Safe and sound

27.03.2006
Vincent Fusca trusts his staff. But he can't take any chances. It's all about the money.

As operations director at Dartmouth Medical School's Center for Evaluative Clinical Studies in Hanover, N.H., Fusca oversees the handling of nearly 7TB of raw medical data from the Center for Medicaid and Medicare Studies. Programmers aggregate and refine the data down to data-analysis sets that researchers use to publish some of the most comprehensive comparative medical research in the U.S.

Fusca isn't aware of any attempted or successful security breach involving personal medical information during his tenure at the center. But the Health Insurance Portability and Accountability Act (HIPAA) requires the center to safeguard patients' personal data, and ignoring the regulation could mean losing millions of dollars in research grants.

So two years ago, the center purchased two encryption appliances (Decru DataForts, described below) that keep the data encrypted on disk until a researcher requests it from a secure desktop. Backups go to tape in encrypted form as well.

"We want to ensure that we exceeded the levels of security required by HIPAA so we never place our funding sources in jeopardy," Fusca explains.

On the radar

Like it or not, encryption will become part of most data at rest.

Companies of all sizes are exploring encryption because of a real threat of losing data or having it stolen, and because of government regulations such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and HIPAA, which require protection of Social Security numbers, credit card data and other sensitive information. None of these laws mandates encryption as such (HIPAA's security rule, for instance, lists it as an "addressable" safeguard rather than a required one), but encryption can provide an easy, blanket way to meet the protection requirement.

"First, we had the market leaders. Now, we're getting the midsize companies realizing that personal confidential information regulation is there to stay," says Eric Ouellet, a privacy and security analyst at Gartner Inc. Ouellet says he saw a tenfold increase in customer calls about encryption technology beginning in January 2005.

Security threats aren't confined to the backup tapes stored at off-site facilities anymore, though last year's highly publicized losses of tapes belonging to Bank of America Corp., Time Warner Inc. and Citigroup Inc. put a spotlight on the need for encryption. Laptops and databases need encryption too.

Still, organizations are reluctant to use encryption. In the Ponemon Institute's 2005 National Encryption Survey, only 4.2 percent of the nearly 800 companies polled said they have enterprisewide encryption plans. The primary reasons cited for not encrypting sensitive or confidential information were concerns about system performance (69 percent), complexity (44 percent) and cost (25 percent).

It's true that encrypting tapes using some types of backup software increases backup times, consumes more storage space and costs more money. But those arguments may be losing steam. A dizzying assortment of products were introduced last year, promising to make encryption better, smarter and faster. The bad news: A single encryption method can't be used in moving data from a laptop to off-site storage in most cases. The good news: Decryption has become simpler, and backup times have improved significantly, especially when using encryption appliances.

A successful encryption plan involves identifying the right data to encrypt, choosing only the encryption technologies that you need and managing encryption keys effectively.

"There is still no right way to apply encryption," says Jon Oltsik, an information security analyst at Enterprise Strategy Group Inc. in Milford, Mass. "It depends on what you perceive the risks to be and where the money is to solve the problem. Focus on figuring out one or two technologies that will take care of the biggest chunk of issues."

Here's a look at some of the newest encryption technologies.

Back-end appliances

Companies that want blanket encryption coverage on the back end before it goes to backup should consider appliances that sit between servers and storage systems and encrypt the data as it moves back and forth, says W. Curtis Preston, vice president of data protection at GlassHouse Technologies Inc., a storage services company in Framingham, Mass.

Specialized encryption appliances like Decru Inc.'s DataFort, which was acquired by Network Appliance Inc. last summer, and NeoScale Systems Inc.'s CryptoStor can run in storage-area network (SAN), network-attached storage (NAS), iSCSI and tape infrastructures. They encrypt data at close to wire speed, with little latency. Both vendors have also developed versions of their products that will encrypt backup tapes. Decru's offering encrypts NetApp storage, as well as EMC Corp., Hewlett-Packard Co., Sun Microsystems Inc. and IBM storage.

Fusca says encrypting and decrypting data goes unnoticed by users at Dartmouth. "When they get up on the analytical servers and start drawing data through either the tape library or the electronic storage through the DataForts, it is relatively transparent, and there are no discernable delays in accessing the data," he says.

Key management has been simplified. "Once we identify the appropriate client stations that are on the virtual private network that can draw requested encrypted data into their 'cryptainer' [a device that stores decrypted data on the desktop], it's relatively fast and painless for them," Fusca adds.

Appliances also have an edge over host-based software encryption when it comes to compression. Properly encrypted data looks random and can't be compressed, so a backup stream that was encrypted on the host forfeits the tape drive's hardware compression, typically a space saving of about 1.5 to 1. "These hardware devices have a compression chip in them, so they compress before they encrypt," Preston says.
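The ordering point is easy to see in code. The following Python is an added illustration, not from the original article or from any vendor named in it: it runs the same constructed, repetitive claim-style records through "compress, then encrypt" (what an appliance with a compression chip does) and through "encrypt, then compress" (what a tape drive's hardware compression sees after host-side software encryption). A one-time pad stands in for the appliances' AES; any sound cipher's output is equally incompressible, which is the only property that matters here.

```python
import os
import zlib

# Constructed sample backup stream: 2,000 claim-style records. Like most
# real backup data they are highly repetitive and compress well.
SAMPLE_RECORDS = b"".join(
    b"claim_id=%08d|provider=Hanover Clinic|dx=E11.9|proc=99213|amount=125.00\n" % i
    for i in range(2000)
)


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time-pad XOR. Stand-in for AES: the ciphertext of any sound
    cipher is indistinguishable from random bytes, so it will not compress."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def compress_then_encrypt(data: bytes) -> bytes:
    """Appliance order: squeeze the redundancy out first, then encrypt."""
    compressed = zlib.compress(data, 9)
    return encrypt(compressed, os.urandom(len(compressed)))


def encrypt_then_compress(data: bytes) -> bytes:
    """Host-software order: encrypt on the server, then let the tape
    drive's compression run over the (random-looking) ciphertext."""
    ciphertext = encrypt(data, os.urandom(len(data)))
    return zlib.compress(ciphertext, 9)


def compression_ratio(data: bytes, pipeline) -> float:
    """Bytes in divided by bytes written to tape; >1 means tape space saved."""
    return len(data) / len(pipeline(data))


if __name__ == "__main__":
    good = compression_ratio(SAMPLE_RECORDS, compress_then_encrypt)
    bad = compression_ratio(SAMPLE_RECORDS, encrypt_then_compress)
    print(f"compress-then-encrypt: {good:.2f}:1 tape space saving")
    print(f"encrypt-then-compress: {bad:.2f}:1 (ciphertext does not shrink)")
```

Running it shows the first pipeline saving a large multiple of the tape space while the second comes out slightly larger than the input (zlib adds framing around data it cannot compress). The same effect applies to deduplication, which also depends on seeing plaintext redundancy.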

Library-based tape encryption

In the highly competitive microprocessor market, protecting intellectual property is a serious concern, especially when sensitive data goes to an off-site storage facility.

At Advanced Micro Devices Inc.'s Longmont Design Center, IS manager Tom Dixon has been evaluating the beta version of Spectra Logic Corp.'s BlueScale environment for three months. Spectra Logic is one of two tape library vendors that have recently incorporated security into tape drive and tape library hardware. Quantum Corp.'s proprietary DLTsage architecture also offers a tape security feature at the drive level.

"Library-based encryption is a good idea for firms that need to lower the risk associated with sending tapes off-site," wrote analyst Galen Schreck in a January report for Forrester Research Inc.

The Spectra Logic product performs data encryption within the library using an enhanced version of its Quad Interface Processor board. Three months into his evaluation, Dixon says the hardware was "fairly easy" to set up. "You don't have to do anything on the host," he says. "They set up the library, and you set up your keys. That's the biggest headache. We haven't even talked about that yet."

The hardware's encryption keys are managed within the library and can be exported via a Universal Serial Bus flash drive or via an encrypted e-mail. The keys can then be imported into another Spectra library or used within a software decryption utility, in case no library hardware is available.

Library-based security has two big benefits over software-based alternatives, according to Schreck. First, there are no performance penalties. By embedding encryption in the tape subsystem, vendors can use encryption coprocessors to process the data stream at wire speed. Second, security functions are completely transparent to the software. To outside applications and servers, they behave just like a regular tape library. No external software or operating system support is necessary.

But it also means that the tape vendor is completely responsible for managing security. So customers should look for products with strong key- management features, like quorum-based recovery, integration with backup and recovery tools, and automated replication of keys to an escrow service or tape library at a disaster recovery site.

Laptop and 'edge' encryption

While encryption efforts focus on back-end and off-site storage tapes, Preston says fewer companies are implementing edge-level encryption methods, such as encrypting data on laptops. What's more, basic laptop encryption offers little protection.

"Most people use a Windows name and password. That becomes the key to encrypt the data. If someone actually stole your laptop to steal your data, that key would not stop them for very long," Preston says. A harder-to-crack, global key-management system for Windows exists as part of Microsoft's Active Directory infrastructure, "but not everyone uses it," he adds.

Laptop manufacturers like Lenovo Group Ltd. are incorporating encryption capabilities into their systems, and Microsoft Corp. will add encryption capabilities to the upcoming Vista version of its Windows operating system.

Don't encrypt everything

When it comes to assessing what constitutes "sensitive" data, most companies will find that there are only 8 to 12 pieces of information per record, on average, that need encryption, says Gartner's Ouellet. Depending on the type of business, this can include Social Security numbers, credit card information, financial records, health information, intellectual property documents or information about sexual orientation.

"Once you've identified what those bits are, you can choose what solution gives you the biggest carpet covering over the area," says Ouellet. He offers the example of a large retailer that performs online and telephone transactions and holds a lot of credit card information. Within the database, the most sensitive data should be protected.

"Pick the most sensitive fields and encrypt those. Don't encrypt everything, because you're going to kill the performance on the database or have other issues with searching and access," Ouellet says.

Also, keep track of sensitive data elements as they move throughout the process. "They go from one database to maybe a smaller database," Ouellet says. "Is there a way you can leverage centralized storage, like a NAS or SAN, where both databases store their information in the SAN? There's replicated data, but at least it can be protected using an encryption appliance."
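Ouellet's advice, in code, as an added example that is not the article's or Gartner's own: encrypt only the fields classified as sensitive, store a keyed "blind index" beside each ciphertext so equality lookups still work without decrypting anything, and leave the rest of the row in the clear for normal indexing. The field names, the sample rows and the HMAC-SHA256 counter keystream (standing in for AES-CTR so the example needs only the Python standard library) are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# The handful of fields per record that actually need protection.
SENSITIVE_FIELDS = {"ssn", "card_number"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256. Stand-in for AES-CTR;
    the per-value nonce and XOR pattern are the same."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, value: str) -> str:
    """Fresh random nonce per value, so equal plaintexts give different ciphertexts."""
    nonce = secrets.token_bytes(16)
    data = value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()


def decrypt_field(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def blind_index(index_key: bytes, value: str) -> str:
    """Keyed hash of the plaintext, stored next to the ciphertext. Equality
    searches hit this column; a separate key keeps it independent of the
    encryption key, so leaking the index key does not expose the data."""
    return hmac.new(index_key, value.encode(), hashlib.sha256).hexdigest()[:32]


def protect_record(enc_key: bytes, index_key: bytes, record: dict) -> dict:
    """Encrypt only the sensitive fields; everything else stays searchable as-is."""
    stored = {}
    for name, value in record.items():
        if name in SENSITIVE_FIELDS:
            stored[name] = encrypt_field(enc_key, value)
            stored[name + "_idx"] = blind_index(index_key, value)
        else:
            stored[name] = value
    return stored


def find_by_ssn(rows: list, index_key: bytes, ssn: str) -> list:
    """Equality lookup over the blind index: no row is decrypted to search."""
    needle = blind_index(index_key, ssn)
    return [r for r in rows if r.get("ssn_idx") == needle]


def reveal(enc_key: bytes, stored: dict) -> dict:
    """Decrypt a stored row back to its original form (drops the index columns)."""
    return {k: (decrypt_field(enc_key, v) if k in SENSITIVE_FIELDS else v)
            for k, v in stored.items() if not k.endswith("_idx")}


# Constructed sample rows; the people and numbers are fictional.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Patient", "city": "Hanover", "ssn": "123-45-6789",
     "card_number": "4111111111111111"},
    {"id": 2, "name": "B. Patient", "city": "Lebanon", "ssn": "987-65-4321",
     "card_number": "5500000000000004"},
]

if __name__ == "__main__":
    enc_key, idx_key = secrets.token_bytes(32), secrets.token_bytes(32)
    rows = [protect_record(enc_key, idx_key, r) for r in SAMPLE_ROWS]
    print(rows[0])                                   # ssn/card are hex blobs, city is clear
    print(find_by_ssn(rows, idx_key, "987-65-4321"))  # finds row 2 without decrypting
```

The trade-off a practitioner should note: the blind index reveals which rows share a value (two records with the same SSN get the same index), and it only supports exact-match lookups, not range or substring queries. That is the price of keeping the sensitive columns encrypted while the rest of the table stays fully indexable.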

Few shortcuts for persistent encryption

Although encryption strategies exist for laptops, databases and backup tapes, transferring encrypted data from one storage level to the next remains a sticking point. In most cases, data must be decrypted and re-encrypted as it travels from one resting place to another.

"There are some solutions that bridge a couple of the different areas, such as laptop encryption and e-mail," Ouellet explains. "But as far as persistent encryption across the network -- not right now. "

A few vendors, including RSA Security Inc. and nCipher Corp., offer key management software that could exchange keys between applications from the same vendor. But that technology is in its infancy, Ouellet says.

Enterprise digital rights management (DRM) technologies have the potential to streamline this process. DRM offers persistent encryption and security, and rights activity that is defined as part of the file itself. "There's a tag that's assigned to the file. If I want to view or print the file, I have to validate that I have the proper access rights for that activity," Ouellet says. DRM becomes even more important if companies need to distribute protected documents beyond the enterprise. Microsoft and Adobe Systems Inc. are developing DRM products. Adobe plans to ship its LiveCycle Policy Server in the third quarter of this year.

"In five years, DRM is going to be the most pervasive way to protect your data," Ouellet says. "Until then, there is no hybrid right now that covers everything. You're going to have different areas that are covered with different types of technology."

Sidebar

How long will it be safe?

Even with all the new encryption technology, vulnerabilities still exist. Cryptographic hash functions once thought to be safe, such as MD5 and SHA-1, have since had collision attacks published against them (SHA-256, often mentioned in the same breath, has not been broken). How long will today's 3DES or 256-bit AES keys last?

"With any encryption algorithm, at some point there will be enough number-crunching capacity to work through it," says W. Curtis Preston, vice president of data protection at GlassHouse Technologies.

Using the fastest computers on the planet, how long would it take to try every possible key and recover the data? "With 40-bit encryption, the answer is a couple of weeks," Preston says. Some people believe that 3DES, whose 168-bit key gives an effective strength of roughly 112 bits, will become obsolete within five to 10 years. "But right now, it's fine," he says. "AES 256 goes an order of magnitude beyond that.

"As long as you're using something at or beyond 256-bit encryption," Preston adds, "you're fine."

Sidebar

Encryption decrypted

A glossary of common storage-encryption terms:

Sensitive data. Depending on the type of business, sensitive data can include Social Security numbers, credit card information, financial records, health data, intellectual property documents or information about sexual orientation. Most companies will find an average of 8 to 12 data elements per record that need encryption. The difficulty is locating every place where that information is stored.

Encryption appliance. This hardware sits between servers and storage systems and encrypts data as it moves back and forth. Many of these appliances can run in SAN, NAS, iSCSI and tape infrastructures. They encrypt data at close to wire speed with very little latency. In comparison, encryption software on servers and in storage systems slows backups.

Library-based tape encryption. Security features embedded in tape drive and tape library hardware are often used when data is stored at an off-site facility. Encryption co-processors process the data stream at wire speed as it enters the library. Security functions are completely transparent to the software. No external software or operating system support is needed. But it also means that the tape vendor is entirely responsible for managing security.

Edge encryption. This includes encrypting data at the point of entry on laptops, handhelds and desktop PCs. Basic encryption that requires a username and password offers little protection, but it's better than nothing, say industry watchers. A global key-management system for Windows offers better protection. Some laptop manufacturers are incorporating encryption capabilities in new models.

Enterprise digital rights management. This is the next big thing in key-management technology. Still in its early stages, DRM offers the potential for persistent encryption and security as data travels from laptop to e-mail, database and storage tape by assigning access rights to the file. DRM becomes more important as companies distribute protected documents beyond the enterprise to partners and vendors.

Quorum-based recovery. This is one of three key-management approaches that companies should consider. Quorum-based recovery requires a group of three to five administrators to grant permission before encryption keys can be recovered. Encryption specialists also advise that tape libraries shouldn't have to maintain the mapping of keys to tape volumes. This method adds another point of management and complicates long-term key escrow. It's also important to automatically replicate keys to an escrow service or tape library at a disaster recovery site for fast data recovery in case the originals are lost.

Data compression. Appliances have an edge over host-based software encryption when it comes to compression. Properly encrypted data looks random and can't be compressed, so a stream encrypted in software forfeits the tape drive's hardware compression. Encryption appliances have a compression chip in them, so they compress before they encrypt, preserving a tape space saving of about 1.5 to 1.

Collett is a Computerworld contributing writer. Contact her at stcollett@aol.com.

Chart: Backup bollix. Survey question: "Are you currently encrypting your backup data?" Base: 300 companies surveyed. Source: GlassHouse Technologies Inc., October 2005. (The response figures are not included in this version of the article.)