Legislative mandates and cyber threats alike should now prompt you to evaluate the security of the sensitive information residing in your storage networks.
Traditionally, businesses have focused on securing "data in flight" as it traverses open networks, including the Internet. Technologies such as SSL (Secure Sockets Layer) and IPSec protect sensitive data over open networks. When in storage, however, company-confidential information resides for indefinite periods of time, giving attackers almost unlimited time and opportunity to steal or corrupt it.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes a mandate to protect any individually identifiable health-related information. The U.S. Department of Health and Human Services published the final regulation in December 2000, with a compliance date of April 14, 2003 (April 14, 2004 for small health plans). This rule covers health plans, health clearinghouses and healthcare providers who conduct certain financial and administrative transactions electronically. Covered entities must implement standards to protect and guard against the misuse of individually identifiable health information; failure may trigger civil or criminal penalties.
At the same time, identity theft is a fast-growing cyber crime in which attackers steal individual identities, then misuse the stolen credit cards or order new ones. Last week, Canada experienced its biggest identity theft when records of 180,000 clients of an insurance company were lost.
So how can you protect sensitive data in storage?
Stored data can be secured against theft by keeping it in encrypted form using a standard cryptographic algorithm. Several storage security vendors offer encryption of stored data, e.g. Neoscale, Decru, Ingrian and Vormetric. One of the complexities of securing data over extended periods (i.e. years) is key management: vendors need to provide easy and secure ways to store and retrieve the encryption keys while the stored data outlives company reorganizations and changes of system administrators.
The integrity of stored information can also be assured by hash schemes using digital signatures. A hash digest of the data is stored and, from time to time, compared with a freshly computed hash to verify whether the data has been modified without authorization. Tripwire offers such a solution.
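The integrity check just described, as an added example that is not code from the original column or from Tripwire: a keyed SHA-256 digest (HMAC, standing in for the digital signature the text mentions, so that whoever can alter the data cannot simply recompute a plain hash) is recorded per file as a baseline, then recomputed later to report modified, missing and added files. The key, the directory layout and the sample files are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key for the example; in practice it lives outside the monitored storage,
# as does the baseline itself, otherwise both can be rewritten along with the data.
BASELINE_KEY = b"example-baseline-key-not-for-production"

def file_digest(path, key=BASELINE_KEY):
    """Keyed SHA-256 digest of a file's contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_baseline(root, key=BASELINE_KEY):
    """Walk the tree and record one keyed digest per file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full, key)
    return baseline

def verify_baseline(root, baseline, key=BASELINE_KEY):
    """Recompute digests and report what changed since the baseline was taken."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo(tmpdir=None):
    """Constructed scenario: take a baseline, change one stored file, re-verify."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    with open(os.path.join(tmpdir, "records.csv"), "w") as f:
        f.write("id,name\n1,alice\n")
    with open(os.path.join(tmpdir, "notes.txt"), "w") as f:
        f.write("baseline notes\n")
    baseline = build_baseline(tmpdir)
    # Simulate an unauthorized change to a stored record after the baseline was taken
    with open(os.path.join(tmpdir, "records.csv"), "a") as f:
        f.write("2,bob\n")
    return verify_baseline(tmpdir, baseline)

if __name__ == "__main__":
    print(demo())  # reports records.csv as modified, nothing missing or added
```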
So, if you feel you have sensitive information in your storage devices, you should first develop and implement a security policy that addresses the above exposures. While evaluating storage security technologies or products for the above:
1. Understand how the encryption keys are managed, so you can retrieve your original data at any time over the next 5-7 years.
2. Ensure that you can secure your primary storage as well as backups (tapes, etc.).
3. Determine if you can also ensure the integrity of data, with or without data encryption.
For more information on storage security, such as encryption and data in flight, check out Vijay's Ask the Expert category.
This was first published in February 2003