Is Stored Data Safe Data?

By Doug Bartholomew  |  Posted 2008-03-26

Chevron, the U.S. Department of Veterans Affairs, Bank of America, Time Warner, Marriott International, Northwestern University.

The list of companies, government agencies, and academic institutions that have suffered data breaches and data losses due to hacking, lost backup tapes, stolen laptops, and other data security mishaps goes on and on.

What’s surprising is not that these organizations suffered data breaches or losses. What’s surprising is that at most companies there persists an attitude of relative confidence that their internally stored data residing on servers or mainframes is secure.

But is "at-rest" data-- the kind residing on internal storage devices and not being sent across networks-- really secure? And in an Internet- and network-connected world, just how secure can that data really be?

With network, storage, and security becoming increasingly commingled in the enterprise, what measures can organizations take to improve the security of their internally stored customer, product and employee data?

To find out, Baseline enlisted a pair of leading data storage and security experts--  Benjamin Woo, enterprise storage vice president at International Data Corp., and Paul Proctor, research vice president at Gartner Inc.— to weigh in on some key questions on data storage and security for the enterprise.

Baseline:  Is data inside the firewall secure?

Woo:  Generally, I’d say yes. Basic directory services such as Active Directory and LDAP, for example, provide the necessary security measures for most companies to ensure that only the appropriate personnel can access the necessary information. LUN mapping provides a similar level of security for application security.

What it doesn’t address is data mobility. Once data is available to be accessed, it doesn’t stop users from taking it away with them on a thumb drive or by burning a CD/DVD. The only way to do that is to disable USB ports, and have diskless laptops and workstations. And frankly, that isn’t sufficient, because data can be emailed out of an organization.

This is perhaps the biggest hurdle facing the mobility of workers and the 24/7, anytime, anywhere access of data. Virtual desktop environments, such as VMWare’s VDI infrastructure and Citrix with Xen and other technologies, limit physical access, but this doesn’t address the email-ability of data.

Proctor:  There’s no such thing as ‘secure.’ It’s a question of whether it’s secure enough, and against which threats.

Organizations can’t protect themselves entirely, so they have to make good, defensible decisions so they have sufficient protection from reasonably anticipated threats. Based on the value of the data and the threats they are facing, this is going to be different for every organization. Most organizations recognize today that firewalls alone are not sufficient protection. 

Baseline:  What trends do you see evolving for keeping internal data secure?

Proctor:  Regulatory mandates like HIPAA, GLBA, and SOX and other demands like PCI prescribe several different types of controls to protect data inside the firewall. These include controls such as monitoring administrators, regulating access, segmenting the network, data loss prevention, stored data encryption, anti-virus, and having good policies, to name a few.

The major trends are focused on developing good governance and risk management. Organizations are improving the maturity of their programs so they can stop being reactive to security situations and become more proactive.  

Woo:  Existing data security measures continue to be the norm, although there is significant investment in time being made in taking a look at data encryption as an added form of security. I don’t see a trend toward mass adoption of encryption yet, although the desire to move that way is certainly very strong.

Baseline:  What should organizations do to ensure that their internally stored enterprise data is secure?

Woo:  The implementation of object- (read: file) based data encryption, augmented with enterprise-wide data access/mobility policies is the best form of protection. Greater efforts will be necessary by the industry as a whole to provide and enforce inter-enterprise policies.

Proctor: They should do a good risk assessment to determine the level of protection, identify threats and gaps, and develop a remediation plan. There is not one list of technologies that all companies should implement for all situations. They have to address the standard of due care and be able to pass their internal and external audits.    

Baseline:  Is encryption the best way to secure stored data, or is it overkill? What alternatives are available?

Proctor:  Encryption is a good way to secure stored data. But it comes at a great cost in many environments, at the expense of database/application performance, key management costs, and application development costs.

Encryption is not a panacea. In many cases enterprise-wide encryption is expensive overkill. Some alternatives would include classifying data and selectively encrypting high-value data, obscuring data in sensitive fields, managing access control, and monitoring administrative access.

There are dozens of possible controls. One of the more popular today is data loss prevention technology that can detect sensitive data-on-the-fly and encrypt it, or delete it as necessary.    

Woo:  Encryption can occur on many levels. In my non-network, non-security-oriented brain, object/file encryption is the best. However, it does come with severe costs: namely, that of key management. Alternatives such as full-disk encryption provide adequate protection, and at least in many of the implementations I’ve seen, require only minimal key management. The economic factor is not the cost of encryption, but rather the cost of not encrypting. If a file is encrypted, then by definition, it is inaccessible without the appropriate key(s). This approach is actually quite simple, but complex to implement. 

The most critical thing for our industry is that storage, network, and security functions are converging, and we must adapt to this convergence. The current virtualization trend only adds additional layers of sophistication and complexity.

There is no silver bullet in addressing this issue of data security. Each organization needs to do a loss analysis in order to properly ascertain the degree to which their data needs to be secured.