In-Depth

What Security Provisions Do We Really Need?

Proof is in the pudding….but no one seems to be in the kitchen

• By Jon William Toigo
• 05/05/2005

In response to our previous column covering the incidents at Bank of America and elsewhere that put customer data in jeopardy of unauthorized disclosure, many readers e-mailed us. Some were from vendors, offering a kind of “I told you so” critique and emphasizing that the bank could have avoided pain and humiliation if it had just used their specific wares to secure its backup data. Others were IT folk who wanted to know how they could better track the emerging technologies for storage security. Still others wanted to know how they could keep on top of legal developments that would shape management thinking on this important subject. So, in our ongoing effort to be responsive to our loyal readers, we offer some observations and advice.

One reader queried: “What do you think of this idea: adopting legislation/regulations that force companies, like banks, credit card issuers, etc. to reveal their data security practices to the consumer? Such as, ‘At B of A, your private data is stored unencrypted on disk arrays, and after days, is copied to tape unencrypted and sent to an offsite tape storage repository where it is held for years.’

“That way, the consumer can decide whether or not to give B of A their data. Same goes for the clearinghouses of the world, e.g. ChoicePoint. As things stand, companies have to reveal their data privacy practices to consumers—but not data security practices. I think it's a big hole waiting to be filled.”

I like this idea a lot; it is in keeping with the observations I made in the previous article. I argued that, without some idea of how disclosure events occurred and what was being done to prevent them from happening again, it is very difficult to develop best practices around storage security. Forcing businesses to hang general information about their security methods on their Web sites and in their marketing materials, then using this as a discriminator for customers, is another interesting idea. We hope that some financial institutions will begin to do this voluntarily and without the need for a government mandate. Maybe it would touch off a kind of “bidding war” for the customer’s confidence that could only benefit us all in the end.

There are, however, some provisos to the above. For one, we have no way to ascertain, without regulatory policing, whether a business is actually doing any of the things that it says it is to keep consumer data safe. For another, if businesses appear to be bragging about their security, we wonder if hackers and other malcontents might view that as a challenge and step up efforts to break the business’ security just for giggles. The latter is a concern that has long kept security folks tight-lipped about their security measures. No one wants to paint a target on his back.

What really needs to happen, in my view, is embedded in the writer’s note. We need to engage in a meaningful discussion of what security provisions are actually needed for storage. Many companies believe that security requirements stop with the corporate LAN and the application password challenge. Storage I/O has been held sacrosanct because of its extreme sensitivity to latency. It has been a rule of thumb forever in the security world that the cure must not be worse than the disease. So, anytime anyone started talking about encryption with respect to data storage, red flags would be raised.

NeoScale, Decru, and others have long argued that their encryption process does not introduce latency. That they still find themselves in the category of “start ups” after so many years is testimony to how few companies are buying their claims. As far as we can see, SNIA’s Storage Security Forum hasn’t helped to raise awareness or to demonstrate the efficacy of these technologies. Nor have users been very vocal about their success or failure with them.

Perhaps what is needed is a public demonstration. Someone unbiased should create reference configurations, test them, and publish the results to show exactly how much latency an extra measure of storage security will introduce. My test labs, TPI Technologies, would be happy to do this if we wanted to play in the Fibre Channel world (which we don’t). Unfortunately, most of the vendors offering storage encryption sought to find homes in large enterprises (where the money was a few years ago), which is to say, in data centers where you couldn’t sell a port of anything that wasn’t Fibre Channel. This decision may have seemed smart at the time, but it severely limits the utility of these wares as the world moves inexorably away from FC and toward iSCSI and RDMA over IP.

What is needed is new security technology that takes advantage of IPsec, the set of standard security protocols created explicitly for IP traffic, of which storage is soon to become a significant component. My free advice to Barbara Nelson, CEO at NeoScale, and Dan Avida, CEO at Decru (both of whom say that iSCSI-compatible iterations of their wares are either shortly forthcoming or on the near-term horizon), is to get those products out and in front of folks to validate their performance claims.

They may then want to ask the venture capitalists for a little extra coin to encourage a few legislators into writing requirements for storage security into some sort of amendment to federal regulations, such as Sarbanes-Oxley (SOX) or Gramm-Leach-Bliley. That way, everyone holding private data will need to pony up and comply.

Insiders are telling me that the disclosures we know about from prominent companies are only the tip of the iceberg. Those in the know also tell me that more federal regulations are in the works that will extend the draconian requirements of HIPAA beyond the health care industry and into other verticals, including finance.

The problem with many of the regulations, however, is that they are a lot like seat belt laws. With the exception of a few showcase arrests, regulatory violations will only be enforced in connection with some broader beef, such as racketeering, where they can be used to expand the number of indictments handed down to some future Enron, WorldCom, or Tyco. There are already many voices lobbying government about the existing regs. Their primary complaint: SOX has made a CEO’s job less fun.

Oh, well. Next time I will explore an interesting backup security play from eVault and provide some sources of good info on storage security—not the least of which is another column on security published right here at ESJ.com.

Comments, as always, are welcome: jtoigo@toigopartners.com