According to the Identity Theft Resource Center, there were 656 known data breaches that exposed nearly 35.7 million records last year. These breaches occurred at businesses, financial institutions, medical facilities, educational institutions and government agencies.
The main cause of the breaches? According to ITRC, only 2.4 percent of the organizations that experienced a breach had encryption or other strong protection methods in use, and only 8.5 percent of the breached information was password protected.
So why aren’t more organizations password protecting and encrypting data? Some are complacent, while others falsely believe their data is already properly protected. Another is that some organizations fear having to spend large sums of money and time on new software or hardware to properly encrypt data.
Yet increasingly the monetary and public relations cost of having — and having to report (now required by law in most states) — a breach is so high that it behooves organizations to implement rigorous data protection policies and standards. And these policies and standards needn’t be complex or expensive.
So while data storage vendors like Sun (NASDAQ: JAVA), EMC (NYSE: EMC), HP (NYSE: HPQ) and IBM (NYSE: IBM) debate encryption key management standards, here are some steps you can take to protect your data now.
Start With a Good Data Protection Policy
Indeed, security expert Adam Levin, chairman and co-founder of Identity Theft 911, argued that a good data protection policy involves just five things:
- Instituting good security and privacy policies for collecting, using and storing sensitive information.
- Using strong encryption when storing information on computers and laptops.
- Limiting who has access to sensitive information.
- Safely purging old or outdated sensitive information.
- Having an incident response plan in case a breach occurs.
In addition to the above, Levin also suggested that organizations have firewalls, anti-spyware and antivirus protection in place and kept up to date; refrain from using wireless networking technologies (WiFi); and truncate data so that sensitive information is not used where it is not needed.
But the most important thing, he reiterated, was to “make sure you have secure, encrypted ways of obtaining and storing sensitive information — and employ encryption protocols and encrypt all sitting data.”
Encrypt, Encrypt, Encrypt
The Trusted Computing Group (TCG), an industry organization that develops specifications for computing security across the enterprise, also believes that good encryption is essential for properly protecting data. Data protection vendors have taken note and are busy developing new and improved software- and hardware-based encryption solutions, on both the client (such as laptops and USB drives) and enterprise level.
In December, BitArmor, for example, announced the release of its BitArmor DataControl software version 3.2, an information-centric security solution that uses full disk encryption and persistent file encryption to directly protect data rather than the devices or network used to access it. Last month, the company pledged to refund the entire purchase price of its software if BitArmor-protected data was breached (though not necessarily the costs involved with any lost or breached data), it was so confident in its approach.
“Full disk encryption is important front-line protection,” stated Patrick McGregor, the co-founder and CEO of BitArmor, especially with more and more employees using laptops and USB drives, which are easy to steal or lose. And while you can use self-encrypting USB drives to protect that data, those drives can be expensive, said McGregor. That’s one of the reasons why BitArmor took a software-based approach.
Instead of deploying separate data protection solutions for PCs, laptops, USB drives, e-mail attachments, application servers, storage servers and various networks, BitArmor says its software lets organizations protect and manage all data with one product, eliminating the need for multiple point solutions for data security and data management. With this approach, data doesn’t have to be decrypted and re-encrypted as it passes from device to network and vice versa. And because it is now centrally managed, data can be more easily tracked throughout the enterprise.
— Jon Oltsik
BitArmor’s approach has already attracted at least one fan in the analyst community. “BitArmor approaches the data protection problem in a unique way, i.e., by embedding protection policies with the data itself, and not by protecting just the devices where data resides,” said Jon Oltsik, senior analyst at Enterprise Strategy Group. “I strongly believe this information-centric approach is the future of data protection.”
Yet BitArmor’s is far from the only approach.
The Encrypt Keeper
In late January, the Trusted Computing Group released final versions of three storage specifications — one designed for PC clients, one designed for data center storage, and one that focuses on interactions between storage devices and underlying SCSI and SATA protocols — that it said would “enable stronger data protection, help organizations comply with increasingly tough regulations and help protect important information from loss and left.”
These new specifications are important, said Robert Thibadeau, the chair of the Trusted Computing Group Storage Work Group and chief technologist at Seagate Technology (NASDAQ: STX), because they “give vendors a blueprint for developing self-encrypting storage devices (such as hard drives) that lock data, can be immediately and completely erased, and can be combined with the Trusted Platform Module … for safekeeping of security credentials.”
And already several vendors, among them Seagate, Hitachi and Fujitsu, are busy developing self-encrypting hard drives for both the client and the enterprise.
The advantages of using self-encrypting drives (built around the TCG’s Enterprise Security Subsystem Class Specification for data center storage) are manyfold, said Thibadeau. One, the drives can be easily slotted into RAID units or SANs, and also used on the client level in laptops. Two, “the concept provides an enormous increase in the transparency and ease of use around encryption.” And three, “by pushing encryption into the drive, you never have to actually manage encryption software or an encrypting controller, and have simplified and greatly reduced the total cost of ownership around putting encryption into the data center.”
The drives also solve the problem of protecting data at rest (when drives are unplugged or powered down) as well as the need to safely destroy data.
The Data Destruction Dilemma
On the topic of safely destroying data, what Thibadeau refers to as cryptographic erase, not only can self-encrypting hard drives make the process easier, it can make destroying data faster and also more cost-effective.
“A lot of data centers have gotten used to full-out destruction of drives,” said Thibadeau. “They’ll just put the drives into a macerator and grind them up into little particles when they want to decommission a drive. With the cryptographic erase, they don’t have to do this. They can repurpose the drive. And the time it takes to erase the drive is on the order of milliseconds, as opposed to a couple or three hours.”
But what about the cost of purchasing self-encrypted drives? According to Thibadeau, the costs are relatively small. “If you go to TigerDirect and type in ‘Black Armor,’ for $60 you can get a 160GB self-encrypting drive from Seagate,” he said. “And if you’re repurposing drives, you don’t have to buy new drives.” So right there is a potentially large cost savings.
And for those administrators concerned about a performance hit, Thibadeau said there isn’t one. “Unlike most of the other solutions you’ll see out there, the I/O speed of the drive is unaffected by whether it’s encrypting or not. The drive’s just reading and writing just like a normal drive that’s not encrypting, though in fact it is.” That’s the beauty of it, he said. “It acts just like a regular drive, unless a thief gets a hold of it.”
And if, by some chance, a thief does get a hold of it? “Without a good cryptographic key that unlocks it, the likelihood would basically be zero” that someone would be able to unlock the data, he said. “It’s impossible to do it. Even at Seagate we don’t know how you would do it.”
The real problem with encryption, at least in the past, Thibadeau said, was the management of it. The more difficult a system or data is to manage, the greater the chance a mistake will be made and information exposed.
“If the world were perfect and everyone was doing everything perfectly, things like software encryption and controller encryption would work,” Thibadeau said. But “people make mistakes.” And if organizations don’t use self-encrypting drives, when somebody swipes a drive from a data center, truck or laptop, the information is exposed. Whereas if the data has been stored on a self-encrypting drive, the information is useless if stolen. It can’t be decrypted. The self-encrypting drive makes the problem of properly encrypting and destroying or erasing data go away.
As for availability, vendors are currently only shipping client-level drives, typically with laptops. However, Thibadeau expects that a number of major vendors will be announcing the release or availability of enterprise-level drives in the next three to six months.