Storage security becoming a priority

Storage administrators say that increased regulatory pressures and continued reports of security breaches are forcing upper management to look at new measures for protecting

Products meant to secure data have been available for years, mostly in the form of encryption available in standalone devices, software and, more recently, LTO-4 tape drives. But most users hardly paid attention until recent regulatory pressures prompted their organizations to focus on storage security.

"SOX [Sarbanes-Oxley Act] compliance was our priority first," said David Dulek, storage administration lead for Fastenal Co. Purchasing, a subsidiary of industrial and construction supplies manufacturer Fastenal Co. To become SOX-compliant, upper management must have detailed understanding of all IT procedures. Those processes exposed storage security to new scrutiny.

More on storage security
EMC's Coviello: 'Security vendors do not sell fear'

Startup accepts mission to destroy flash drive data

Cisco, EMC partner on SAN encryption

Storage switch startup burns out, turns to security
Fastenal is a medium-sized business taking its cue from larger companies that have been made headlines with data management and security snafus. These situations included losses of backup tapes at Citigroup and Bank of America Corp., and costly email retention blunders by Morgan-Stanley and Intel Corp. "If a handful of big companies start the trend, then smaller companies, like mine, take notice," Dulek said.

In the meantime, vendors keep churning out new data security products. This week, Hewlett-Packard Co. (HP) launched a key management system, the HP StorageWorks Secure Key Manager, a FIPS 140.2 compliant "hardened" appliance that includes active-active failover nodes, as well as path failover between the appliance and the network.

HP's marketing director, Patrick Eitenbichler, said that users have been reluctant to embrace the embedded encryption within LTO-4 tape products because of a lack of key management support to match. "Until very recently, encryption has been very easy, but decryption can be very hard," he said. "Until now, we've been almost recommending that our customers not start encrypting yet, given the situation with key management."

Users agree that key management has been a big factor in their failing to get on the encryption bandwagon, since "secure erase" and "unintentional deletion" of a file involve the same process -- losing or destroying an encryption key.

HP's key management system offers high-availability configurations and the keys can be backed up for extra protection. Still, Luke Kannel, senior Windows server specialist for information systems at a healthcare company in the Midwest, said he'd like to see more systems act like Microsoft Corp.'s Encrypting File System (EFS). EFS has a recovery agent set up for those "oops" situations.

HP said just backing up the keys is still the better approach. "An EFS-like recovery agent isn't necessary in the Secure Key Manager (SKM) solution -- the bottom line is, with either solution, once the key is lost the data becomes irrecoverable," wrote an HP spokesperson in an email to

For some users revisiting storage security, key management is moot. These users said they still aren't interested in security for security's sake. They're instead looking to improve processes and eliminate potentially risky technologies from their environments altogether, rather than adding a security layer to existing devices.

A user for a Fortune 50 company, who asked that neither he nor his company be named, said his organization had switched from off-site tape shipped via Iron Mountain Inc. to an internally managed EMC Corp. Clariion Disk Library and encrypted replication to a secondary location. This user shuns commercial prepackaged products whenever possible, relying instead on open source utilities or standards such as CHAP, a secondary layer of authentication for iSCSI systems supported by most IP SAN vendors.

Like so many other concepts in storage management, it all comes back to data classification -- identifying which data is at most risk and securing it accordingly. "I don't want to spend the money for the maximum protection on everything," Dulek said. "But that's where you run into the problem of knowing where data is but not necessarily what it is."

Tough as it may be, classifying data is necessary, said Enterprise Strategy Group analyst Brian Babineau . "IT people need to classify to cut up-front costs and identify the highest risk data," he said, and then they need to encrypt accordingly. "If there's human intervention in your data management process, there are going to be mishaps," he added.

Read more on IT for small and medium-sized enterprises (SME)