ORLANDO, FL. — Enterprises are at a “critical intersection,” according to NetApp’s Tim Russell, as they balance the challenge of meeting data protection mandates while simultaneously keeping IT costs down and service levels up.
Speaking at a Storage Networking World session on Monday, Russell, vice president and general manager of NetApp’s storage security business unit, warned that the balancing act may only get tougher, since business and regulatory demands are both growing at a rapid clip.
As a result, companies must realize that “perimeter” security approaches no longer work — and that they must adopt technologies like data encryption.
“The perimeter was once just the firewall, now it is moving closer to the storage environment,” Russell said. “If you’re not doing security there, you’re going to have trouble because you’re all letting more people into your networks and giving them more data access, and security has to be in place.”
Russell said one recent study found that 75 percent of all data loss incidents are tied to human error. He also said IT is responsible for 30 percent of “inappropriate” data loss — ranging from misplaced memory sticks to failing to fully scrub data from laptops before disposal.
Data security was also cited as the top priority for 2008 by IT pros in a recent Enterprise Strategy Group study.
One reason that IT staffs have data protection on their minds is a growing number of security and data breach notification regulations that are forcing companies to shore up their efforts to safeguard data.
“We see research that clearly indicates security breach notification laws are working, and best practices in securing confidential data, whether it’s active or stored, is helping to keep security tight,” Russell said.
But, he noted, there is still a long way to go. Many enterprises aren’t even using encryption technology, which he described as the foundation of storage security.
State and national governments here and abroad aren’t satisfied with company security approaches. Lawmakers in both the U.S. and the UK are pushing new mandates into the pipeline. A privacy commission in England wants criminal penalties to be unlimited in scope for companies that suffer repeated and egregious breaches.
Massachusetts, for example, recently adopted a new data breach law, making it the thirty-ninth U.S. state with such a regulation in place. When it goes into effect in October, the law will create new compliance obligations for companies when personal information about residents goes missing or is improperly accessed or released.
Unfortunately, most businesses wait for a breach to happen before stepping up to the plate and protecting data, Russell said.
What many don’t realize, he told his audience, is that not only do they risk brand-name damage and potential customer loss, they’ll also pay more than just fines.
A Gartner study reports that a record breach can end up costing $90 per customer account — which can be a hefty sum when hundreds of thousands of data files go missing. A Forrester report pegs the cost even higher, at $305 per record. In comparison, Russell said, the expense of encrypting a customer data file is just $6 on average.
“There are significant costs for not protecting data,” said Russell. “Encryption is the key and it can be done many ways, from the application to the storage level.” Gartner, for one, recommends that enterprises combine database monitoring with media encryption.
Enterprises have to start asking themselves some serious questions: what are the internal and external risks, what damage would result if data were released, and when were access processes last reviewed?
Given the myriad of new rules expected, data protection and compliance programs have to be multifaceted with strong encryption and encryption key management in place.
“Our jobs will only be getting more difficult from a storage perspective. There must be a defense in depth,” Russell said in an interview.
Article courtesy of InternetNews.com