Data Breaches Keep Piling Up. Does Anyone Care?
Leaks, spills and hacker attacks It seems hardly a day goes by without some major data loss incident affecting the IT community.
According to Fred Moore, an analyst at Horizon Information Strategies in Boulder, Colo., more than 54 million identities have been stolen to date and an estimated 19,000 more identities are stolen each day. Companies on average are spending 1,500 hours per incident at a cost of $40,000 to $90,000 per victim, he says.
"Recent news coverage has shown how confidential customer information can be seriously compromised when unencrypted data is lost or stolen, either by physical media loss or from malicious spyware," says Moore. "The increasing number of data loss causes has taken data protection, data security and DR technology to unprecedented levels."
For a real eye-opener, take a look at the roster of data loss incidents at www.attrition.org/dataloss. This list gives the specifics of the millions of stolen identities Moore mentions. And the pace of these incidents seems to be accelerating, if the start of this year is any indication. According to Attrition.org, about 2.2 million records were compromised in January 2007. That included more than a million by the Chicago Board of Elections.
Yet the more such stories break, the more they appear to be taken in stride. That has caused some to wonder: Is the industry waiting for the storage equivalent of an Exxon Valdez or Chernobyl before it takes comprehensive action?
"We have yet to see major denial of service or virus attacks on storage infrastructures to the point where information access is crippled," says Ashish Nadkarni, a consultant at GlassHouse Technologies. "Storage is still treated as the 'dumbest' piece of the entire stack, so even if information is stolen from databases, it is often done so by exploiting weaknesses at the application layer."
Nadkarni believes that only when the world of storage receives such a large-scale exposure will we see storage vendors rolling out products that incorporate security features that are over and above the existing stack. Such products will likely introduce an access, authentication and authorization layer between the storage and server resources.
"This will result in the redefinition of the word 'trusted' in the same manner that a server or user is trusted on the internet," says Nadkarni. "The technology is there, just not implemented. For example, EMC's acquisition of RSA enables them to use RSA's patented algorithms."
So what technologies and processes are companies adopting/considering to make stored data more secure?
"The two I see are tape encryption and improved access control for storage administrators," says Jon Oltsik, a security analyst at Enterprise Strategy Group. "Disk encryption is a niche and will continue to be."
He points to the recent EMC Symmetrix security announcements as an example of access control upgrades being implemented by vendors.
Moore, though, has a slightly different take.
"The latest systems will use hyper-firewalls, advanced encryption and, eventually, biometrics," says Moore.
Moore and Oltsik both highlight encryption as a vital technology to deploy. This is supported by a recent study by the Ponemon Institute of Elk Rapids, Mich. In addition to calculating the average cost of a data breach at $182 per compromised record, or an average total of $4.8 million per incident, the study also looked into the degree of deployment of encryption in organizations.
The survey found that 66 percent of respondents had some type of encryption strategy, and 16 percent had enterprise-wide strategies. In addition, organizations are seeking a platform approach. A platform enables organizations to centrally manage and deploy multiple encryption applications with consistent policy enforcement.
"As expected, leading IT organizations with the most effective security programs are those at the forefront of strategic planning and use of encryption," says Larry Ponemon, chairman of the Institute. "Such organizations are significantly more interested in a platform approach to enterprise encryption."
PGP Corp. of San Francisco, for example, offers the PGP Encryption Platform. This provides automated encryption services across multiple functions such as e-mail and disk lock down that can be managed centrally.
Another major player in encryption is NetApp's Decru unit. It has been working to expand its technological capabilities, and has also been at work on storage security standards. Kevin Brown, vice president of marketing at Decru, reports that most of the specific vulnerabilities for encrypting stored data relate to patterns that remain across multiple data blocks or files. Decru DataFort appliances now use AES-256 encryption algorithms. These are more secure than alternatives and are approved for use in high-level government installations. A technique called "tweaks" is applied to ensure that any two blocks or files with the same cleartext data will produce different ciphertext.
"This helps prevent a range of attacks unique to data at rest, such as 'cut and paste' or 'chosen text' attacks," says Brown. "Decru contributed a number of these ideas to the IEEE's Security in Storage Workgroup (SISWG)."
Decru has also been working with the American National Standards Institute's (ANSI) T10 group on mechanisms for handling encryption keys within the SCSI storage protocol. The basic idea is to enable communication with simple storage devices that speak the SCSI protocol, but may not have out-of-band connectivity such as Ethernet. Early drafts of an encryption standard proposed the transmission of keys in cleartext across the network, which opened up security holes. Decru made an updated proposal, including secure key transmission mechanisms, which was recently accepted as an addition to the T10 draft.
While Decru and other vendors work with standards bodies that will make it much easier to hook storage security tools together within a heterogeneous storage infrastructure, Brown cautions that complete interoperability may be a long way off.
"Keep in mind that the standards process lags several years behind market requirements and vendor implementations, and even the combination of all major standards efforts will only cover a subset of the required functionality," says Brown. "Ultimately, it will take partnership and alignment among leading vendors to produce the first generations of interoperable products."
Security Above All?
Moore concludes that data security is a primary requirement across the board for IT environments. Two aspects of security confidentiality and protection from data theft are provided by encryption technology. But a wealth of other technologies must be utilized to completely secure the entire storage infrastructure.
"Data protection has become the most critical piece of most IT strategies," says Moore. "This will make the data security business much larger than the disk and tape industry combined by 2008."