In-Depth

Storage Encryption: Let the Feeding Frenzy Begin

Extra weight isn't just for the holidays. Here's a diet plan that might interest you.

• By Jon William Toigo
• 11/29/2005

With the Thanksgiving holiday just passed, many readers may be regretting our overindulgence at the buffet table. Truth be told, however, the period from late October (beginning at Halloween) to late January (ending after Super Bowl Sunday) is a notorious diet breaker for most of us.

Anthropologists posit that it might just be a throwback to ancient times, a tendency to pack on the calories before snow makes food scarce. I happen to believe that all the good company just makes everything taste better.

The same theory might just apply to storage encryption. The equivalent of a feeding frenzy is forming around storage encryption as vendors eagerly await the outcome of pending legislation, modeled after California’s SB1386, that would extend the requirements of the Graham-Leach-Bliley Act and require companies to notify each and every person—individually—if their personal information has been released into the wild.

The 2003 California law imposes a burden on companies that do business with citizens of the state. Going beyond the GLBA requirement that companies humiliate themselves publicly if unauthorized data disclosures occur, the California law is seen as a thinly-veiled “fine” for poor security, considering the costs involved in contacting all effected persons individually via mail, phone call, e-mail, or good old-fashioned fax.

Privacy groups, consumer activists, and a radical fringe of Luddites love the idea. More than a few Americans are sympathetic as well, given the spate of disclosures made public in recent months from Bank of America, Citicorp, AOL, and several others.

But the real champions of the cause are storage security vendors. At the just-concluded Computer Security Institute information security conference in Washington, DC, a UK-based storage encryption software vendor released the results of an ongoing survey that it is conducting (in part, with my help) to determine how pervasive storage encryption technology is today. The results were not a source of much industry thanksgiving.

According to the DISUK “Paranoia Audit,” most companies are sending their data out into the world “nekkid.” (I’ve changed the spelling so this column won’t be stopped by your e-mail filters.) According to their latest numbers, “Only 34 percent of respondents said that their corporate security policy included backup encryption, and only 23 percent said that it was actually taking place.”

There would be no joy in Mudville for companies such as DISUK, or encryption appliance vendors such as Decru, NeoScale, and others, were it not for the future plans of the recalcitrant hold-outs. According to the company, of the non-encrypting 77 percent, more than 46 percent plan to incorporate encryption.

“Overall,” the surveyors state in an ominous tone, “this still leaves almost one in six firms with no plans to encrypt backup tapes any time soon.”

Does this apparent lacksidasical attitude worry folks? Some say it is a big issue. In October, Consumer Reports published an article about a survey in which some 80 percent of Internet users interviewed said they're at least somewhat concerned someone could steal their identity from personal information on the Internet. A majority of respondents say they've stopped giving out personal information on the Web and 25 percent told Consumer Reports they've stopped buying online.

In the UK during the same month, Forrester Research reported that 4 percent of Brits quit online banking because of security concerns. Moreover, according to the analysts, 600,000 of the UK’s 15 million Internet banking customers turned away from online financial transactions because of concerns about privacy and security.

To date, this e-business “trend” does not appear to have influenced the customer base of bricks-and-sticks firms in the U.S. or elsewhere, though there is considerably more advertising geared to privacy protection in commercial advertisements for credit card companies and brokerages. Much like the extra pounds we gained at the Thanksgiving table, security is at least nagging at the backs of people’s minds.

Numerous research and analysis firms are already projecting information security to be the next big boom in technology spending. The storage guys are hoping to go along for the ride.

Before you jump on the storage encryption bandwagon, however, you need to think things through a bit. Security may be getting a free ride on the backs of current and upcoming legal mandates, with an organization's front office temporarily suspending requirements for a rigorous business-value case for every IT acquisition proposed; but that doesn’t mean that it is the right thing to do or that current tools are the silver bullets for getting the job done.

In my conversations with storage security vendors of late, one statistic that keeps coming up is this: encrypting your backups can impose a 40 percent delay on data restore rates—assuming, that is, that you have the presence of mind to stash offsite and out of harm’s way the keys and/or another copy of whatever you used to encrypt the data in the first place. Doing the math, this means that the restore time for a TB of backup data, which takes about three hours under nominal conditions, will now require 4.3 hours. Multiply that by a 10 TB backup and you are talking 43 hours to do the job. Can your disaster recovery plan (assuming you have one) stand that?

You can rest assured, by the way, that the tape-is-dead folks are going to pounce on that little tidbit faster than my dog jumped on the slice of ham that fell off my plate during our family's feast last week. Seagate has already announced disk drives that encrypt on write. Soon, the continuous-data-protection guys are going to start telling us that this encryption thing is the final nail in the coffin of the tape guys.

Don’t you believe it. Tape was already under pressure from the “data explosion” (aka, our failure to segregate data into classes, thereby enabling us to backup only the stuff that really needed to be backed up). From the standpoint of tape viability, encryption just exacerbates the situation. With respect to encryption, as with the dilemma of too much data, the real solution is the same: better data management.

Ultimately, we will not solve the problems of data security by throwing encrypted disk at it. We need to identify the data that needs to be protected and judiciously apply the right technology, encryption, or what have you. That is real compliance, and you won’t have to sell your soul to a vendor to realize it.

Your comments are welcome. jtoigo@toigopartners.com