Storage Encryption Poses Management Challenges

There are plenty of reasons why businesses and other enterprises should embrace encryption. First, there is a steady stream of data breaches, including high-profile incidents. Then there's the growing number of state laws that require disclosure of data breaches and increasingly strict government regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), which mandates the security of credit card account information.

Yet, when it comes to encrypting stored files, databases, and backup tapes, it's just not as simple as flipping a switch from unencrypted to encrypted. Encryption technologies bring an additional layer of complexity as the cryptographic keys need to be managed and secured, and encrypted data is much more difficult for administrators to manage than data that is not encrypted.

"While it sounds easy to just simply encrypt everything, key management is not always that straightforward," says Eric Ogren, founder and principal analyst at security research and consultancy The Ogren Group. "Keeping track of all of the keys that are issued, revoking them when necessary, and figuring a way to store security store them isn't trivial."

There are a handful of vendors that provide encryption and key management appliances that aim to ease the management burden. For instance, keyAuthority from nCipher Corp. Ltd. , NetApp Lifetime Key Management from NetApp Inc. (Nasdaq: NTAP), and Vormetric Data Security from Vormetric Inc. help to automate key management and provide an audit trail of what storage devices are encrypted to ensure adherence to internal data security policies and government and industry regulations. Generally, these appliances reside on the network, store the cryptographic keys, and provide the encryption engine. When users attempt to access data, the appliance will authenticate the user, grab and decrypt the data, as well as provide audit-able logs of much of the process.

Recently, Metabank, a bank serving Iowa and South Dakota based in Storm Lake, Iowa, sought a way to better encrypt and protect sensitive information it maintains on customers, as well as credit card information as mandated by the PCI DSS. For instance, PCI DSS requires that credit card data be encrypted. It also requires detailed auditing and logging of all access attempts, and controls on those who are authorized to view or work with the data."To get to that level of encryption, we would have had to spend a significant amount of time managing the keys, making certain they're secured, and figure a way to have the logs necessary to prove our databases are encrypted," says Troy Larson, MetaBank's vice president of Information Systems.

Rather than attempt to do all of that manually, MetaBank chose to deploy Vormetric Data Security to encrypt SQL databases that store sensitive data as well as any PCI DSS-related data. "The system made our key management and encryption as simple as it can be. The keys are dynamically created, files and disks are encrypted, and everything is logged for our PCI compliance," he says.

Ogren says that these encryption and key management appliances can alleviate much of the burden associated with encryption and regulatory compliance rules, although he warns they might not be ideal for all environments. "While these appliances can transparently encrypt data, there is often a performance hit," he says. "You want to test these appliances as closely to your production environment as possible before you purchase."

Larson says he has yet to see any hit on performance. "We needed this for security and PCI compliance, and so far it's worked very well for us."