Tape encryption not a security cure-all

By Kevin Komiega

Thanks to a few high-profile incidents of lost backup tapes recently, data security has been boiled down to a simple solution by many vendors: tape encryption. However, the storage security problem can't be solved so easily. It's about the process...

Securing backup tapes is a critical component to any solid security strategy, but if you think tapes represent the only vulnerability in your storage environment, you are mistaken.

James Geis, director of storage solutions at Forsythe, a technology and business consulting firm, believes that there is not an easy answer to storage security. "It's a process and not a product," says Geis. "Just because you're encrypting something does not mean you're done."

Geis counsels end users on how to develop and implement security policies. The first step in the process of securing your data, he advises, is to identify the risk points beyond simple data encryption.

The starting point
Security threats to your data can come from anywhere. Geis says that the most critical security threats common to all networked storage environments are found in the storage management console, SAN switches, backup servers, and anything related to the backup process, including physical access to tapes. End users have to start by asking themselves a long but important list of questions about responsibility, accountability, and technology.

Determining where the storage group's responsibility for security ends and the network group's begins is crucial. According to Geis, it's a myth that security falls on the shoulders of the backup or storage administrator.

"There's a fine line between storage security and information security," says Geis. "Whose responsibility is it if I break into a server through an application and can ultimately get to the SAN?"

Geis advises users to promote a convergence of several technology practices within the IT organization to overcome the obstacle of ownership. "It's an ugly situation organizationally and that's why you have to get all hands on deck to take the 360-degree view of how it affects every point of entry and every point of exit," he says.

Next is the process. What is the chain of custody for controlling sensitive information in your organization? Forsythe recommends a layered approach to managing data securely by instituting policies for data transport, management, applications, and device and file access.

Once responsibilities for data are clearly defined, the data itself needs to be classified. Identifying what types of data pools should be encrypted because of privacy issues or federal regulations, for example, is a good place to start.

Addressing the aforementioned issues is necessary and goes hand-in-hand with the technological approach to storage security. "It's about dividing out all of the data and determining what does and doesn't make sense for the business," says Geis, "and there is no easy answer."

Hardware or software?
Choosing your approach to storage security is a tricky proposition. And it's a decision that most organizations have not yet made.

"Some corporations are waiting to do something about it until they have to," says Geis. "There is still a wait-and-see attitude."

Geis says that purpose-built appliances are showing more promise than software-based encryption and security applications, despite end-user apprehension over adding another device to the data path. "There is a lot of uncertainty over where encryption should take place and what should be encrypted," he notes.

According to Geis, appliances have an advantage over software-based methods because they can work with different architectures regardless of transmission methods, while software-based encryption is subject to issues such as backwards compatibility.

Records management giant Iron Mountain recently lauded appliance-based encryption as the technology of choice for its customers after adopting Decru's DataFort storage security appliances for its internally generated backup tapes. Iron Mountain has been evangelizing the importance of tape encryption since the company lost a container of backup tapes belonging to its customer Time Warner in a heavily publicized mishap last May. Iron Mountain has subsequently taken to releasing periodic "alerts" to its customers about the importance of data security.

Decru was recently acquired by Network Appliance for more than $270 million. Other storage security appliances on the market include NeoScale Systems' CryptoStor family and the Assureon system from Nexsan Technologies, which is billed as a hybrid security appliance and fixed-content storage device.

There is a simple quiz available online from the Storage Networking Industry Association (SNIA) that can give end users a basic assessment of their level of storage security. The SNIA Storage Security Industry Forum (SSIF) offers a Risk Assessment Toolkit covering concepts and practices associated with SAN security best practices. The quiz can be found at www.snia.org/ssif.

This article was originally published on November 30, 2005