A recently launched software package that integrates data storage with encryption and key management technologies may be a good option for companies looking for a single device that combines these capabilities, industry insiders say.
Dubbed EMC PowerPath Encryption with RSA, the new device was unveiled by Hopkinton, Mass.-based EMC Corp.
As its name suggests, it takes advantage of encryption technology developed by RSA Security Inc.
PowerPath protects against inadvertent loss of information due to personnel error, data theft through malicious attacks, and spoofing of the fibre channel – three of the most common causes of data loss.
“It was smart on EMC’s part to take advantage of RSA’s encryption technology,” said Heidi Biggar, data archiving and protection analyst at Enterprise Strategy Group (ESG), a research firm based in Milford, Mass.
She said the industry had been speculating on when such a combination would occur ever since EMC acquired RSA in 2006.
Encrypting “data at rest” or information stored in databases is an effective way of securing data from outside attempts to hack into a corporate network or even in-house breaches – whether intentional or accidental, according to Philip Barnes, senior research analyst at IDC Canada.
In the event a hacker gains entry to the network or should an employee accidentally release company data, the information can only be read by someone who has the key needed to decrypt the data.
Another method encrypts “data in flight” or data being transmitted.
Despite its obvious advantages, widespread adoption eludes encryption technology, said Barnes.
“In many enterprises, not all data is encrypted. You are more likely to see just pockets of encryption.”
One reason for that is not all data in the enterprise needs to be encrypted.
Companies reserve encryption for vital information such as sensitive client data, essential data used for legal or financial purposes and proprietary information.
Encrypting and decrypting data takes significant computing power which might otherwise be needed for carrying out other tasks.
Some companies are also hesitant to encrypt data because corruption or loss of the encryption key can prevent information recovery, the IDC analyst said.
PowerPath, however, is equipped with a management appliance configured in redundant pairs to mitigate failure or corruption, said Doc D’Errico, vice-president and general manager for the infrastructure software group at EMC.
“Redundancy ensures there is no single point of failure and eliminates the need to purchase additional devices to provide high-availability.”
The product also enables centralized management and scalability to support multiple hosts without the addition of other appliances.
Controls also enable managers to encrypt data at the database, file server and storage layers and provide the ability to set the volume of encryption to conserve computing power, D’ Errico said.
He said apart from protecting data from outside threats, the product can also effectively limit risk from within the organization.
“About half of the recorded data leaks stem from sensitive data being accidentally attached to outgoing e-mail or drives containing valuable data being discarded.”
By having data encrypted, companies need not worry should a sensitive data leave the network through an e-mail or in a device, he said.
The product also prevents non-authorized personnel and even data base administrators from viewing sensitive data within databases.
Recent studies by the Enterprise Strategy Group (ESG), a research firm based in Milford, Mass indicate that securing data independent of where it resides or how it is stored is a critical customer requirement.
“The risk of vulnerabilities rises as the amount of data being handled by organizations grow,” says Biggar.
The niche market for native encryption will include: financial institutions, government agencies, health agencies and organizations handling payment card transactions, Biggar added.
An ESG survey of Canadian and U.S. companies across various industry sectors indicates the majority are not confident of their security situation.
The consulting group, in October 2007, polled more than 200 network managers, IT managers and information security managers on their leading security concerns and practices.
The survey indicated that just 20 per cent – or one in five respondents –felt confident their data was adequately protected.
“Read the other way around, this means that 80 per cent of those polled have doubts about the degree of data protection they have,” noted Biggar.
Apart from increasing security threats, another driver for greater data security is the growing number of industry and federal information protection regulations.
According to the ESG survey the top five security regulations on the list of North American companies are: Health information regulations, 56 per cent; Sarbanes Oxley, 55 per cent; the U.S. Federal Information Security Management Act, 47 per cent; and the Personal Information Protection and Electronic Documents Act (PIPEDA); and, the Canadian privacy law, 41 per cent.
ESG also predicts that in 2008 more firms will start to purchase disk drives, processors, tape drives, file systems and databases that support native encryption.
As this happens, companies will begin demanding stronger centralized key management products to prevent the loss or theft or encryption keys.
Among the competitors in the market will likely be: Hewlett-Packard, IBM, nCipher, PGP Corp. and EMC/RSA, the research firm said.