Built-in encryption is key to ending data leaks
- 18 May, 2007 15:21
It hasn't happened to me so far (fingers crossed), but I imagine there are very few things more disturbing than having your personal information put at risk because someone lost or misplaced a tape cartridge or a laptop.
The remedies when something like this happens -- and unfortunately, it happens often -- have so far been inadequate, to say the least. Quite frankly, a year of free credit watch service wouldn't do much to appease me if my Social Security number had been thrown to the dogs.
How big is this data-breach phenomenon? It's hard to put it into some kind of metric, but to get a feel for its breadth, take a look at this chronological table of past data breaches.
I don't know if that is an all-inclusive list, and it really doesn't matter -- there are more than enough incidents reported on that page to make anybody's blood boil with indignation. What's more irritating is that almost all of those disclosures could have been prevented by using data encryption on sensitive data, especially when that data flows to mobile devices or removable media.
Why, then, are companies not implementing encryption whenever possible and appropriate? Is it because they can get away with just having their hands slapped when a disclosure occurs? Perhaps, but it's also true that implementing and managing encryption is a big pain in the neck.
Software encryption tools abound, but they add an overhead in processing time and human labor that many companies just can't absorb. Thankfully, the previously rare solutions that implement encryption via hardware chips are becoming more numerous, which should help make your encrypted data fly as fast as clear data. For example, vendors such as Seagate and, more recently, Hitachi Data Systems have started to include encryption technology in their disk drives.
Why is that good? Let me answer by quoting the blog of Chris Parkerson, senior product marketing manager for RSA:
"I personally believe that the best security for businesses is going to come from a security infrastructure that is built right into the devices, computers, and major software applications that they buy. It just makes sense!"
Indeed it does, but what happens when you have tens -- if not hundreds -- of devices in your datacenter, each with its own proprietary encryption system? How many touchpoints will you have to manage to encrypt data on every tape drive, library, and storage device? Probably too many to keep your sanity.
To be clear, I like having devices that deliver data encryption right where it's needed, but you would gain a lot more flexibility and scalability if you could centralize those tasks when necessary. Considering that most of the customers who need more protection for their data are on a SAN, why not make encryption a network service, delivered from the far-reaching but easily managed fabric switch?
If you follow our Test Center Daily blog, you may already know that CipherMax was the first vendor to come to market with a flexible line of products that can either combine switching and encrypting services in the same box or complement existing fabrics with encryption alone.
I like the concept of switch-centric encryption, and if you do as well, knowing that Cisco is also headed in that direction should be reassuring. There is no product announcement quite yet, but judging by a conversation I had this week with Doug Anderson, software product manager at Cisco, encryption modules for the MDS 9000 line should become available before year's end.
The name of the new technology may be a predictable acronym (SME, for storage media encryption), but it should deliver wire-speed, strong encryption for data traveling between any server port-LUN pair that you choose. The new features will be fully integrated with existing management tools, including Fabric Manager and the CLI.
In a first release expected in the next semester, SME will focus on tape encryption. Disk encryption, an extension that should help close the door on many of the security breaches in that list I mentioned earlier, should follow shortly.
According to Anderson, adding the magic touch of encryption with SME will not require much change, if any at all, in network topology or configuration. It should also work seamlessly across VSANs (virtual SANs).
Together with tape encryption, Cisco will also make its API for key management available to third parties, a not-so-subtle invite to key management solution providers to embrace SME. Obviously, Cisco's expectations are that SME will have to coexist with other encryption products in the datacenter, including, as RSA's Parkerson suggests, computers and major software applications.
Solutions such as SME may help reduce the encryption burden, but a universal, standards-based approach to managing encryption keys becomes more necessary every day. Have you seen one yet? I haven't, but I'll keep looking.