The Year in Insecurity

2005 was a big year for storage and security -- between February and October, more than 50 million Americans had their personal information compromised, many from highly-publicized losses of unencrypted tape. Customers are now in the front line of a war to lock down as much corporate data as possible. (See Storage & Security: Marriage or Mismatch?, Data Security: None of Your Business? and Biz Continuity Not Always a Disaster.)

But, despite attempts to build encryption into storage products, CIOs have faced some real security curve-balls over the last 12 months, even the U.S government is getting nervous about protecting its masses of data. (See Ridge Issues Security Challenge.) So now, with 2005 winding to a close, what better time to time to chew over some of the key security trends of the year?

No. 5: Comply Or Die

IT managers and -- more importantly -- their bosses could be forgiven for viewing 2005 as a watershed year for regulatory compliance, and they enter 2006 under increasing pressure to lock down their data. The Securities and Exchange Commission (SEC) may have extended Sarbanes-Oxley deadlines for certain firms, but CIOs are now finding state legislatures breathing down their necks with a slew of new data privacy laws. (See SEC Extends Sarbanes Compliance and IDC: 'Users, Do Your Homework'.) Stiff penalties await those who fail to comply. Users, it seems, have still got more than enough on their plates when it comes to compliance. (See AMR Sees $6B in SOX Spending.)

Compliance stories from 2005 include:

No. 4: ID Lockdown

If you mentioned the term identity theft” to someone just a few years ago, chances are that you would have been met with a blank stare. Not any more. For IT managers, this means controlling who gets access to what systems is crucial.

But getting all the different technology pieces of this identity management jigsaw to work together is easier said than done and users are becoming increasingly frustrated by a lack of interoperability. (See CIOs Face Identity Crisis and Identity Management Heats Up.) Service provider Savvis Communications Corp. (Nasdaq: SVVS), for example, told Byte and Switch that it is forced to rely on a slew of different identity management products, none of which talk to each other. (See Savvis Cites Security Challenges.) While some may view that lack of interoperability as another security measure, it's poised to become an albatross for enterprises in 2006.

Identity management stories from 2005 include:

No. 3: Users Get Their BackupsConfronted with a growing number of security threats, businesses are being forced to do some serious thinking about their backup and disaster recovery plans. The Kansas City Development Corp., for example, told Byte and Switch that its backup strategy helped it survive a protracted hacking attack earlier this year. (See Kansas Hacking Prompts Changes.) Other users, particularly in the hurricane-ravaged southern U.S., had their own reasons for overhauling their backup strategies. (See Seeking SAN Ports in a Storm.)

2005 also saw growing momentum behind disk backup, thanks largely to some highly-public problems with tape, which we will come to later. (See Baptist Memorial Healthcare and Diskers Enjoying Tape Woes.) Shifting to disk-based backups may be easier said than done. Storage managers looking at the technology as an alternative to tape could find themselves in an uphill battle against the storage establishment. Often, installing a disk-based product means dealing with startups and making substantial changes to internal procedures. (See Disk Backup's in a Crunch.)

Backup stories from 2005 include:

No. 2: Encryption Dilemmas

There is no doubt that encryption holds the key to many of the security problems users face today. But, in the near term, it looks as if products that encrypt "data at rest" on storage gear are likely to be strictly proprietary. (See Encryption Standards in Slow Lane.)Essentially, it is still a problem for many users to adopt encryption in a way that not only protects data but ensures it's searchable and retrievable as needed. (See Building an Encrypted (But Accessible) Archive.) This is because different storage systems use different methods of handling encrypted data, even if they use the same kinds of encryption techniques inside the box.

The Institute of Electrical and Electronics Engineers Inc. (IEEE) is working to devise a standard way to encrypt data at rest in disk and tape devices and initial specs defining encryption key exchange between vendors, as well as a more streamlined way of handling of encrypted data. These are expected next year so we look forward to seeing whether this will solve users’ encryption dilemmas.

Encryption stories from 2005 include:

No. 1: Tales Of Lost Tape

Lost tapes had IT managers reaching for the Advil throughout 2005, with a number of firms hitting the headlines for all the wrong reasons -- even the holiday season has been marred by missing tapes. Earlier this week, for example, Marriott Vacation Club International confirmed that it had lost backup tapes containing data on 206,000 people. This followed high-profile storage snafus at Time Warner and Iron Mountain. (See Time Warner Talks About Lost Tapes.)It's not just tape that is making firms look vulnerable. A number of organizations, including ChoicePoint Inc. , LexisNexis and Ford Motor Co. have suffered high-profile security breaches during recent months. (See ChoicePoint Appoints Independent Exec and IT Managers Sweat Security.)

There is only one thing that is certain about this trend: Lost data equals bad press and irate customers. Yet, despite the warnings, many firms have been slow to address this problem, particularly where tape is concerned. (See Tape Security Trips Up Users,Disuk Issues Warning and Group Calls for Security Shakeup.) It's clear we haven't seen the last of this phenomenon.

Tape stories from 2005 include:

— James Rogers, Senior Editor, Byte and Switch