Storage encryption: Which UK compliance requirements need storage encryption?

UK organisations are often required to have storage encryption, but which laws and industry regulations require it and how do you build compliance into a data security strategy?

Storage encryption is a requirement of many laws and regulations in the UK that seek to enforce data privacy and security. But which laws require compliance in terms of storage encryption from UK businesses, and what happens when one set of regulations conflicts with another?

In this interview, Bureau Chief Antony Adshead speaks with Mathieu Gorge, CEO of Vigitrust, about compliance requirements for UK organisations that specify a need for storage encryption and the things you need to think about in a storage encryption strategy.

You can read the transcript below or download the podcast on storage encryption.

Adshead: Which UK compliance needs dictate encryption for enterprise storage?

Gorge: First of all, in the UK we need to consider the Data Protection Act and the FSA [Financial Services Authority regulations]. Essentially, the DPA says that information needs to be kept safe and secure, which is part of the eight principles of the act.

So, what do they mean by that? It means that if your organisation is storing information belonging to customers, it needs to do that in a safe and secure way such that the integrity and availability of the data are limited to authorised people.

On the other hand, you’ve got regulations like those from the FSA, which mandate that information needs to be recorded, such as any type of call made by a consumer into your organisation. So if you use a call recording system which is linked to your SAN or any storage function on your network, then you need to make sure such data is kept.

On the other hand, industry regulations like PCI DSS say that if you are keeping information pertaining to credit card data, then it needs to be rendered unreadable as per requirement 3.4. And that’s where things start getting very interesting for the storage manager because the FSA [regulation] might be in conflict with the requirements of PCI DSS. On the one hand, you’re asked to keep information related to calls, which means you have to store it. On the other hand, on those calls you may have credit card data which has to be rendered unreadable.

In practice, what an organisation needs to do is to have a data classification strategy that will set out which data to archive and which data to store and that takes into account the legal requirements, the internal usage and will also be based on the CIA concept -- confidentiality, integrity, availability. The availability of data is [about] making sure the data is available to the right people at the right time. Integrity is achieved by looking at security solutions such as encryption for storage.

Adshead: What types of encryption can be used for enterprise storage, and how can organisations successfully manage encryption keys?

Gorge: I believe that most storage vendors will offer some level of encryption for the data that is being stored on them. Most encryption is based on triple-DES or AES, but the technology will move on and evolve, and that’s one of the things that organisations need to keep in mind.

The keys used to encrypt data are being changed on an ongoing basis, so there’s an element of key rotation; you need to make sure that you have a key management strategy that allows you to access the data in the long term.

It’s very important that IT, security and legal people work together to define which data your enterprise needs to store, where it needs to be stored and the level of encryption that’s going to be used.

Moving on from that, looking at five or 10 years down the road, how will you actually access that information? Your keys will have changed, so you need to ensure that you plan for any e-discovery request that might be thrown at you [and that you can] decrypt the data and not just show that you have it. You may be legally required to access the data and decrypt the data to answer any type of legal request.

Key management is really important, [but] you also need to bear in mind that if you work in several countries you may have different legal requirements to keep data. So, for example, in France they are talking about having to keep data for up to 99 years. We don’t know now what the technology is going to look like in 99 years’ time, but we do know it will have moved on from triple-DES and AES, so you need to ensure you’ll be able to access the data at any given time.

With this comes the idea of managing your storage environment, which also needs to evolve with the legal requirements for data discovery. So, it’s very important to make sure that if you use, for example, a trusted third party … that can manage those keys or the overall storage function of the enterprise for you, that you build into the contract a clause that forces them to manage the keys in a way that will allow you to comply with legal requirements in future.
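As an added illustration of the key rotation point Gorge makes above (example code written for this page, not from the interview or from Vigitrust), the Go program below stamps each stored record with the version of the key that sealed it and keeps retired key versions in the store, so a record written before a rotation still decrypts for a later e-discovery request; destroying a retired version is exactly what makes an archived record unrecoverable. The names (KeyStore, Rotate, Destroy) and the record layout are assumptions constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyStore keeps every key version ever issued; retired versions stay unless destroyed.
type KeyStore struct {
	keys    map[uint32][]byte // version -> 256-bit AES key
	current uint32            // version used for new writes
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[uint32][]byte{}} }
// Rotate issues a fresh random key and makes it the version for new writes.
func (ks *KeyStore) Rotate() uint32 {
	ks.current++
	ks.keys[ks.current] = make([]byte, 32)
	rand.Read(ks.keys[ks.current]) // crypto/rand fails by panicking, never with short output
	return ks.current
}
// Destroy drops a retired version; anything sealed under it becomes unrecoverable.
func (ks *KeyStore) Destroy(v uint32) { delete(ks.keys, v) }
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes, so neither call can fail
	g, _ := cipher.NewGCM(block)
	return g
}
// Encrypt: record = 4-byte key version || 12-byte nonce || AES-GCM output, version as AAD.
func (ks *KeyStore) Encrypt(plaintext []byte) []byte {
	g := gcmFor(ks.keys[ks.current])
	hdr := make([]byte, 4+g.NonceSize())
	binary.BigEndian.PutUint32(hdr, ks.current)
	rand.Read(hdr[4:])
	return g.Seal(hdr, hdr[4:], plaintext, hdr[:4])
}
// Decrypt looks up the version named in the record; a destroyed key fails clearly.
func (ks *KeyStore) Decrypt(rec []byte) ([]byte, error) {
	if len(rec) < 16 {
		return nil, fmt.Errorf("record too short")
	}
	v := binary.BigEndian.Uint32(rec[:4])
	if key, ok := ks.keys[v]; ok {
		return gcmFor(key).Open(nil, rec[4:16], rec[16:], rec[:4])
	}
	return nil, fmt.Errorf("key version %d no longer held: record unrecoverable", v)
}
```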
