Encryption: the future of storage

By on
Encryption: the future of storage
Page 2 of 2  |  Single page

This kind of integration greatly simplifies encryption and decryption efforts and also centralises key management, without the performance impact typically associated with such endeavours, says John Rollason, product marketing manager for EMEA at NetApp.

"Very, very secure encryption - as defined by the Common Criteria - is something customers are looking for," he says. "Traditional security technologies focus on securing assets by protecting the perimeter, but that doesn't address secure storage, leaving data at rest vulnerable to attacks.

"Once these barriers are breached, data assets may be fully exposed - but not if they're encrypted. By making encryption easier, we're making storage security easier," says Rollason.

Other approaches include: hard-disk driver controller encryption, from suppliers such as PMC-Sierra and packaged within storage environment solutions from vendors such as EMC, HP and Sun; and switching fabric-based encryption, increasingly offered by networking companies such as Cisco and Brocade.

Both approaches have only been deployed in a few production environments, warns Ouellet.

The first approach is useful in document management environments where security professionals are concerned about the threat of hard-disk drive media theft; the second should be put on hold until "2008 road maps become 2009 deployable realities and the base of live customer deployments grows beyond mostly test sites and early adopters."

 Classification is key

The message is clear: encryption services that are built-in or integrated and require minimal administrative or user interaction, tend to be the most effective.

But none of these technologies is likely to be successful in deployment without a strong policy of data classification, warns Stuart Okin, UK managing director of IT security specialist Comsec Consulting.

"Organisations need to have a much clearer idea of the data they hold, its risk profile and what controls should be applied to it," Okin says.

"It may not be necessary to apply encryption to every piece of data in order to provide good security. Effective authentication and access control will be sufficient, in many cases, to limit access to sensitive data," he adds.

Think in terms of an attacker, he advises, and act accordingly. "What are the primary assets in your storage systems that might be important from an attacker's perspective - whether it's intellectual property or customers' credit card details? What would be their motivation to attack and what might be their likely entry and exit points into targeted components?"

What an information security professional should end up with by going through this ''threat modelling'' process, Okin says, is a good idea of where their organisation's key vulnerabilities lie and what needs to be done about it.

"Organisations that initiate data encryption projects and fail typically do so because they do  not have an effective data classification program," agrees Ouellet.

He says they should also remember that individuals who have authorised access to a system or files are also - under most deployment scenarios - automatically granted access to the cryptographic keys needed to decrypt them.

A data classification scheme, Ouellet says, should only be "as simple or as complex as warranted by the associated risks and value of the data". In other words, oversimplifying or overcomplicating a data classification policy will not provide adequate controls to mitigate the risks that face an organisation.

"The oversimplification of the classifications scheme often leads to inappropriate set controls being applied to mitigate risks. However, an overly complex classification scheme usually means the end-user will require extensive or enhanced training to effectively apply it," Ouellet says.

Finally, there's another key area to bear in mind, he says, as companies move to an era of disk-based information archive. That issue is digital shredding - a relatively new concept in non-military and government organisations, but one  gaining traction elsewhere.

At a high level, it describes several product categories, encompassing both appliances and applications, that erase specific data using scrubbing and "zeroisation" techniques, and also the practice of encrypting data and subsequent erasing of all copies and records of the cryptographic keys used.

"The term 'digital shredding' is very much a new concept that is rapidly becoming popular, particularly in environments planning on adopting hard-disk drives with built-in encryption capabilities," Ouellet says.

"When considering digital shredding, organisations need to develop stringent access control and audit policies regarding cryptographic keys, to ensure all copies are accounted for and destroyed during the shredding process; otherwise, the data may still be available to be read and may result in a disclosure incident similar to those associated with improper control of media containing sensitive information." And that, after all, is an issue no data-sensitive organisation can afford to ignore.

Previous Page
1 2 Single page
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
data centre encryption future of servers & storage storage the

Partner Content

Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Kaseya Dattocon APAC 2024 is Back
Kaseya Dattocon APAC 2024 is Back
Tech For Good program gives purpose and strong business outcomes
Tech For Good program gives purpose and strong business outcomes
Ingram Micro Ushers in the Age of Ultra
Ingram Micro Ushers in the Age of Ultra
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program

Sponsored Whitepapers

Dropsuite
Dropsuite
Avepoint
Avepoint
Aussie Broadband Wholesale
Aussie Broadband Wholesale
Superloop Partner Hub
Superloop Partner Hub
F5’s 2025 Report: Unlocking AI Success by Conquering App & API Complexity
F5’s 2025 Report: Unlocking AI Success by Conquering App & API Complexity

Events

techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025
techpartner.news Benchmark Security Awards 2025
techpartner.news Benchmark Security Awards 2025

Most read articles

Victorian NFP Trust for Nature hunts for MSP

Victorian NFP Trust for Nature hunts for MSP
ASIC sues financial services firm Fortnum, alleging inadequate cybersecurity measures

ASIC sues financial services firm Fortnum, alleging inadequate cybersecurity measures
How to choose once and choose right as Microsoft’s new CSP rules change the game

How to choose once and choose right as Microsoft’s new CSP rules change the game
Fair Work Ombudsman takes Microsoft Dynamics partner to court

Fair Work Ombudsman takes Microsoft Dynamics partner to court

Log in

Email:
Password:
  |  Forgot your password?