In-Depth

Security Out of the Closet

New legislation will doubtless require encryption of data traversing networks and Fibre Channel fabrics.

• By Jon William Toigo
• 11/20/2003

A few weeks ago, while on other business at the University of Maryland’s conference center, I noticed that a forum was underway to discuss how future federal legislation should be framed regarding information security. While my schedule did not permit me to listen in on the meeting, the immediacy of the issue was underscored when I checked the newswire coming out of the Gartner Group’s ITexpo Conference, which was being held at the same time in Lake Buena Vista, FL.

The news from the conference included a summary of a talk by Richard Clarke, the former chairman of the President's Critical Infrastructure Protection Board, who called for congressional action on a specific standard that the U.S. Securities and Exchange Commission could use to measure and enforce corporate cybersecurity efforts. Clarke noted that a bill was being introduced shortly to the U.S. House of Representatives, called the Corporate Information Security Accountability Act of 2003. It would require companies hire an independent auditor to assess existing information security controls and ensure that they meet basic standards that the SEC has yet to be determined. SEC would have 60 days after passage of the bill (assuming it passes), to come up with specific standards for the audits.

In the wire accounts, security technology industry insiders said the bill would "force information security out of the closet, and make it part of the overall fabric of management and business operations." My read: they were hoping for a regulatory mandate to help drive the adoption of their information security products by publicly held companies.

From the perspective of enterprise storage, such legislation would doubtless require encryption of information both traversing networks (or Fibre Channel fabrics) and written to media as a safeguard against disclosure or misuse. This would be good news for companies such as Decru and Neoscale Systems, two companies offering out-of-the-box storage encryption appliances.

Another storage player that is building capabilities ahead of the regulatory curve on storage security is Breece Hill in Louisville, CO. CEO Phil Pascarelli notes that the “handwriting was already on the wall that a heavy push would be forthcoming in storage security in the wake of HIPAA in the health care industry and the Patriot Act in the financial industry. There was likely going to be a requirement at some point that all of this personal data be encrypted in archival storage. The new legislation, when it passes, will just add to new demand.”

Pascarelli says efforts are already afoot at his tape automation solutions company to deliver a platform that enables enhanced storage security. “We have offered support for Write-Once Read-Many (WORM) techniques in our tape products and on MaxOptix optical disc products for several years. But, WORM is primarily intended to provide data with non-repudiability and authentication, not encryption per se. With our new products, we’re incorporating front-end disk staging of backup or archive data before migrating it to removabls storage. We’re bringing to market an integrated appliance for Disk-to-Disk-to-Removable or D2D2R storage, targeted for SMB. Our next step is to enhance our platforms with technology both to support external encryption schemes and to add our own on-board approach that will facilitate the security and regulatory compliance requirements of our customers.”

Breece Hill enjoys a reputation as a sterling provider of tape and magneto optical solutions to the small and medium-sized business, a group that Pascarelli observes is among the hardest hit by burgeoning information security regulations and least effectively served by big names in the storage industry who typically targets their data security solutions at larger enterprises.

While Breece Hill does not provide a security solution at this point, Pascarelli is correct when he suggests that newer disk-to-disk-to-tape or optical platforms can set the stage for better security implementation. Backup and archive data stored to removable media are often left out of security schemes that are being increasingly applied to production systems. This is a potentially huge oversight that could end up costing organizations significant money in the form of unauthorized data disclosure and subsequent regulatory agency fines.

Tier 2 disk provides a location for cleaning data of unnecessary replication, viruses and “contraband files” like pirated music MP3s and videos. Additionally, it can be used as a location to encrypt data and for establishing secure pipes for transmitting data to backend tape or optical systems.

It's worth a look.