and determine what sensitive information is stored, how it can be exploited in the storage environment (by internal and external attackers) and the consequences once it happens. A good place to start is with this related tip, Storage vulnerabilities you can't afford to miss, in which I wrote about general vulnerabilities associated with storage systems, as well as in two other tips on hacking techniques and niche tools that can be used to test for, and exploit, storage weaknesses.

Looking at your storage weaknesses using this method is the only reasonable way to determine what, if anything, needs to be encrypted. It's also a good way to justify budget and resources for buying and implementing new storage security technologies and provides a good source of documentation (aka CYA log) if you choose not to encrypt your information at rest.

So, you've got at least a seven-step process to go through to ensure everything's in check.

  1. Classify your information or, if someone else handles this process, review your organization's most recent classification documentation to ensure you know what's important and what needs the most attention.
  2. Determine where sensitive or otherwise "protected" information is stored: your SAN/NAS environment(s), databases, and local drives in servers and workstations. Pay special attention to devices susceptible to unauthorized access and theft, such as laptops, PDAs and other mobile devices, including iPods and USB drives that can hold large quantities of information.
  3. Determine which regulations affect this information, such as the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX) and any of the numerous international privacy regulations and state breach notification laws. Check with your compliance manager/officer for this information if you're lucky enough to have one.
  4. Assess your security to determine what information can be attacked and exploited with encryption not in place. Do it yourself internally or hire an outside expert who can have a fresh look at things.
  5. Determine other security controls that create a layered defense or could even replace encryption as a defense mechanism.
  6. Implement encryption controls where needed throughout your storage environment.
  7. Last, but not least, document what you've done to determine where storage encryption is/isn't needed and how you came to your conclusions. This safety net can make or break your job.
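The steps above are a process, not a tool, but steps 2, 3, 4 and 7 can be driven by a repeatable inventory that records what regulated data sits in each location, whether that location is encrypted at rest, and the decision you reached. The script below is an added example written for this tip, not code from the author or from any product. Everything in it is constructed: the storage locations and their sampled contents are invented, the regulation mapping (card numbers to PCI DSS, SSNs to GLBA and state breach notification laws, medical record numbers to HIPAA) is an illustrative assumption rather than legal advice, and the "MRN" tag used to spot medical record numbers is a hypothetical format. Card-number candidates are Luhn-checked so that an ordinary 16-digit order ID is not flagged as a PAN.

```python
"""Storage-at-rest risk inventory (added example): classify sampled content,
map it to regulations, check encryption status, and record the decision."""
import re
from dataclasses import dataclass

# Illustrative data-class -> regulation mapping (an assumption, not legal advice).
REGULATIONS = {
    "PAN": ["PCI DSS"],
    "SSN": ["GLBA", "state breach notification laws"],
    "MRN": ["HIPAA"],
}

PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")   # 16-digit card-number candidates
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN layout
MRN_RE = re.compile(r"\bMRN[ :#]*\d{6,}\b")           # hypothetical medical record tag


@dataclass
class StorageLocation:
    name: str
    kind: str               # "san", "database", "laptop", "usb" (constructed labels)
    encrypted_at_rest: bool  # what step 4 found
    portable: bool           # exposed to theft, per step 2
    sample: str              # a few lines sampled from the location


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Step 1/2: which regulated data classes appear in the sampled text."""
    classes = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            classes.add("PAN")
    if SSN_RE.search(text):
        classes.add("SSN")
    if MRN_RE.search(text):
        classes.add("MRN")
    return classes


def assess(loc: StorageLocation) -> dict:
    """Steps 3, 4, 6 and 7: map to regulations, decide, and record the rationale."""
    classes = classify(loc.sample)
    regs = sorted({r for c in classes for r in REGULATIONS[c]})
    if not classes:
        decision, priority = "no-encryption-required", "low"
        rationale = "no regulated data found in sample; decision recorded (step 7)"
    elif loc.encrypted_at_rest:
        decision, priority = "already-encrypted", "low"
        rationale = "regulated data present but location is encrypted at rest; verify key management"
    else:
        decision = "encrypt-required"
        priority = "high" if loc.portable else "medium"
        rationale = "regulated data stored in the clear"
        if loc.portable:
            rationale += "; portable device exposed to theft"
    return {"name": loc.name, "kind": loc.kind, "data_classes": sorted(classes),
            "regulations": regs, "decision": decision, "priority": priority,
            "rationale": rationale}


def inventory_report(locations) -> list:
    """The documentation trail the tip calls a CYA log: one record per location."""
    return [assess(loc) for loc in locations]


# Constructed sample inventory; none of these are real systems or real records.
SAMPLE_LOCATIONS = [
    StorageLocation("pos-db", "database", False, False,
                    "order 1182 card 4111-1111-1111-1111 exp 09/09"),
    StorageLocation("sales-laptop-07", "laptop", False, True,
                    "loan application, applicant SSN 123-45-6789"),
    StorageLocation("clinic-san-vol2", "san", True, False,
                    "MRN 00045871 visit notes, follow-up scheduled"),
    StorageLocation("marketing-usb", "usb", False, True,
                    "Q3 brochure draft, order id 1234567890123456"),
]

if __name__ == "__main__":
    for rec in inventory_report(SAMPLE_LOCATIONS):
        print(f"{rec['name']:<16} {rec['decision']:<24} {rec['priority']:<6} "
              f"{','.join(rec['regulations']) or '-'}  {rec['rationale']}")
```

In practice the `sample` field would be fed by whatever discovery tooling you already run against each location, and the `encrypted_at_rest` flag by the assessment in step 4; the value of the script is the record it leaves behind, which is exactly what step 7 asks for when someone later questions why a given volume was or was not encrypted.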

With a few exceptions, I've always believed that information in transit is much less susceptible to compromise than information at rest. I made a strong case for that in Securing data at rest vs. data in transit. If you come to the conclusion that you don't need storage encryption, you've probably overlooked something -- at least at the host level. There are tools available to allow anyone with physical access to a system (laptop, workstation, server, you name it) full control over the operating system and any information stored on it. This is something that I believe only encryption can solve.

Throughout this process, you'll likely determine that not everything needs to be encrypted -- at least I hope so for your sake. The only way you're going to know for sure and be able to make informed business decisions is to figure out where the weaknesses are by using tools and techniques that can get to the bottom of things. Beyond this, if there's ever any doubt about whether something's at risk and storage encryption isn't a viable security control, see if you can keep the information off your systems altogether. Of course, that's easier said than done, but why not start asking tough questions like "Why does it need to be here?" and "How long do we need to keep it?" You may be pleasantly surprised and end up with some very good storage risk reduction techniques you never even thought you had.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
