Global key management systems are integral to securing the IT storage infrastructure.
By Steve Norall
July 13, 2007—The storage security market is at an inflection point similar to the inflection point that disaster-recovery and business continuance technologies went through earlier this decade. In the case of disaster recovery (DR), the events of 9/11 coupled with natural disasters such as Hurricanes Katrina and Rita underscored the importance of, and need for, serious disaster-recovery planning and business continuance technologies. As a result, IT moved with alacrity as CIOs asked the tough questions about how to protect their IT infrastructure against major catastrophes and outages. Similar conversations to those that happened around DR are now happening around storage security.
The major breaches and data thefts of the past 18 months at blue chip companies such as Bank of America and TJX have raised the consciousness and temperature around data security and the potential financial and reputation consequences of a breach. As a result, end users are beginning to recognize the vulnerabilities that exist and are acting on the need to secure data-at-rest. As with DR planning and adoption, the phenomenon is occurring in large enterprises first, but adoption of storage security and key management technologies is trickling down to small to medium-size businesses (SMBs) as the technologies become more broadly understood.
The Taneja Group's latest primary research on end users' storage security and key management attitudes, adoption plans, and challenges unequivocally shows that storage security has become of utmost concern for large enterprises. As part of that research initiative, we surveyed 116 IT professionals at large enterprises (companies with revenue of $500 million or more) about their company's storage security strategies and deployments. (A portion of the survey respondents were InfoStor readers.) These companies are still wrestling with the challenges of implementing, scaling, and managing a secured storage environment, but they have recognized that storage security and key management technologies are a necessity in regulated environments. The pump has been primed for adoption of new security technologies and products.
Results from the survey confirm that storage security is no longer a "nice to have" item in the spending and deployment plans of major corporations. The survey found that 61% of respondents indicated that regulatory legislation, such as SOX and HIPAA, is a major driver or influencer in their deployment decisions. Not far behind, the survey found that 57% of the respondents deployed storage security to protect against data privacy breaches and liabilities. Clearly, the press headlines and public embarrassments have had a dramatic effect on IT's thinking with respect to storage security and how IT protects a corporation's data.
Security spending priorities
Security spending has ranked at the top of IT priorities for the past five years. However, we wanted to understand how IT decision-makers weigh the relative importance of storage security compared to other security initiatives, such as protecting data in flight, fighting spam and viruses, and securing the network perimeter. Historically, other security initiatives and technologies have been more important than encryption and protecting data-at-rest.
However, in light of recent breaches and public events, we found that the priority and importance of securing data-at-rest has increased over the last 18 months. For example, 68% of the survey respondents indicated that storage security is now a top five spending priority compared to other security initiatives, and that they have budgeted funds to spend on storage security. We view this data as a sign that storage security has become an integral element of protecting and securing the IT resources of the corporation.
Security breach costs
To understand how respondents justified spending money on storage security technologies, we asked them to estimate how much a single storage security breach would cost their organization. About 57% of the respondents estimated that a breach would cost their organization more than $500,000. Moreover, 31% of the respondents indicated that a breach would result in damages in excess of $1 million. We interpret these results to mean that users are only estimating the hard dollar costs of a security breach. In fact, if users were to factor in soft costs, such as damage to reputation and brand, the cost of storage security breaches would easily run into the millions and even tens of millions of dollars for major corporations.
Given the high cost of a single breach, purchasing storage security products is analogous to purchasing insurance. Storage security—specifically, encryption—represents in users' minds the best approach to securing data-at-rest and protecting the corporation from legal liabilities and penalties imposed by compliance regulation and data privacy laws. The survey indicates that IT is having very little issue justifying storage security purchases in light of the high costs of a single security breach. Therefore, we conclude that storage security represents a "slam dunk" return on investment for most corporate IT decision-makers.
Users' storage security environment
The scope and scale of storage security deployments are expanding rapidly. Based on our survey results, end users in large enterprises already have deployed a significant number of storage security devices to protect both their tape and, to a much lesser extent, disk environments. For the purposes of this survey, we defined a storage security device as any endpoint responsible for encrypting data-at-rest. For example, a storage security device could be a tape drive or library with embedded encryption, a disk system with embedded encryption, a storage security appliance, a backup application using software encryption, a file system with native encryption capabilities, or a database using column-level encryption.
In the Taneja Group's user survey, 32% of the respondents indicated that they had deployed more than 250 storage security devices in their environment today, and another 21% stated that they had 100 to 250 storage security devices deployed. The repercussions for storage management are significant. Each storage security device has its own key management system with its own interface that must be learned by the storage administrator. Given the large number of storage devices deployed today, end users are already grappling with numerous, disparate key management systems that must be administered throughout their environment. This problem is only going to get worse as users continue to scale encrypted capacity in the future.
Heterogeneous security devices
We wanted to understand what types of storage security devices users have deployed and what types they are considering deploying in the future. Based on the data, we learned that large enterprises have deployed a wide range of different types of storage security solutions today. Respondents indicated that they have a fairly evenly distributed, heterogeneous mix of storage devices deployed in their environment today. The top response, at 46%, was backup applications using software-based encryption, but four other types of security devices (dedicated appliances, file system-level encryption, encryption at the tape library or drive level, and custom applications with software-based encryption) all had responses above 30%. Clearly, one size does not fit all for storage security.
Global key management
Storage poses unique security challenges. Unlike networking, where a session and its key are transitory, storage keys must be stored and maintained for the life of the data. In some cases with new compliance regulations, data must be retained for up to 21 years, or longer. Furthermore, given the mobility of data and the third-party interactions present in storage workflows, keys need to be securely distributed so that they can follow the data. Therefore, key management becomes critical not only to protecting the integrity of the system, but also to ensuring that the system is flexible enough to conform to existing storage and IT procedures.
Key management combines the devices, people, and operations required to create, maintain, and control keys. The system contains operational practices that must be implemented to make it work effectively. The best way to think of key management is as an automated process that enforces security, but complies with existing IT procedures for storage.
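To make the lifecycle described above concrete, the following is an added example (not from the article and not any vendor's product): a minimal model of a central key registry that serves several heterogeneous encryption endpoints. It shows the properties the text calls out: a key is created per endpoint, each piece of data carries the identifier of the key that protects it so the key can follow the data wherever it moves, rotation retires a key to a "retained" state rather than deleting it, and a retained key cannot be destroyed until the retention period of the data written under it (here, a constructed 21-year example) has passed. The endpoint names, retention periods and dates are constructed; actual encryption of data is out of scope for this model and would be done with AES through a vetted library.

```python
"""Model of a global key-management registry for data-at-rest (added example).

Assumptions (constructed for illustration, not from the article):
  - endpoint names such as "tape-library-A" are arbitrary labels
  - keys are 256-bit random values; the key_id is a fingerprint of the key,
    never the key itself, so it is safe to store in a data header
  - actual bulk encryption (AES) is performed by the endpoint and is omitted
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple
import hashlib
import secrets

ACTIVE, RETAINED, DESTROYED = "active", "retained", "destroyed"


def _add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb in a non-leap target year falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class KeyRecord:
    key_id: str
    material: Optional[bytes]          # None once the key has been destroyed
    endpoint: str                      # which encryption endpoint uses this key
    created: date
    state: str = ACTIVE
    retain_until: Optional[date] = None  # latest retention date of data under this key


class KeyRegistry:
    """One key-management layer spanning many encryption endpoints."""

    def __init__(self, today: date):
        self.today = today                       # injected clock, for testability
        self.keys: Dict[str, KeyRecord] = {}
        self.active: Dict[str, str] = {}         # endpoint -> key_id currently in use

    def create_key(self, endpoint: str) -> str:
        """Create a fresh key for an endpoint; any previous active key is retained."""
        material = secrets.token_bytes(32)       # 256-bit key
        key_id = hashlib.sha256(material).hexdigest()[:16]   # fingerprint only
        self.keys[key_id] = KeyRecord(key_id, material, endpoint, self.today)
        previous = self.active.get(endpoint)
        if previous is not None:
            self.keys[previous].state = RETAINED  # still needed to read old data
        self.active[endpoint] = key_id
        return key_id

    def rotate(self, endpoint: str) -> str:
        return self.create_key(endpoint)

    def protect(self, endpoint: str, retention_years: int) -> dict:
        """Record that data written now must stay readable for retention_years.

        Returns the header tag the endpoint stores alongside the encrypted data,
        so the key can be located later even if the data moves (e.g. offsite tape).
        """
        key_id = self.active[endpoint]
        rec = self.keys[key_id]
        until = _add_years(self.today, retention_years)
        if rec.retain_until is None or until > rec.retain_until:
            rec.retain_until = until             # key must outlive its longest-lived data
        return {"key_id": key_id, "endpoint": endpoint}

    def resolve(self, header: dict) -> bytes:
        """Return the key named in a data header, regardless of which endpoint asks."""
        rec = self.keys.get(header["key_id"])
        if rec is None or rec.state == DESTROYED or rec.material is None:
            raise KeyError("key %s is unavailable" % header["key_id"])
        return rec.material

    def can_destroy(self, key_id: str) -> Tuple[bool, str]:
        """Destruction is allowed only for retired keys whose data retention has lapsed."""
        rec = self.keys[key_id]
        if rec.state == ACTIVE:
            return False, "key is active; rotate the endpoint first"
        if rec.state == DESTROYED:
            return False, "key already destroyed"
        if rec.retain_until is not None and self.today < rec.retain_until:
            return False, "data under this key is retained until %s" % rec.retain_until
        return True, "ok"

    def destroy(self, key_id: str) -> None:
        ok, reason = self.can_destroy(key_id)
        if not ok:
            raise ValueError(reason)
        rec = self.keys[key_id]
        rec.material = None                      # drop the material, keep the audit record
        rec.state = DESTROYED


def demo() -> dict:
    """Walk one key through create -> protect -> rotate -> (blocked) destroy -> destroy."""
    reg = KeyRegistry(date(2007, 7, 13))
    k1 = reg.create_key("tape-library-A")
    header = reg.protect("tape-library-A", 21)   # constructed 21-year retention
    k2 = reg.rotate("tape-library-A")
    blocked, reason = reg.can_destroy(k1)
    still_readable = len(reg.resolve(header)) == 32   # old tape still decryptable
    reg.today = date(2028, 7, 14)                # clock moved past the retention date
    allowed, _ = reg.can_destroy(k1)
    reg.destroy(k1)
    return {"k1": k1, "k2": k2, "retain_until": reg.keys[k1].retain_until,
            "blocked": blocked, "reason": reason, "still_readable": still_readable,
            "allowed": allowed, "final_state": reg.keys[k1].state}


if __name__ == "__main__":
    print(demo())
```

The point of the `retain_until` bookkeeping is the one the article makes about retention: a rotated key is retired, not deleted, and the registry refuses to destroy it while any data written under it is still within its retention window. Because the header stores only a fingerprint, the same tag can travel with a tape to a third party without exposing key material, and any endpoint that can authenticate to the registry can resolve it.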
Based on our survey results, there is a growing awareness in the user community regarding the challenges of managing disparate key management systems and the need to consolidate and centralize management of keys for data-at-rest. For example, 19% of the respondents indicated they had deployed a global key management system, while another 54% were considering deploying such a system over the next 12 months.
Drilling down on the data, we found that there is a high degree of correlation between the number of storage security devices currently deployed and the propensity to evaluate and deploy a global key management system. Clearly, there is a management scalability limit that is reached as end users deploy more and varied storage security devices. At this point, a single global key management system that can overlay and interoperate among the disparate storage devices can improve operational efficiency. Not surprisingly, users with more than 100 storage devices deployed in their environment were the most likely to have deployed or consider deploying a global key management system.
Global key management is a relatively new concept for the storage security industry. Even today, much of the discussion about storage security focuses on the efficiency and cost effectiveness of different approaches for encrypting data (backup software, file system, database, storage appliance, tape drive, etc.) using standard algorithms such as AES. However, as heterogeneous encryption endpoints and key systems proliferate, the importance of a global key management system for enabling the continued management and scalability of a secured storage environment becomes paramount. As a result, vendors across the spectrum are increasingly collaborating to put in place industry-wide standards that outline the APIs and protocols for open, interoperable key exchange among disparate key management systems. This is good news for end users and a key pivot point as they scale and manage their secured storage environments.
NeoScale was among the first storage security vendors to respond to the challenges posed by heterogeneous storage security devices, each with its own key management system. With the launch of CryptoStor KeyVault in March 2006, NeoScale delivered an open, standards-based global key management system that provides a unified key management layer across disparate key management systems and heterogeneous storage devices. NeoScale continues to push for standards and interoperability within the storage security ecosystem.
Decru, a subsidiary of Network Appliance, is also a major player in global key management. In June 2006, Decru countered NeoScale with the release of its Lifetime Key Management appliance. At present, NeoScale and Decru remain the two main providers of open global key management appliances that can interoperate with disparate key management systems.
EMC remains the wildcard in the global key management space. With the acquisition of RSA Security in September 2006, EMC has access to RSA's powerful key management infrastructure and a broad portfolio of public-key cryptography and security products. To date, EMC has chosen to integrate RSA's capabilities into the Symmetrix product line for authentication and access controls, but not for encrypting data-at-rest. In fact, NeoScale remains a key partner for EMC in securing data-at-rest on EMC's storage systems.
Our end-user security survey confirms several hypotheses. First, compliance regulation and data privacy concerns are driving users to deploy storage security devices in increasing numbers—primarily for tape systems and, to a lesser degree, disk systems. Given the estimated cost of a security breach, the business case for storage security infrastructure is without question.
Second, the number of storage security devices is growing rapidly. However, end users have not standardized on a particular approach or vendor for securing data-at-rest.
In short, users are grappling with a heterogeneous environment of different encryption devices and key management systems that do not interoperate. As a result, end users, particularly those with more than 100 storage devices deployed, report increased frustration and management headaches in administering the keys and key management systems of these various devices.
With this environment in mind, global key management will evolve to become a non-optional element of any large enterprise's storage security infrastructure. Our recommendation to end users in charge of planning their storage security infrastructure is to carefully think through how they will scale and manage their tape and disk environments in light of the need to encrypt ever-increasing amounts of data-at-rest. Moreover, users should not be shortsighted and must consider how key management can be integrated into core storage workflows like disaster recovery. From our research, we believe that global key management will become an important fulcrum in end users' plans to ultimately scale and manage their storage environment effectively and efficiently.
Steve Norall is a senior analyst with the Taneja Group research and consulting firm.