The basic situation is that data to be protected is mushrooming, particularly file data, the great unstructured data mountain. It needs backing up and it needs to be assessed as some of it contains sensitive data that shouldn't be revealed to people not authorised to see it. There are two vulnerabilities in particular which both apply to data at rest.

First there is file data on disks. In a lot of cases the owning organisation doesn't know how much sensitive information it might be holding and where it is in its file estate. Anybody malicious getting inside the firewall can put this data at risk and adversely affect the business. Anybody putting such data on a laptop which is subsequently stolen or lost puts the business at risk and may expose thousands of customers to identity theft. Nationwide Building Society was just fined £980,000 by the FSA for just such a occurrence and its laggardly response to it.

Secondly there is data on tape. Tape cartridges can be mislaid or stolen and, once again, the owning business put at risk through inability to restore data and/or identity theft type issues. Our four companies, our gang of four, aims to do help their customers do something about these vulnerabilities.

Network Appliance

Network Appliance products hold many petabytes of file data. The company owns Decru and has an OEM relationship with Kazeon. It also has a good relationship with Iron Mountain.

Iron Mountain provides a vaulting service that can collect and store backup tape cartridges, or that can receive data to be archived off site over network links.

Decru provides encrypting appliances, the DataFort, that encrypt data at rest on disk or on tape, tapes that go to Iron Mountain vaults perhaps..

Kazeon's Information Server can scan a file estate, identify files containing sensitive data and move them to secure storage, storage that may be NetApp filers protected by Decru DataFort appliances for example.

Iron Mountain

Iron Mountain covered security matters amongst other things. Its collecting vans are prominently labeled as Iron Mountain vehicles and have GPS tracking devices so that if they go off-route they can be tracked and recovered. The company used to use un-marked vanilla white vans but one was stolen about three and a half years ago. All the tape reels inside were lost but that was not the target of the hi-jack. Instead the van was used in a ram-raid and later recovered. After that Iron Mountain found through research that a branded Iron Mountain van was far less likely to be stolen just so that the vehicle could be used for a criminal purpose.

If an Iron Mountain van collecting backup tapes gets hi-jacked then it's most unlikely that the hi-jackers will be able to get anything useful off the tapes. They are given uninformative labels and there is no indication of their format or what software backed up data to the tapes. Any Iron Mountain van stolen to order for its backup tape contents will possibly involve customer staff who know which tapes contain the sensitive data and not Iron Mountain staff who, by default, will not know anything about tape contents and what backup software was used.

Iron Mountain mentioned that responsibility for holding backup tapes will rest with it once the tapes are passed over to the driver of the Iron Mountain collecting van, according to the chain of custody. However, if anything untoward happens with those tapes - such as they get stolen - then it's the responsibility of Iron Mountain's client to tell the relevant regulatory authorities and not Iron Mountain.

Interestingly if a client is involved with regulatory or legal authorities then Iron Mountain can be required to keep all backup tapes it holds and not delete them or permit them to be over-written, even if that goes against the contract terms it has with its client.

Kazeon

Kazeon has an Information Server 1200 product that scans an organisation's file estate on network-attached storage and finds files containing sensitive information. Such files can be moved to secured storage according to customer-settable policies and the original copies deleted. Kazeon's UK country manager, Nigel Williams, talked about a information blind spot, meaning the information stored in file systems as the organisation will generally have little idea which files contain sensitive information that needs holding more securely.

The risk is that sensitive information gets inadvertently disclosed and puts the organisation at risk of bad PR, or financial penalty or both. Remember NationWide and its near million pound fine.

Kazeon product can scan your file estate - it discovers all the shares on the network using IP addresses - looking for sensitive data, such as credit card numbers, customer names and addresses, national insurance numbers, passport numbers etc - it is wised up to country variations in sensitive data items by the way - and then move them to more secure storage using customer set policies.

Williams was careful to point out that technology is not enough. The Information Server 1200 is not a silver bullet. When a sensitive file is moved (quarantined so to speak) there is no stub left behind so that the user or application can access it at one remove so to speak. Instead the processes involved have to be thought through so that a combination of technology and process is applied by an organisation.

After all, if an employee is storing customers' national insurance numbers on an un-secured local hard drive then that practice needs to change.

Part two of this feature is here.