In May 2005, financial services giant UBS joined a growing list of companies that have suffered the highly public embarrassment of having to admit to losing customer data. In this case, a hard disk containing customer records had gone missing after some routine IT maintenance work.
Similarly, officials at the Bank of America were left apologising profusely after it was revealed that it had lost back up tapes containing personal data relating to hundreds of thousands of US government employees.
Such high profile losses of customer data are not just damaging to corporate reputations, but could easily have been avoided by encrypting stored information – something that has been technologically possible for some time already. But the problem for most businesses is that considering encryption at the storage level requires the addition of extra complexity in an already fiendishly complex environment, says Bob Zimmerman, analyst with Forrester Research. "The need is understood, but few sites have opted for a storage [security] appliance because it adds yet another layer to the storage hierarchy."
There is also a performance issue to consider. Historically, end users have perceived encryption to be a drag on availability of data. But this is no longer valid, says Tim Pitcher, VP for strategy and business development at storage vendor Network Appliance. "As with any technology, performance improves over time. That perception is changing."
Now NetApp has a vested interest in pushing encrypted storage: it is due to complete its acquisition of security appliance vendor Decru in the third quarter of 2005. But along with the December 2004 merger of security giant Symantec and storage software vendor Veritas, NetApp's $272 million deal is recognition that IT professionals are waking up to the problem of stored data security, says Tony Prigmore, senior analyst at the Enterprise Strategy Group (ESG).
According to ESG, almost two thirds of organisations never encrypt their data during backup. "It is the dirty little secret of storage," says Prigmore. "Data, by and large, is not secure."
But while performance may be less of a concern as technology improves, the act of encrypting stored data will still add cost to the IT organisation. The twin pressures of regulatory compliance and meeting customers' data protection expectations are forcing businesses to accept at least part of that cost. The trick is to minimise the volume of data that undergoes encryption, says Rich Mogul, research VP at analyst Gartner: "Encrypting everything, everywhere, isn't necessary. Focus on regulated data and customer personal data."
End-to-end protection
But encrypting data at the storage level is only one possible mechanism for bolstering its security. For the most cost-effective way of providing a secure infrastructure, management needs to take a holistic view of the end-to-end systems. "That includes storage, but it also includes all the other points from the edge of the network," says Mark Seager, VP for technology at Symantec.
Seager highlights the example of spam email: without proper protection at the email gateway, hundreds of unwanted messages sit on the email server, and are then in turn archived, adding massively to the storage burden.
The momentum behind securing storage has attracted other vendors. Storage hardware heavyweight EMC is developing products to meet both the encrypted storage challenges, and the wider issue of data integrity. "Customers want data encrypted. Some want it encrypted online; some want it encrypted only when it goes to tape; some want it encrypted only when it's being moved," says Joe Tucci, CEO of EMC.
EMC is set to release its continuous data protection product in the third quarter of 2005, and promises it will capture data changes as they occur. It also plans to release single sign-on and auditing products in 2006. With such broad and high-profile backing, the storage security market looks set for growth, sparing many companies' blushes in the process.