Storage Becomes the Center of the Security Storm

ORLANDO, FL. — Enterprises are at a “critical intersection,” according to NetApp’s Tim Russell, as they balance the challenge of meeting data protection mandates while simultaneously keeping IT costs down and service levels up.

Speaking at a Storage Networking World session on Monday, Russell, vice president and general manager of NetApp’s storage security business unit, warned that the balancing act may only get tougher, since business and regulatory demands are both growing at a rapid clip.

As a result, companies must realize that “perimeter” security approaches no longer work — and that they must adopt technologies like data encryption.

“The perimeter was once just the firewall, now it is moving closer to the storage environment,” Russell said. “If you’re not doing security there, you’re going to have trouble because you’re all letting more people into your networks and giving them more data access, and security has to be in place.”

Russell said one recent study found that 75 percent of all data loss incidents are tied to human error. He also said IT is responsible for 30 percent of “inappropriate” data loss — ranging from misplaced memory sticks to failing to fully scrub data from laptops before disposal.

Data security was also cited as the top priority for 2008 by IT pros in a recent Enterprise Strategy Group study.

One reason that IT staffs have data protection on their minds is a growing number of security and data breach notification regulations that are forcing companies to shore up their efforts to safeguard data.

“We see research that clearly indicates security breach notification laws are working, and best practices in securing confidential data, whether it’s active or stored, is helping to keep security tight,” Russell said.

But, he noted, there is still a long way to go. Many enterprises aren’t even using encryption technology, which he described as the foundation of storage security.

State and national governments here and abroad aren’t satisfied with company security approaches. Lawmakers in both the U.S. and the UK are pushing new mandates into the pipeline. A privacy commission in England wants criminal offense penalties to be unlimited in scope for companies that suffer repeated and egregious breaches.

Massachusetts, for example, recently adopted a new data breach law, making it the thirty-ninth U.S. state with such a regulation in place. When it goes into effect in October, the law will create new compliance obligations for companies when personal information about residents goes missing or is improperly accessed or released.

Unfortunately, most businesses wait for a breach to happen before stepping up to the plate and protecting data, Russell said.

What many don’t realize, he told his audience, is that not only do they risk brand-name damage and potential customer loss, they’ll also pay more than just fines.

A Gartner study reports that a record breach can end up costing $90 per customer account — which can be a hefty sum when hundreds of thousands of data files go missing. A Forrester report pegs the cost even higher, at $305 per record. In comparison, Russell said, the expense of encrypting a customer data file is just $6 on average.

“There are significant costs for not protecting data,” said Russell. “Encryption is the key and it can be done many ways, from the application to the storage level.” Gartner, for one, recommends that enterprises combine database monitoring with media encryption.

Enterprises have to start asking themselves some serious questions, such as what the internal and external risks are, what the potential damage would be if data were released, and when access processes were last reviewed.

Given the myriad of new rules expected, data protection and compliance programs have to be multifaceted with strong encryption and encryption key management in place.

“Our jobs will only be getting more difficult from a storage perspective. There must be a defense in depth,” Russell said in an interview.

Article courtesy of

Judy Mottl
Judy Mottl is an experienced technology journalist who has served as a senior editor, reporter, writer, and blogger for InformationWeek, Investors Business Daily, CNET, and Information Security Magazine, as well as other media outlets.
