How to Protect Sensitive Data

Storage encryption helps prevent embarrassing and costly data security breaches.

Encryption

The data breaches suffered by Target and other major retailers have many businesses worried about the threats posed by hackers. The ongoing adoption of cloud computing and storage raises concerns about the security of data on third-party systems. And more and more employees are transmitting and storing sensitive information on mobile devices — devices that could be lost, stolen or compromised.

While there is no foolproof way to prevent a data breach, one technique comes very close: encryption. Encryption effectively “scrambles” data, which cannot be read without access to the correct encryption key. As a result, encryption can dramatically reduce, if not eliminate, the security risks associated with the loss or theft of stored data.

That has led a number of analysts to proclaim 2014 as the “year of encryption.” Experts predict that organizations will begin to encrypt data within the data center, on endpoint devices and at all points in between.

“Storage, backup and archival solutions are designed only to preserve data; they don’t protect against unauthorized access. Only data encryption can effectively safeguard so-called ’data at rest.’ As a result, organizations should consider incorporating encryption into their storage and backup environments,” said Michael Stenger, IT Director, Atlantic-IT.net.

“Strong encryption using 128-bit or longer keys make it impractical to try to decipher the text through brute force. A 2012 report by the National Institute of Science and Technology estimates that AES-128 encryption should be secure through to 2031.”

Growing Requirement

Organizations in certain regulated industries have very real incentives to encrypt data. The HIPAA Final Omnibus Rule requires covered entities to provide notice to affected individuals, the Department of Health and Human Services and in some cases the media if there is a breach of unprotected — that is, unencrypted — data.

The healthcare sector isn’t the only industry that promotes encryption. Under California’s Security Breach information Act and similar regulations enacted by more than 20 other states, companies must disclose even suspected security breaches to the media and all customers potentially affected. Encrypted data is exempt, however.

The Payment Card Industry (PCI) Data Security Standard mandates the encryption of stored data, including data on backup tapes — a rule that potentially impacts any merchant that accepts credit cards. Noncompliance can result in financial penalties ranging from $5,000 to $50,000 per month.

Regulatory requirements aside, the need to secure data is clear: a single data security breach incident costs $5.4 million, according to the Ponemon Institute. Still, the price tag for data protection can cause sticker shock for many companies.

In addition, many organizations have operated under the theory that encryption makes finding and retrieving information more difficult, increasing the complexity of storage and backup process. Indeed, traditional software-based encryption solutions required companies to make painful tradeoffs to achieve data security: performance degradation, operating system and application dependency or changes in workflow.

A Better Way

The good news is that today’s encryption devices can be so tightly integrated with the storage environment that they avert the unacceptable performance slowdowns of the past. Several vendors offer appliances that sit on the network, encrypting and digitally signing data on the fly. Because they sit “in-line” — that is, in the network data path rather than within application software or storage devices — they operate independently. They can be deployed with storage-area network (SAN), network-attached storage (NAS) or direct-attached storage (DAS) solutions.

These solutions also provide better key management than traditional storage encryption solutions. Encryption rules can be used to minimize the number of keys to be managed and master keys can be used to protect the encryption rules. Centralized security management provides user authentication and role-based privileges. Encryption appliances can also monitor the physical access to the device itself and automatically lock down all encryption keys.

According to the Ponemon Institute’s 2012 Global Encryption Trends Study, released early last year, about 35 percent of U.S. businesses had an encryption strategy applied consistently across the enterprise. Experts expect that proportion to increase dramatically due to the threats posed by hackers and malware, along with cloud and mobility risks. Encryption can help organizations meet regulatory requirements and prevent a costly and embarrassing security breach with little impact on IT operations.