Data security is a major concern for all CIOs. It has been addressed at several layers: access and identity controls, encryption of data in transmission, and securing data at rest, on disk or on tape.
The difference today is that threats are more sophisticated and business practices are more dependent on IT practices that span the whole organisation, from individuals through to the data centre. The requirements for sound information governance include company practices, as well as financial reporting standards and legal issues, such as the Data Protection Act.
Penalties for poor practice can be significant, not only to the company, but also to the individuals concerned. Examples of the consequences of operational failures include fines, loss of confidence in the organisation and the brand, loss of standing with colleagues or loss of employment and, in the extreme case, corporate failure.
Recognising the risk
The first security measure is usually a key to the door: ensuring that access is given only to approved persons. Other challenges include defining the access routes to information sources so that identity checks and denial-of-service policies can be enforced. However, the main risk usually comes from within the organisation.
The value of data to a business is immeasurable. So what happens if it is not available or if an unauthorised individual gains access to corporate information? How can this actually occur?
- Recently there was a case in India where someone was selling customers' bank account details;
- Account and contact details of Yahoo users were stolen in the US;
- Magnetic tapes containing personal financial data were lost in transit;
- Personal computers passed on to a charity after use within a major corporation still held private data that should never have left the organisation;
- Back-up tapes were delivered to the wrong owner from the offsite vault;
- A company's back-up tapes were left in a toilet.
The risk of company data falling into inappropriate hands is high, and the consequences can be significant for the business and for the individuals concerned or responsible for the safekeeping of the data. To protect against this, companies must consider how they will secure information, whether it is in the data centre, in remote offices or on employees' laptops. Data encryption will become a standard practice.
Selecting an encryption process
Each company has to decide which encryption method is most appropriate for it. The choices relate to which data is to be encrypted and at what stage it will be encrypted.
Taking the case of magnetic tapes used for back-up or archive data, the basic option is to add encryption routines to the software that writes the data to tape; these are available from companies such as Symantec, CA, Legato and Bakbone. Data compression must be applied beforehand, since encrypted data is effectively incompressible: good encryption leaves no redundancy for the compression algorithm to exploit. Who manages the encryption keys is also an issue.
With large volumes of data, performance can be an issue. In such cases encryption appliances from companies such as DISUK, NeoScale and Decru are an option; these appliances take different approaches to security and key management.
All vendors support the DES and AES standards, but it must be recognised that some of these ciphers can be broken: the earlier 56-bit DES key can now be broken easily, so current products support 128- and 256-bit AES keys. Additionally, some devices split the data stream, encrypt the parts and interlace them before writing, to increase the level of security.
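As an added illustration (not from the original article or from any of the vendors named above), the following Go program shows why compression has to come before encryption: it takes a constructed, highly repetitive backup record set, applies gzip and AES-256-GCM from Go's standard library in both orders, and reports how many bytes would reach the tape. The record set, the all-zero demonstration key used in the comments and the function names are assumptions for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// SampleBackup is a constructed, highly repetitive record set, typical of backup streams.
var SampleBackup = bytes.Repeat([]byte("acct=0001;balance=100.00;status=ok\n"), 300)

// gzipBytes compresses data with gzip; writes to a bytes.Buffer cannot fail.
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// encryptAESGCM uses AES-GCM (a 32-byte key selects AES-256) and returns
// nonce || ciphertext || tag, which is 28 bytes longer than the plaintext.
func encryptAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // fails unless the key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, data, nil), nil
}

// TapeSize returns the bytes that would reach the tape for data, compressing
// either before encryption (compressFirst) or after it.
func TapeSize(key, data []byte, compressFirst bool) (int, error) {
	if compressFirst {
		ct, err := encryptAESGCM(key, gzipBytes(data))
		return len(ct), err
	}
	// Encrypt first: ciphertext looks random, so gzip removes nothing and only adds framing.
	ct, err := encryptAESGCM(key, data)
	if err != nil {
		return 0, err
	}
	return len(gzipBytes(ct)), nil
}
```

Run with a 32-byte key: compressing first leaves roughly a hundred bytes for the 10,500-byte sample, while encrypting first produces an output slightly larger than the plaintext.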
Selecting what to encrypt
The example above has focused on magnetic tape because it is a readily removable medium, but data on disk may also need to be encrypted, whether for archive purposes, as supported by EMC, or for additional operational security.
Then there is the type of data that will be encrypted. Should this be business critical data, personal data or all information? These are decisions that must be addressed by all companies.
CIOs and business managers have a responsibility to ensure that systems operate in a secure fashion and that all data within these systems is fully protected. Information is a key asset of any organisation. The evolving practices of corporate and information governance mean that information must be held in a secure and trusted way, for operational data as well as long-term archive data. Encryption of data critical to the organisation will become a standard practice.