Cyphers and Storage


Every time a lost backup tape sends headlines screeching “data breach”, the market for security-conscious storage grows a little larger. But where do storage resellers start their security pitch? And how can they help protect their customers’ data?

There are numerous entry points for selling storage-related security, from password-protected hard drives to locks on the data centre door. However, for CEOs worried about making headlines for all the wrong reasons, there is an easy answer to safeguarding data: encryption.

Encryption bridges the gap between the two disciplines of storage and security, and is sold by resellers on either side. The technology has matured to the point where adding it to a customer’s infrastructure can be as simple as dropping in a single appliance, or it can involve a full analysis of information creation and workflow processes.

For resellers, encryption can be seen as a useful way of ratcheting up extra points on a hardware sale. But it also offers the opportunity to work closely with a customer on every part of their business, from content management through to HR.

Outside of government and finance, encryption has been slow to take off in Australia and is still in its early days. Despite some interest and several pilots, “there hasn’t been a huge number of companies doing (encryption),” said Mark Heers, product marketing manager at Network Appliance.

The situation is likely to change soon and rapidly, as credit card companies coerce their merchants into adopting greater levels of protection of credit card data.

Many Australian SMEs may be forced into upgrading their security requirements for data storage within the next 12 months. Storage resellers, especially those focusing on backup, need to decide whether to sell encryption themselves or leave it for the security specialists.

One driving force behind storage security in 2007 is the Payment Card Industry Data Security Standard (PCI DSS). Although four years old, the standard received a serious boost with the establishment of the PCI Standards Council in September last year, and credit card companies are pushing for compliance among the larger merchants. (See breakout.)

If the banks and the credit card companies aren’t convincing enough, the federal government may remove choice altogether. Legislation is under consideration that would require financial data to be encrypted when stored off-site.

“It creates a whole market to comply with overnight,” said Shane Moore, product marketing manager at EMC.

There are two types of customers for encryption, said Heers: those forced by regulation, such as finance, large retailers and government, and those with valuable intellectual property. The second set is a more complicated sell, as encryption needs to happen internally with a wider amount of data, not just for backup tapes moving offsite.

The pharmaceutical industry is particularly aware that staff can walk out the door to a competitor with trade secrets on a USB drive. But a surprisingly broad number of companies fall in this category, including manufacturing and software, and few have adopted the necessary security to avoid a breach.

Encryption is a fairly straightforward sell for storage resellers who can pitch it as another value-add feature, said Heers. However, to date, security resellers have had greater success at pitching the technology.

Heers said he believes there is a big space for storage resellers in tape backup to step in and make the encryption space their own. Services required include analysis of the data process as well as installation and configuration.

Studying the full data cycle then leads to other discussions about backup and disaster recovery.

Or, Heers said, storage resellers can sit back and wait for the legislation or a change in market behaviour over the next couple of months. Either way, Heers advises against dabbling.

“You can’t fit halfway in between,” he said.

Encrypting tape backup is a fairly simple process. Network Appliance’s Decru DataFort appliance sits in the data path between server and tape and encrypts everything that passes through it, according to rules determined by user and application.

The technology doesn’t come cheaply. A single appliance starts at $20,000 but can easily cost more than double that, and most companies buy in pairs for redundancy. Some larger financial institutions have bought tens of appliances, said Heers.

EMC encourages a more holistic approach based on digital rights and identity management software. A reseller implements a content management system that assigns rights to documents so that even if they leave the organisation’s network — such as by email to an outsider — the files can only be read by those intended.

This type of content management “is what most organisations are actually looking for”, said Moore.

Through its acquisition of RSA, EMC has a range of software that encrypts individual files or even certain fields within a database. A spreadsheet of employees could still be readable, but their payroll details encrypted.

Vectra is a security reseller that has been providing PCI compliance services over several years as one of a handful of qualified assessor companies under the PCI standard in the Asia Pacific. Its main business has been in network scanning services and network security, as well as managed security services around encryption such as key management.

Mike Ryan, Vectra’s director of corporate development, agrees that it is still early days in the encryption game, but that the focus has already changed.

In the past, the market for encryption was more concerned about data transmission over public networks. “The area that’s not had attention is the encryption of data from a storage standpoint,” said Ryan.

Encryption is a difficult sell for a number of organisations as the solutions aren’t expensive, said Ryan. A second factor is that credit card data can be stored on disparate systems, including mainframes, servers and desktops, which can complicate the job.

But the biggest difficulty is that encryption carries no competitive benefits from a business standpoint, said Ryan. “And that’s a challenge.”
