Storage Managers Struggle With Security Demands
ORLANDO, FL. Perhaps the biggest surprise at this week's Storage Networking World was just how central the role of security has become, as storage managers are increasingly pressed into service to plug data leaks and ensure compliance with data protection regulations (see Storage Becomes the Center of the Security Storm).
EMC boosted its storage security offerings; HP, IBM and Vormetric unveiled encryption key management products; and Seagate, IBM and LSI promoted disk drive encryption. And those were just a few of the announcements between this week's SNW and RSA conferences.
A tutorial at SNW by Roger Cummings of Symantec illustrated how storage managers can eliminate much of their vulnerability by using the right technologies for encryption. Cummings defined encryption as the conversion of plain text to encrypted text with access only by authorized users. He outlined a number of methods for protecting both data at rest and in flight, including encryption/decryption built into tape drives, and disks that encrypt data before storing it on media.
Cummings outlined a nine-step checklist for encrypting data at rest, beginning with understanding the reasons for confidentiality and working closely with legal counsel and company executives to identify regulatory obligations and develop IT strategic plans. Activating encryption is the last step, after classifying and inventorying assets, performing data flow analysis, encrypting as close to the source as possible, designing the solution with a focus on demonstrating the chain of evidence, and beginning data realignment to implement the solution.
Deploying fabric-based encryption was the recommendation of Roger Bouchard of Brocade, who said this approach reduces complexity by using a common method for encrypting all types of data residing on any storage device connected to the storage area network (SAN).
Consultant Richard Austin recommended that managers focus their storage security efforts on data leaving a storage manager's control, including data stored on removable media, data held in untrusted third-party data centers, which must be protected both in flight and at rest, and data transferred between trusted data centers, which must be encrypted in flight. Austin maintained that encrypting data at rest is a measure of last resort, requiring careful planning and methodical implementation.
The importance of a key management strategy generated considerable audience interest in a session led by Walt Hubis of LSI. Hubis recommended a series of best practices to deploy key management, including limiting the use of data encryption keys, enforcing strict access controls, and disposing of keys when no longer needed.
SNW attendees also got hands-on practice in using a software approach to encryption, performing hardware encryption with keys provided by the backup application, and reading tapes encrypted by one drive in another drive.
Protecting data is also a top priority for storage managers because of the potential for stiff fines for failing to produce data in e-discovery cases, according to David Stevens of CMU. In a session on the December 2006 changes to the Federal Rules of Civil Procedure (FRCP), Stevens discussed the need to preserve, to the best of a manager's ability, all the details of the original electronically stored information (ESI), if not producing the original itself. He said a company (and its storage manager) may be requested to produce ESI even if it is not a party to the litigation.
He recommended creating and following a company's data/ESI retention policy, including auditing compliance with the policy, knowing where data resides, knowing how to preserve ESI, and maintaining a chain of custody for the data. Stevens reminded attendees that at least 37 U.S. District Courts now require compliance with specialized local rules, forms and guidelines addressing the discovery of electronically stored information.