The assumption that firewalls, file permissions and passwords provide enough security without the additional overhead of storage encryption is no longer true. There are plenty of opportunities for secure storage systems to be compromised by forces both outside and inside your organization. Storage-area networks (SANs), network-attached storage (NAS) and direct-attached storage (DAS) systems are goldmines of sensitive information waiting to be exploited.
Here are some tips to help you begin a storage encryption project in your organization.
Getting started: Identify your weaknesses
There are a few things you need to think about before you get started with storage encryption. First, determine your current data storage weaknesses -- you can't protect what you don't acknowledge. Storage vulnerabilities can only be determined by using good security tools and a trained eye. Keep in mind that not all information will have to be encrypted. It all depends on context and risk.
Second, look at technical solutions that address each of your risks, including information classification, permissions, cryptography and key management. Focus on all-in-one technical products and reasonable processes that can provide centralized visibility and control into the encryption process. Don't forget about technical controls and storage-related operations when your next security assessment or audit rolls around. Finding out where the flaws are is the only way to know where things stand and whether your investment will pay off.
Perhaps most importantly, think long-term and make sure the controls and processes you're investing in and rolling out will carry you through the long haul.
Determine which encryption technology meets your needs
While vendors want to make it seem simple, don't assume you can throw a basic encryption appliance into the mix and instantly secure your data storage. There are lots of factors that determine which technology will best suit your needs, including:
- Key management: Whether it's standalone or able to integrate across your network with other encryption systems, this is perhaps the biggest factor to consider.
- In-house expertise: A vendor's engineers can make stuff look easy, but once you're on your own, ongoing administration can become quite a hassle.
- "Plain vanilla" encryption vs. extended features: You can choose between plain vanilla encryption (often called inline encryption) and systems that have more extended features such as granular access controls and separation of duties. The one you choose depends on your network configuration and specific risks.
Your goal is to find a streamlined storage encryption technology that solves more problems than it creates. Every storage environment is different, as is every organization's business needs, so don't fall for a one-size-fits-all marketing allure.
When speaking with prospective storage encryption vendors, make sure to ask questions such as:
- How will the product interact with your firm's existing technologies?
- Will it be transparent to applications and end users?
- Will the product's reporting help your business get a snapshot of current security and/or compliance status?
- Does the vendor support virtualization?
Above all, never rely on storage encryption 100% of the time. It's a great last line of defense, but there are plenty of ways to circumvent its protection if it's not implemented and managed properly.