Storage encryption: How much is enough?

Seven steps to determine your storage security weaknesses are outlined, which can help you determine where you need storage encryption in your environment.

There's a lot of talk about regulatory and industry compliance these days -- especially when it comes to storage encryption. Pretty much every facet of IT is affected by this in one way or another, and storage systems are no exception. Many well-intentioned IT professionals recommend encryption as the solution for everything, but the experienced storage administrator knows it's not that simple. The bottom line is, whether it makes good technical sense or not, storage encryption may be a viable -- if not the only realistic -- control available to lock down your sensitive information at rest.

Before you do anything, including responding to management or auditor inquiries as to why you're not using storage encryption, you've got to determine exactly what's at risk in your storage environment and what's vulnerable when it's not encrypted. All too often, IT administrators jump on the "let's implement technical controls for the sake of security and figure out a good reason why later" bandwagon. Don't join the crowd. You need to look deeper and determine what sensitive information is stored, how it can be exploited in the storage environment (by internal and external attackers) and the consequences once it happens. A good place to start is the related tip Storage vulnerabilities you can't afford to miss, in which I wrote about general vulnerabilities associated with storage systems, along with two other tips on hacking techniques and niche tools that can be used to test for, and exploit, storage weaknesses.

Looking at your storage weaknesses using this method is the only reasonable way to determine what, if anything, needs to be encrypted. It's also a good way to justify budget and resources for buying and implementing new storage security technologies and provides a good source of documentation (aka CYA log) if you choose not to encrypt your information at rest.

So, you've got at least a seven-step process to go through to ensure everything's in check.

  1. Classify your information or, if someone else handles this process, review your organization's most recent classification documentation to ensure you know what's important and what needs the most attention.
  2. Determine where sensitive or otherwise "protected" information is stored: your SAN/NAS environment(s), databases, and local drives in servers and workstations, paying particular attention to devices susceptible to unauthorized access and theft, such as laptops, PDAs and other mobile devices, including iPods and USB drives that can store large quantities of information.
  3. Determine which regulations affect this information, such as the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX) and any of the numerous international privacy regulations and state breach notification laws. Check with your compliance manager/officer for this information if you're lucky enough to have one.
  4. Assess your security to determine what information can be attacked and exploited with encryption not in place. Do it yourself internally or hire an outside expert who can take a fresh look at things.
  5. Determine other security controls that create a layered defense or could even replace encryption as a defense mechanism.
  6. Implement encryption controls where needed throughout your storage environment.
  7. Last, but not least, document what you've done to determine where storage encryption is/isn't needed and how you came to your conclusions. This safety net can make or break your job.

With a few exceptions, I've always believed that information in transit is much less susceptible to compromise than information at rest. I made a strong case for that in Securing data at rest vs. data in transit. If you come to the conclusion that you don't need storage encryption, you've probably overlooked something -- at least at the host level. There are tools available to allow anyone with physical access to a system (laptop, workstation, server, you name it) full control over the operating system and any information stored on it. This is something that I believe only encryption can solve.

Throughout this process, you'll likely determine that not everything needs to be encrypted -- at least I hope so for your sake. The only way you're going to know for sure and be able to make informed business decisions is to figure out where the weaknesses are by using tools and techniques that can get to the bottom of things. Beyond this, if there's ever any doubt about whether something's at risk and storage encryption isn't a viable security control, see if you can keep the information off your systems altogether. Of course, that's easier said than done, but why not start asking tough questions like "Why does it need to be here?" and "How long do we need to keep it?" You may be pleasantly surprised and end up with some very good storage risk reduction techniques you never even thought you had.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~
