IT Management

In recent months, several major banks around the world have been hit with security breaches, requiring them to send their customers alerts and, in some cases, new debit cards. Whether due to hacking, disgruntled employees or simple loss of data tapes in transport, recent news stories have made it abundantly clear that most organizations aren’t doing enough to safeguard sensitive information. And financial institutions aren’t the only ones at risk. The Justice Department is the latest example of increasing security horror stories. 

Surprisingly, many companies are still perfectly comfortable handing their precious data tapes off to a low-wage worker, who transports them, along with hundreds of other clients’ tapes, to a huge offsite storage facility—leaving plenty of room for misplacement, loss, or sabotage. 

To alleviate fears of tape loss or theft, many companies now use a data vaulting approach whereby data is transmitted to a disaster recovery site over TCP/IP, eliminating the handling of physical tape. This transmission can be performed over public or private networks. In both instances, data should be compressed to reduce transmission cost and encrypted to prevent unauthorized persons from viewing the data if the transmission was hacked. 

Companies often prefer the encryption method because the data is immediately available at the disaster recovery site. If you have to wait for a records management company to retrieve the physical tape, the data may already be stale by the time you receive it. Restoring from virtual tape is also considerably faster than with physical tape. An added advantage of this approach is that if the disk sub-system at the primary site is completely lost, the data at the secondary site can be easily accessed from the primary site. 

To avoid these problems, companies have started to embrace virtual tape backup technology for replicating their data to a secure location. This elimination of physical tapes prevents data from being lost or stolen. However, to be truly secure, the data must be encrypted while it’s in transit and at rest. 

In a mainframe environment, where most of the critical data for major corporations reside, data encryption needs are magnified because they are typically used in OLTP applications that utilize sensitive information such as social security or credit card numbers. Virtual tape systems that use a tape-on-disk approach can encrypt data in-line as it’s recorded to disk. This prevents unauthorized access by disgruntled employees, as the data is at rest within the disk sub-system and while it’s being replicated to the disaster recovery site. 

There are several methods for securing data: Networked storage helps enterprises speed access to data and reduce administrative overhead, but can leave critical data vulnerable. Without the physical separation provided by traditional direct-attached storage, data assets become commingled in both Network-Attached Storage (NAS) and Storage Area Network (SAN) environments, putting them at much greater risk for unauthorized access, theft, or misuse. Of course, the need for encrypting information is magnified when using public IP networks because of the potential of someone intercepting the transmission. 

Technologies such as firewalls and intrusion prevention systems seek to secure enterprise assets by protecting the perimeter of the network, but these approaches leave data at the storage core, dangerously open to both internal and external attacks. According to a study by the FBI, an estimated 70 percent of these network breaches originate from within a company, making it all the more critical to protect sensitive information from all prying eyes—both inside and outside the company. 

A more logical solution is to utilize a combination of secure access controls, authentication, storage encryption, and secure logging to protect sensitive stored data. With these methods in place, even organizations that outsource IT management can be sure their data assets are secure. 

Issues to Consider for Securing Data 

  • Choose technology that meets industry certifications, such as FIPS 140-2: Companies doing business with the federal government, for example, must comply with FIPS 140-2 standards developed by the National Institute of Standards and Technology (NIST), specifying security requirements for cryptographic modules used in protecting unclassified information within computer and telecommunication systems. Likewise, many commercial standards used by the financial industry require that data be protected through security measures such as cryptography. It’s likely those in the financial community will soon require higher levels of FIPS 140-2 certification for all cryptographic products. NIST authorized testing labs certify vendor devices to verify they meet specific security requirements.
  • Choose a vendor-neutral method for unlocking data: Avoid locking in to any given vendor with proprietary key management. Mixing and matching equipment lowers the risk of obsolescence.
  • Encrypt data with 256-byte encryption algorithms: 256-byte AES encryption algorithms are universally accepted, and thus the best choice for securing your data.
  • Encrypt mission-critical data first: If encrypting all your data seems like a daunting task, take a hierarchical approach. Begin with the most sensitive data and then expand as your needs dictate. Ensuring your mission-critical data is secure should be the first priority, and then move on to your secondary information. Also, encrypting data in project cycles will significantly cut down on costs and resources, while making sure mission-critical data is secure and protected from the start.
  • Consider different methods of encryption: There are a variety of options for how and when to encrypt your data. Depending on your needs, you may choose to encrypt data in line, where data is encrypted in the data center; encrypt data via manual keys during transmission; or encrypt data via a hardware device that resides between the server and an external storage device. Companies that aren’t concerned about internal threats, for example, may only back up data tapes before they leave the premises, whereas financial institutions seek to protect data internally as well. Ultimately, it’s better to encrypt data from both internal and external threats. Surprisingly, it’s not much more expensive to do so than simply encrypting the information prior to transmission. In line encryption safeguards sensitive information from both external menaces and in-house hacking or even inadvertent release of sensitive information due to carelessness.
  • Protect data at rest and in transit: Sensitive data should be well-protected, particularly when it’s in transit, as that’s when it’s most vulnerable. Moreover, businesses need a way to secure information from both internal threats, such as disgruntled employees, and external threats, such as competitors or hackers. Applying end-to-end encryption safeguards data against corruption and exposure both inside and outside the enterprise.
  • Decide whether to apply manual or automatic key management: This decision depends on how much control you want over data encryption. If you prefer a hands-on approach, manual key management would be best. Manual key management is commonly used for securing data that’s accessed very infrequently. Alternatively, businesses use automatic key management for more current information. This is performed via Application Program Interface (API) calls from a separate server that manages the encryption and decryption of data without human intervention. This has obvious benefits in terms of reducing labor costs and eliminating human error. In addition, automatic key management is fully auditable, so organizations can trace back to whom, how, and when access was granted.
  • Take a prudent approach to security policies: This includes making sure all data tapes leaving the premises are encrypted. This way, if the tapes fall into the wrong hands, you know that confidential information won’t be compromised. Likewise, the end game is to universally encrypt all data.  

—J.O.