The emergence of laws and regulations requiring data protection and retention have spurred the adoption of storage technology in recent years. The twin regulatory requirements of long-term record storage and rapid discovery of relevant records have been the primary drivers, and e-mail archiving solutions and SATA magnetic WORM arrays have been the technologies to answer the call.
Just as high-profile accounting scandals and stiff fines for missing e-mails brought these requirements home to IT professionals, the current buzz over identity theft and misplaced consumer data is likely to make data security a growing concern among regulators and storage professionals in industries that collect consumer data. Indeed, Congress and some 28 states are currently weighing tougher data security laws.
Security holes are security holes, whether they violate regulations or not. But in any evaluation of risk, the possible exposure of regulated data has to count as a more expensive proposition than the exposure of the same data were it unregulated.
Jon Oltsik, senior analyst at Enterprise Strategy Group, sees vulnerabilities in corporate storage being addressed, but perhaps with the help of added regulatory and legal incentive. Vulnerabilities, says Oltsik, "will be closed either by sound practices and sound policies within the corporate environment, or by legislation."
Don't Wait for Mandates to Plug Holes
Oltsik urges a heads-up approach to data security, even in the absence of compliance demands. Says Oltsik: "In the short term, it's important that companies do storage security assessments, understand where their vulnerabilities are, and close those vulnerabilities as soon as they can."
Ed Valdez, Sun's vice president of solutions marketing, sees a positive impact on data security practices brought about by customers' awareness of security and privacy issues. "Regulations, Sarbanes-Oxley and others, have made data more secure," he says.
Valdez's co-worker, Marci Weatherford, Sun's compliance solutions marketing manager, sees the positive impact, but also describes an industry in transition. "With some of the deadlines, specifically around Sarbanes-Oxley, a lot of [companies] were very reactive, very tactical in their approach," she says. "What we're seeing now is a coming up for air, a desire to be more strategic, to be more inclusive in their strategy." And high on the list of strategic concerns is data security.
Encryption appliance maker NeoScale has a customer base that reflects the impact of regulatory compliance on data security. According to Dore Rosenblum, vice president of marketing at NeoScale, virtually all of the company's customers have compliance concerns. Government customers excepted, "100% of our enterprise customers are probably dealing with some sort of regulation, be it HIPAA, GLBA (Gramm-Leach-Bliley), Sarbanes-Oxley, or something like that which is driving some of the need for our solutions," says Rosenblum.
California Crafts a Compliance Template
The regulations Rosenblum cites have privacy and access control components, but none of these regulations explicitly require encryption. The law that goes the furthest toward that end may be California Senate Bill 1386, which requires the protection of personal information. SB 1386, also known as the California Database Breach Act, requires that California state agencies, and all companies which store personal information of California residents, promptly disclose any unauthorized access to this information. Companies that encrypt this data are exempt from the potentially damaging disclosure.
Peter Gerr, senior analyst at Enterprise Strategy Group, calls SB 1386 "a regulation that has wide-ranging implications." Gerr adds, "I would view SB 1386 as a precedent, as a blueprint, and not unlike other regulations that affect the commercial markets, but one that now has drilled down to the individual consumer level."
SB 1386 already has national implications, as it applies to any company that conducts business in California and stores the personal information of California residents. It's hard to imagine a large corporation doing business nationally that wouldn't meet this criterion. But the national implications may some day become explicit.
Sen. Dianne Feinstein (D-Calif.) has repeatedly introduced legislation that would apply the privacy protections of SB 1386 on a national level. Feinstein's latest identity-theft bill — introduced on Monday — is tougher than SB 1386 and removes protection for encrypted information. Were this version to become law, compliance efforts might see a shift in focus from data encryption to stronger access control.
As with SB 1386, the national act would require government agencies or businesses to notify individuals if their personal information was compromised, but this time, encrypted data wouldn't be exempted. The national law would carry with it financial penalties, up to $50,000 per day. This is unlike SB 1386, which relies primarily on the threat of civil suits to keep companies in line.
Oltsik thinks that some national adoption of SB 1386 is likely, "I do believe that that model will be replicated. If not in a standalone regulation, then it will become part of HIPAA, become part of GLBA."
Encryption of Data at Rest
Indeed, just weeks ago, banking regulators approved rules that require U.S. banks and other financial institutions to notify customers when personal information may have been subject to unauthorized access. Those rules don't explicitly exclude encrypted data, but they do have a provision that allows banks to forego notification if they conclude that misuse is not "reasonably possible," which would presumably include data protected by strong encryption. It's instructive to note that the agency guidance includes numerous references to SB 1386 made in comments.
Regulatory focus on the protection of personal information translates to increasing interest in encryption of data at rest. The nature of the information causes a shift in data security strategy, according to NeoScale's Rosenblum. The emphasis, says Rosenblum, is "moving from [protecting against] traditional attack, where I was worried about the outsider coming in and getting to my data, to one where everybody's an outsider, and I'm needing to protect the information."
Gerr expects that data-at-rest encryption will eventually find its way into major regulations. Acknowledging the securities industries lead on compliance issues, Gerr says, "the SEC and the NASD are at the forefront of regulatory bodies in terms of enforcement of regulations. But one thing they missed is the threat to information at rest."
Vendors aren't waiting for further regulations. IBM recently brought encryption to its DR550 archive by bundling Tivoli Storage Manager V5.3. Kasten Chase rolled out an encryption solution for CAS archives such as EMC Centera.
But data security is a many-layered issue, and ultimately, responsibility lies in the hands of those that deploy these devices. Once the data on the disks is encrypted, keys must be maintained.
Says Al Stuart, chief strategist for IBM Compliance and Data Retention Solutions, "To do encryption at rest, the big issue is who's going to do the key management?" And if keys are maintained on the device, what if someone wheels the unit out the door? Cautions Stuart, "If the customer does not provide some physical security for these devices, then [they] could easily be non-compliant."
Encryption does not necessarily have to be applied on the archiving device. It can be part of the application, or a function of the database server. "There will be an increasing penetration of encryption technology," says Oltsik. "I just can't say that it will be at the storage tier vs. other tiers of the technology stack."
Wherever they're implemented, encryption and other data security strategies are likely to become more important, as regulators inevitably seek to better protect consumer data.
For more storage features, visit Enterprise Storage Forum Special Reports