By Terry Sweeney
With Michele Borovac, director of marketing for Decru Inc., Redwood City, Calif. Decru is a vendor of networked storage security products, including its flagship line of DataFort storage security appliances.
This interview originally appeared in the IT Business Edge weekly report on Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit www.itbusinessedge.com.
Question: There's been a lot more focus on data storage and storage networks with the Sarbanes-Oxley Act and other new federal rules. How big is the vulnerability, given that archived and backup data is usually stored in the data center or offsite?
Borovac: Data stored in cleartext is highly vulnerable to unauthorized access. Period. Today's complex storage networks have grown to house terabytes of this data, making them a rich target for attackers. These networks have thousands of ports and access points with virtually no integrated security. Curious or malicious insiders, or an outsider who has slipped through a porous firewall via a VPN, can easily gain access to data. Additionally, organizations then make multiple copies of sensitive or regulated data for backup and disaster recovery purposes. Portable media like backup tapes pose unique security challenges. Tapes are small, easily concealed, and can contain gigabytes of data. They are frequently entrusted to a third party for offsite storage and management. Because of these concerns, organizations facing regulatory pressures are beginning to look at technologies like encryption to help strengthen their security models and build a strong foundation for compliance.
Question: Secure data storage is important, but companies also need secured and assured ways to delete or permanently expunge electronic files and records. How can this be guaranteed to everyone's satisfaction?
Borovac: Data written to disk is essentially indelible. Modern forensic techniques can easily retrieve deleted data, and current disk scrubbing methods can be time-consuming and expensive. Envision a situation where a company's financial records must be stored for seven years. During that time, they are written to a file server for central storage, snapshots are taken for backup, they are mirrored to another server at a disaster recovery site, and they are also spooled to tape and sent offsite. When the data retention period expired, the primary copy could be found and deleted, but until very recently, it was nearly impossible to trace all copies and make sure they were also destroyed. By ensuring that cleartext data is never written to disk or tape, and managing the encryption keys in a central location, the process for permanently deleting data can be simplified dramatically. By deleting the encryption key, all copies of a document are instantly and permanently deleted.
Question: Where can enterprise customers best spend their security budgets to secure storage networks this year?
Borovac: New encryption technologies can make the default state of the data secure. Companies evaluating encryption technologies should ask the following questions of any vendor they are considering:
- Does the solution support all the environments where my data is stored, including network-attached storage, storage area networks, direct-attached storage, and tape backup?
- Can the solution encrypt and decrypt data at wire-speed without impacting my users or applications?
- How are encryption keys managed? If you are storing your data for months or years, you want to make sure you can always decrypt it.
- Will the solution require me to install software on my clients or application servers? This can result in significant TCO issues when the time comes to upgrade operating systems or software.
- How secure is the solution? Are encryption keys stored in software? If so, this can lead to significant vulnerabilities.