Data breaches are an everyday occurrence, and the consequences for organizations that suffer a breach can be horrendous, ranging from loss of consumer confidence to fines and punitive damages.
Some organizations, however, have learned through experience that one tool in particular helps: encryption. Last fall, for instance, the Second Appellate District Court of California ruled in favor of the defendant, the University of California, in a case arising from a 2011 breach in which a laptop holding 16,000 patient records was stolen. The plaintiff had sued under the Confidentiality of Medical Information Act (CMIA), a state statute. The decision rested in part on the fact that the records on the laptop were encrypted, which undercut the claim that their confidentiality had actually been lost.
To be sure, encryption of data “in flight” is increasingly the norm, and many organizations now also recognize the importance of encrypting data “at rest” on storage devices. Yet despite the growing need to protect sensitive data to meet regulatory and compliance mandates as well as service-level agreements, many remain hesitant to embrace the technology broadly. The resistance to encrypting data at rest comes down to three factors: complexity, risk and cost. The complexity lies in dealing with many encryption products, most of which ship with their own proprietary key manager, and in the day-to-day operation of multiple encryption-key-management (EKM) systems. Risk and cost go hand in hand. Missing a backup window is a serious risk for any enterprise trying to meet and improve on its service levels, and on most systems enabling encryption lengthens the time until the data is safely on the backup appliance, which makes that window harder to hit. On the cost side, consider the staff time consumed by managing all these disparate systems every day, compared with a centralized key-management approach and a single data-protection platform.
Still, few can ignore the worsening threat that is bedeviling security professionals. Clearly, data inside the firewall can no longer be considered safe. Furthermore, the rise of cloud data storage and cloud computing in general means organizations must now vouch for data in environments they don’t even directly control. Those trends are now driving demand for and interest in protecting data at rest via encryption.
Fortunately, a double revolution is brewing. First, the complexity of managing encryption keys is no longer as great a barrier, thanks to developments such as the Key Management Interoperability Protocol (KMIP), an industry-standard communications protocol between key-management systems and the encryption systems that consume keys. The protocol is governed by the Organization for the Advancement of Structured Information Standards (OASIS). Enterprises running multiple encryption solutions, each with its own (often proprietary) key manager, have faced steadily rising complexity and cost; once every product speaks the same standard protocol to one key manager, the economics shift. KMIP is therefore rapidly becoming the recognized way to manage encryption keys wherever they are required, and both vendors and their customers are committing to it.
KMIP isn’t entirely new: it was first submitted to OASIS for standardization in 2009. Vendors quickly announced product updates that would incorporate KMIP, and working demonstrations and compliant product deliveries followed.
In KMIP, a server stores and controls keys, certificates and other managed objects, including user-defined ones. Clients access those objects through the protocol, subject to the access-control policy the server enforces. Each object carries attributes: base attributes such as the cryptographic algorithm and key length that go with the key value itself, plus extended attributes that can include user-defined ones. Every object has a server-assigned unique identifier that never changes, along with a name attribute that the client may alter.
Momentum is building. According to OASIS, at the 2013 RSA Conference KMIP clients from Cryptsoft, IBM, Quintessence Labs and Thales e-Security communicated with key-management servers from Cryptsoft, HP, IBM, Quintessence Labs, Thales e-Security, Townsend Security and Vormetric. The clients and servers demonstrated the full key-management life cycle across vendor boundaries: creating, registering, locating, retrieving, deleting and transferring symmetric and asymmetric keys and certificates. Interoperability between older and newer versions of KMIP was demonstrated as well.
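The object model and life cycle described in the two paragraphs above are easier to reason about with a concrete model in front of you. The following Python is an added illustration written for this article; it is not code from the author, from Sepaton, from OASIS or from any KMIP product, and it implements no wire protocol. It borrows KMIP's vocabulary (Create, Register, Locate, Get, Activate, Revoke, Destroy; Unique Identifier; the Name attribute; Cryptographic Length; the "x-" prefix for client-defined custom attributes; the Pre-Active, Active, Deactivated and Destroyed states) to show how a fixed identifier, a changeable name and a server-enforced access policy interact. The owner-only access rule and the rule that an Active key must be revoked before it can be destroyed are simplifications assumed for the example, as are the client and key names in the demo.

```python
import secrets
import uuid
from dataclasses import dataclass, field


class KmipError(Exception):
    """Stands in for a KMIP failure result; the reason strings echo the spec's wording."""


@dataclass
class ManagedObject:
    uid: str                   # Unique Identifier: server-assigned, fixed for the object's life
    owner: str                 # registering client; the access rule below is an assumption
    key_material: bytes        # the key value itself, released only by Get
    state: str = "Pre-Active"  # Pre-Active -> Active -> Deactivated -> Destroyed
    attributes: dict = field(default_factory=dict)   # Name, Cryptographic Length, x-* ...


class KeyManager:
    """Toy KMIP-style server: one table of objects keyed by Unique Identifier."""

    def __init__(self):
        self._objects = {}

    def register(self, client, name, key_material, **custom):
        """Register: the client supplies existing key material plus attributes."""
        if len(key_material) not in (16, 24, 32):
            raise KmipError("Invalid Field: key length must be 128, 192 or 256 bits")
        for attr in custom:              # client-defined attributes carry the x- prefix
            if not attr.startswith("x-"):
                raise KmipError("Invalid Field: custom attribute %r lacks x- prefix" % attr)
        uid = str(uuid.uuid4())
        self._objects[uid] = ManagedObject(
            uid=uid, owner=client, key_material=key_material,
            attributes={"Name": name, "Cryptographic Algorithm": "AES",
                        "Cryptographic Length": len(key_material) * 8, **custom})
        return uid

    def create(self, client, name, length_bits, **custom):
        """Create: the server generates the key; the client only sees it via Get."""
        if length_bits not in (128, 192, 256):
            raise KmipError("Invalid Field: unsupported Cryptographic Length")
        return self.register(client, name, secrets.token_bytes(length_bits // 8), **custom)

    def _live(self, client, uid):
        """Resolve a UID to a non-destroyed object the calling client may touch."""
        obj = self._objects.get(uid)
        if obj is None or obj.state == "Destroyed":
            raise KmipError("Item Not Found")
        if obj.owner != client:          # the server-enforced access policy (assumed: owner only)
            raise KmipError("Permission Denied")
        return obj

    def locate(self, **wanted):
        """Locate: UIDs of non-destroyed objects whose attributes match every filter."""
        return [uid for uid, o in self._objects.items()
                if o.state != "Destroyed"
                and all(o.attributes.get(k) == v for k, v in wanted.items())]

    def rename(self, client, uid, new_name):
        """Modify Attribute on Name: the name changes, the Unique Identifier does not."""
        self._live(client, uid).attributes["Name"] = new_name

    def get(self, client, uid):
        return self._live(client, uid).key_material

    def activate(self, client, uid):
        obj = self._live(client, uid)
        if obj.state != "Pre-Active":
            raise KmipError("Illegal Operation: Activate from %s" % obj.state)
        obj.state = "Active"

    def revoke(self, client, uid):
        obj = self._live(client, uid)
        if obj.state != "Active":
            raise KmipError("Illegal Operation: Revoke from %s" % obj.state)
        obj.state = "Deactivated"

    def destroy(self, client, uid):
        obj = self._live(client, uid)
        if obj.state == "Active":        # assumed rule: revoke first, then destroy
            raise KmipError("Permission Denied: Active objects cannot be destroyed")
        obj.state = "Destroyed"
        obj.key_material = b""           # metadata is retained, the key value is gone


def lifecycle_demo():
    """Walk one backup key through the life cycle; returns the UID and what each step observed."""
    km = KeyManager()
    appliance, other = "backup-appliance-01", "reporting-host"   # constructed client names
    uid = km.create(appliance, "tape-set-2013-q1", 256, **{"x-site": "dc1"})
    seen = {"key_bytes": len(km.get(appliance, uid)),
            "found_by_name": km.locate(Name="tape-set-2013-q1") == [uid]}
    try:
        km.get(other, uid)
        seen["other_client_denied"] = False
    except KmipError:
        seen["other_client_denied"] = True
    km.rename(appliance, uid, "tape-set-2013-q1-retired")
    seen["found_by_old_name"] = km.locate(Name="tape-set-2013-q1") == [uid]
    seen["found_by_custom"] = km.locate(**{"x-site": "dc1"}) == [uid]
    km.activate(appliance, uid)
    try:
        km.destroy(appliance, uid)
        seen["destroy_while_active_refused"] = False
    except KmipError:
        seen["destroy_while_active_refused"] = True
    km.revoke(appliance, uid)
    km.destroy(appliance, uid)
    seen["found_after_destroy"] = km.locate(**{"x-site": "dc1"})
    return uid, seen
```

Running `lifecycle_demo()` shows the points the article makes: the key is still found by its custom attribute after being renamed because the identifier, not the name, is what the server keys on; a client that did not register the key is refused the key value; and once the object is destroyed it no longer turns up in Locate, even though the server keeps its metadata. A real deployment adds TLS client authentication between the backup appliance and the key manager, which is where the owner identity in this model would actually come from.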
While KMIP has made encryption broadly practical by simplifying key management, others have been working on the inherent performance challenge, particularly for backups, which can become unacceptably slow once encryption and decryption are added to the data path. Those performance penalties can block encryption projects and crowd out other vital tasks. Traditional backup systems often lack the scalability and robustness to cope at the same time with explosive data growth, increasing risk and complexity, tight budgets and the added load of encryption. Data growth in particular, generally averaging about 20 percent per year, magnifies every other challenge.
Part of the challenge is simply having enough storage. But large enterprises and their IT staff, faced with backing up data from demanding applications such as enterprise resource planning (ERP) systems like SAP and Oracle Business Suite and the databases beneath them, are recognizing that adding more non-scalable disk or tape libraries is no longer a cost-effective or efficient strategy. They need more workable approaches: enterprise-optimized data-protection solutions that address these challenges and keep them ahead of the data-growth curve.
Enterprises need a data-protection platform with the scalability and performance to absorb both data growth and changing storage architectures, and the flexibility to add protection features such as encryption. It must also be reliable and easy to deploy and operate, delivering higher service levels while reducing operating and capital costs.
Solutions to the performance dilemma outlined above, combined with encryption and KMIP-based key management, should deliver throughput that neither drops while data is being “ingested” nor lengthens the “time to safety” (the interval during which data is on its way to disk but not yet encrypted).
Enterprise-scale organizations must move ahead now, gaining the benefits of more-capable and efficient storage infrastructure along with the crucial protection that encryption of data at rest provides. Doing so can help contain costs and avoid the alarming risks associated with data breaches and compliance violations. Fortunately, the technology is available today.
About the Author
Florin Dejeu, director of product management, Sepaton, Inc., has more than 20 years of product-management experience, overseeing the development of offerings that address the information-management needs of large enterprises with emphasis on storage, archiving, classification, HSM and data-protection solutions.