Encryption's Hard Truths

UCSD storage security guru delivers some uncomfortable truths about crypto

March 13, 2007


IRVINE, Calif. -- Data Protection Summit -- Encryption is no cure-all for enterprises' data security woes, warned Gordon Hughes, associate director of the Center for Magnetic Recording Research (CMRR) at the University of California San Diego, during a keynote here yesterday.

A recent report from the Ponemon Institute revealed that about two thirds of large U.S. businesses currently have some sort of encryption strategy in place, although Hughes told users not to get carried away with the hype: "Data encryption is not a panacea." (See Encryption Set to Go Mainstream.)

Hughes, who tests ATA and SCSI drives for the National Security Agency, instead urged users to think about the effect of encryption on storage virtualization, data de-duplication, and compression. "If you leave the data encrypted everywhere, it defeats all these functions," he said, echoing CIOs' recent concerns about encrypting virtual data. (See Tales From the Virtual Crypt, What's the Key to Excellent Encryption?, and Vendors Push Virtual Security.)

De-duplication, which is set to be one of this year's hottest storage technologies, also poses some real challenges when it comes to key management. (See Users Look Ahead to 2007, Dealing With De-Dupe Doubts, and New Wave of CDP Rolls In.) "If every user has the same data encrypted with different keys, you're not going to be able to detect the duplicate data."
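The two effects Hughes describes above, encryption defeating compression and per-user keys defeating hash-based de-duplication, as an added illustration that is not part of the article. The cipher is a stand-in keystream built from SHA-256 (an assumption for the demo, not a real cipher), and the block goes one step beyond the talk by also showing the content-derived-key variant in which identical plaintexts stay de-duplicable:

```python
"""Constructed demo: how encrypting everywhere interacts with de-dup and compression."""
import hashlib
import os
import zlib


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher for the demo only: keystream = SHA-256(key | nonce | counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def unique_chunks(chunks) -> int:
    """Hash-based de-duplication: a storage system only sees bytes, so it counts distinct digests."""
    return len({hashlib.sha256(c).digest() for c in chunks})


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; ~1.0 means nothing was gained."""
    return len(zlib.compress(data, 9)) / len(data)


def demo(n_users: int = 5) -> dict:
    # Constructed sample: every user stores an identical copy of the same file.
    plain = b"quarterly report, identical copy on every laptop\n" * 80
    copies = [plain] * n_users
    # Per-user keys: same plaintext, different ciphertexts, so the de-dup engine
    # finds n_users "unique" chunks instead of one (Hughes's point).
    per_user = [toy_encrypt(os.urandom(32), bytes(12), plain) for _ in range(n_users)]
    # Content-derived key (convergent encryption): identical plaintexts yield identical
    # ciphertexts and remain de-duplicable, at the cost of revealing that two users
    # hold the same file, which is the key-management trade-off the talk alludes to.
    conv_key = hashlib.sha256(plain).digest()
    convergent = [toy_encrypt(conv_key, bytes(12), plain) for _ in range(n_users)]
    return {
        "plaintext_unique": unique_chunks(copies),
        "per_user_key_unique": unique_chunks(per_user),
        "convergent_unique": unique_chunks(convergent),
        "plaintext_ratio": compression_ratio(plain),
        "ciphertext_ratio": compression_ratio(per_user[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```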

Hughes also talked about the lack of encryption standards, urging users not to get too excited about short-term results from industry bodies like the Trusted Computing Group. (See Red Tape Trips Up Security.) "It's a great idea, but it's not going to happen instantaneously," said Hughes, highlighting the challenge of getting so many different vendors to work together. "I don't think it's going to happen for several years." The TCG was founded in 2003 by a group of vendors including Microsoft, Sun, Intel, AMD, IBM, and HP to develop open standards for security. (See Nortel Joins Group, TCG Announces Open Blueprint, and On the Brink of Storage Disaster.)

That said, Hughes highlighted Seagate's recently launched Momentus drive, which was developed in conjunction with the TCG, as a hint of things to come from the group. (See Secude, Seagate Demo at SNW, Seagate Ships Drives, and Security Smorgasbord on Show.) "It looks like it's a higher level of security than anything else, apart from physical destruction."

On the subject of destruction, Hughes also shared his thoughts about the shortcomings of "degaussers," which remove magnetic data from hard drives. (See Data Demolition and Lost Data? Call a Counselor.) "They become obsolete as new generations of tapes and disks are developed -- old degaussers can't erase new drives."

Hughes voiced his dismay about firms' laissez-faire attitude towards data destruction. Much of CMRR's research, he told Byte and Switch, is done using drives bought on eBay, most of which still have their original data intact. "Despite all the federal laws, people don't do it," he noted, adding that only three to five percent of firms actually erase their data.

Another Data Protection Summit speaker agreed that the average firm does not understand the reality of data deletion. "Most people don't know what the regulatory policies are supposed to be for deletion," said Jay Kramer, vice president of worldwide marketing for iSCSI specialist iStor Networks. (See IStor, StorageRep Partner and IStor, AXstor Team.) The exec, taking part in a roundtable discussion yesterday evening, said that, even when deletion policies are in place, they are typically associated with specific applications such as email. (See Intel's Email Maelstrom.)

UCSD's Hughes also laid into end-users, who present a major technology challenge for many businesses. (See Users Self-Destruct on Governance.) "Users are naïve -- they simply expect computers to protect data," he said. "Very few users do anything to protect their data -- they expect that computers come wrapped in bubble-wrap and do that."

Even IT staff came in for criticism during Hughes's keynote: "Data center people and enterprise storage people automatically think that their storage is secure. In my experience, they are no more likely to take on additional responsibility than individual users."

— James Rogers, Senior Editor Byte and Switch
