Problem solve Get help with specific problems with your technologies, process and projects.

Storage encryption prevents identity theft

The issue of encrypting stored information is surfacing again. However, using storage encryption technologies presents some challenges.

The issue of encrypting stored information is surfacing again, thanks to incidents like a recent theft at a large bank, in which four servers containing names, addresses and social security numbers of thousands of mortgage and student-loan customers were stolen. Such crimes aren't cheap: According to the Attorney General, identity theft alone costs the U. S. Economy an estimated $50 billion a year.

However, using storage encryption technologies presents some challenges. In order to deploy encryption of stored information, IT customers require several features:

  1. Secure storage and availability of keys used to encrypt stored data, perhaps for as long as ten years.
  2. Protection of stored data against unauthorized modification, or, at a minimum, detection of such modifications.
  3. Availability of software for decrypting the data, for the same period of time. By software, we mean the code of the algorithm that was originally used to encrypt the data. Some customers may also want to be assured that the software for decryption would indeed work 5-10 years later, thereby requiring frequent testing.
Let us review the difficulties to achieve the above goals. Consider the first goal for availability of secret keys. Companies undergo mergers and acquisitions. The system administrators, who are the likely custodians of the secret keys required for decryption, might change jobs during these transitions, or the organization itself might move around, and the servers change hands. A simple approach is to store the key in the server. However, that defies a key goal, since if the key is in the server, the attacker can steal the server and break the coded secret keys. The attacker can try brute-force attacks since he has almost unlimited time. An interesting approach is used in IBM's ICSF (Integrated Cryptographic Service Facility), which stores the "master key" in a secured hardware module in the mainframe. The module destroys the secret key if it is accessed in an unauthorized manner. The master key is used to encrypt other encryption keys.

The second goal can be accomplished by implementing a data integrity scheme. The third goal is more difficult. Encryption technologies are aging fast. Encryption algorithms are being retired quickly to prevent brute force attacks that may be accomplished in a short time. Last July, NIST announced that DES encryption was inadequate for use in software products sold to the government. The aging of encryption algorithms may inhibit the availability of decryption software at a later time.

So the choices for IT customers are difficult. Customers need complete solution for their storage encryption, before they encrypt their critical information. Encrypted information may become useless if it cannot be decrypted. So in the absence of a complete solution, IT customers have the following choices:

  1. Accept the above exposures, and deploy encryption with as many features that address above exposures. Implement strict processes and procedures that address above exposures. This option may be necessary if your data is highly sensitive.
  2. Implement best practices to protect clear-text data without encrypting it. Such practices may include stricter access control and authorization processes. This option may be deployed especially if deploying encryption is significantly more expensive than the best practices, and the data is critical but not highly sensitive.
Dr. Vijay Ahuja is the president and founder of Cipher Solutions Inc., a professional services company that assists its clients in implementing storage security and offers customized seminars on storage and network security issues.

Dig Deeper on Data center storage

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.