There's a lot of talk about regulatory and industry compliance these days -- especially when it comes to storage encryption. Pretty much every facet of IT is affected by this in one way or another and storage systems are no exception. Many well-intended IT professionals recommend encryption as the solution for everything, but the experienced storage administrator knows it's not that simple. The bottom line is, whether it makes good technical sense or not, storage encryption may be a viable -- if not the only realistic -- control available to lock down your sensitive information at rest.
Looking at your storage weaknesses using this method is the only reasonable way to determine what, if anything, needs to be encrypted. It's also a good way to justify budget and resources for buying and implementing new storage security technologies and provides a good source of documentation (aka CYA log) if you choose not to encrypt your information at rest.
So, you've got at least a seven-step process to go through to ensure everything's in check.
- Classify your information or, if someone else handles this process, review your organization's most recent classification documentation to ensure you know what's important and what needs the most attention.
- Determine where sensitive or otherwise "protected" information is stored in areas like your SAN/NAS environment(s), databases, local drives in servers and workstations, especially those susceptible to unauthorized access and theft like laptops, PDAs and other mobile devices, such as iPods and USB drives that can store large quantities of information.
- Determine which regulations affect this information, such as the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) , the Sarbanes-Oxley Act (SOX) and any of the numerous international privacy regulations and state breach notification laws. Check with your compliance manager/officer for this information if you're lucky enough to have one.
- Assess your security to determine what information can be attacked and exploited with encryption not in place. Do it yourself internally or hire an outside expert that can have a fresh look at things.
- Determine other security controls that create a layered defense or could even replace encryption as a defense mechanism.
- Implement encryption controls where needed throughout your storage environment.
- Last, but not least, document what you've done to determine where storage encryption is/isn't needed and how you came to your conclusions. This safety net can make or break your job.
With a few exceptions, I've always believed that information in transit is much less susceptible to compromise than information at rest. I made a strong case for that in Securing data at rest vs. data in transit. If you come to the conclusion that you don't need storage encryption, you've probably overlooked something -- at least at the host level. There are tools available to allow anyone with physical access to a system (laptop, workstation, server, you name it) full control over the operating system and any information stored on it. This is something that I believe only encryption can solve.
Throughout this process, you'll likely determine that not everything needs to be encrypted -- at least I hope so for your sake. The only way you're going to know for sure and be able to make informed business decisions is to figure out where the weaknesses are by using tools and techniques that can get to bottom of things. Beyond this, if there's ever any doubt about whether something's at risk and storage encryption isn't a viable security control, see if you can keep the information off your systems altogether. Of course, that's easier said than done, but why not start asking tough questions like "Why does it need to be here?" and "How long do we need to keep it?" You may be pleasantly surprised and end up with some very good storage risk reduction techniques you never even thought you had.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
This was first published in April 2007