Mention secure data storage to any IT security professional and there’s a strong chance they’ll either give you a quizzical look or, if they have experience in the area, might even cringe a little.
The reason for the cringe is simple – the massive increase in data volumes over the last few years has caused more than a headache or two among corporate organizations and service providers alike.
The problem, according to Jerome Lecat, CEO of Scality – a Paris-headquartered company that specializes in software to drive and control service providers’ unstructured storage systems – is it can take up to 24 hours to completely back up a one terabyte drive.
“When you are dealing in petabytes, as service providers do, you begin to see the scale of the problem”, Lecat says, adding that handling large volumes of data using conventional data file systems doesn’t work. This is where unstructured data storage comes into play.
Unstructured data storage is where the data is treated on a batched basis, with data typically stored in the cloud via service providers such as Amazon web services and Iron Mountain. These service providers store data as an object, which Lecat says can be a database or series of database blocks of many gigabytes, or even petabytes, in size, which are then mirrored in partial segments over multiple storage environments.
| "The weakest link on the security front isn’t the cloud – it’s the pipe between the enterprise or service provider and the cloud storage" |
| Gary Haycock-West, Blue Cube Security |
This translates in IT terms to waving goodbye to expensive RAID systems and saying hello to pay-as-you-use cloud data services, although, as Lecat points out, you still need interfacing software to control the object data storage.
Do enterprises understand the scale of the problem? According to Dave Gilpin, chief strategy officer with Sungard Availability Services, they certainly do, even though the constraining factor is not one of ‘how securely can we store our data?’ but more one of ‘how much do the solutions cost?’
Perhaps surprisingly, he says, enterprises are not always that concerned whether their data is stored in a data centre or in the cloud. What they are concerned about, however, is what audit and security best practices the ‘storage solution’ offers.
Like Scality’s Lecat, Gilpin says that large companies are now beginning to grasp the scale of the data storage issue they face. He adds that encryption – at the sub-system level to avoid any delays in data throughput – is not always seen as the answer.
“Encrypting data as it is moved around used to be an issue in terms of processing overheads, but that’s less of a problem these days. What clients tend to ask instead is ‘does your data storage offering meet the required regulatory standards?’ and ‘can I have access to the audit logs, please?’”, he says.
What About the Security Keys?
There’s an additional headache waiting in the wings if enterprises encrypt their data on-site before transmission to the cloud, or to the group’s data center. What about the encryption keys?
These are – quite literally – the key to a company’s data, so they need to be managed very securely indeed, and there is a whole industry that has grown up around key management. Then, says Gilpin, there is the level of audit logs and encryption that you apply to the data. “It’s not always about the level of security. In my experience with the police, for example, when they move electronic data around – which could be used for evidence in the courts – the first thing they query is the ‘validity’ of the data. Has it been altered or is it in the same state as when it was stored?”, he confers.
It’s against this backdrop that Gilpin says wherever there are large volumes of data that have to be stored securely, there has to be a trusted authority – someone, or some entity, that can certify that the data is secure and validate the data. “Whoever that trusted authority is, it then allows the user of the data to say to a third party: ‘My data security is validated by XYZ, so you can trust it is intact’”, he explains.
| "The problem I have with some of the lower-cost cloud services is that you don’t know where your data ends up" |
| Bob Tarzey, Quocirca |
Because of these issues, Gilpin says that clients are increasingly starting to ask for ISO27001 certification. ISO27001 specifies a management system that is intended to bring IT security under explicit management control and, because it is a formal specification, it mandates specific requirements. Because of this, organizations that claim to have adopted ISO27001 can therefore be formally audited and certified as compliant with the standard.
Over at Thales Group, the electronics and systems company, Richard Moulds, the firm’s vice president of strategy for eSecurity operations, says that encryption is now a watchword for secure data storage. Moulds, whose company is the UK’s second largest defense electronics group, with 8500 people in 40 locations, says that the desire for encryption on the data storage front is being driven by regulatory needs.
“Often it’s down to PCI DSS issues. The standard says you must encrypt your data, even though most experts agree that encryption is a very blunt instrument”, he says. “The Data Protection Act – and its equivalent across the European Union – is also driving the requirement for encryption. It’s one of the reasons why IBM and Sun have developed storage systems with encryption technology built in”, he says.
Processor Overhead?
Processor overhead, says Moulds, is not a problem when you build encryption into a storage sub-system at the CPU level. It makes it easier, he claims, to the point where you have zero processing overhead.
Even so, for many enterprises, he adds that the challenge is whether to turn encryption on or not, as the issue of key management – which Sungard’s Gilpin warned is a problem – rears its ugly head.
“Thales’ focus for clients is all about key management, as the encryption keys are the master key to all of a company’s data. You need access to the keys very quickly when something goes wrong, such as when you’re dealing with a forensics or data recovery situation”, he says.
If you lose your keys, he adds, then you lose access to your corporate data – and then you really have messed up.
He also tells Infosecurity that it’s this fear of ‘messing up’ that makes many IT security professionals very wary of encryption on the data storage front.
The Reseller Perspective
Most enterprises rarely buy their secure storage offerings direct from a security vendor or service provider, but look for impartial advice and, according to Gary Haycock-West, CEO of Blue Cube Security – who founded the systems integrator in 2000 after becoming disillusioned with the state of the IT security market – the data volume issue is something than can be easily countered these days.
“Enterprises have always wanted to handle data in their own data centers for a long time. But a growing number of corporates are now turning to the cloud environment, not just for storage, but also for their entire computing service”, he says.
“We’ve done that ourselves. We’ve moved from 27 servers to just two, with the bulk of our systems and services handled securely in the cloud. Now I’m working on getting rid of the remaining two servers”, he adds.
| "What clients tend to ask these days is ‘does your data storage offering meet the required regulatory standards?’ and ‘can I have access to the audit logs, please?’ " |
| Dave Gilpin, SunGard |
What about the security? Don’t enterprises look for security for their data storage before they move it all into the cloud? “Not an issue. It all comes down to a [security] tick list and how much it costs. If you meet the client’s needs on both of these issues, they will move their data into the cloud”, he replies.
It’s behind the scenes that Haycock-West says that secure storage is changing, with systems integrators putting together solutions for enterprises that are modular in nature. “You need to have a scalable solution, but if it is also modular, then it can handle the granular level of control that major companies – and even service providers – are looking for”, he says.
Perhaps surprisingly, he adds that enterprises and service providers are not as wary of the cloud when it comes to their secure data storage needs as they used to be.
“Most service-level agreements with cloud providers are all the nines [99.99%] these days. The weakest link on the security front isn’t the cloud – it’s the pipe between the enterprise or service provider and the cloud storage”, he says, adding that clients should be looking for leased lines and internet route diversity when pushing their data securely into the cloud.
Different Types of Secure Storage
Back in vendor-land, meanwhile, Erik Moller, executive vice president of HP’s EMEA operation, says that before an enterprise or large corporate looks for a secure data storage solution, IT management needs to work out what type of storage they actually need. “They need to differentiate between whether the data is being archived or whether it’s a back-up system”, he says, adding that, if is an archive, then speed of access is not always an issue.
“If it’s back-up, then [while] security is obviously an issue, it’s the speed with which you can retrieve that data” that really matters, he explains.
Working out what system you need, Moller says, involves classifying your data. Once you have classified what your data is, you can work out where it needs to be stored, how securely it needs to be stored, and, of course, how quickly you can get access to it when you really need to.
| "You need access to the [encryption] keys very quickly when something goes wrong, such as when you’re dealing with a forensics or data recovery situation" |
| Richard Moulds, Thales |
The implication here is that you can have the most powerful levels of encryption and authentication, with very high levels of audit logging and control, but these mechanisms are for nothing if the data cannot be accessed quickly.
It’s because of this issue that Moller tells Infosecurity that he and his team are starting to see the arrival of information managers and information security managers in many enterprises and major corporates. This, he says, is for the good reason that there are now quite stringent legal and regulatory requirements on data storage in almost any organization.
“This often goes beyond regulatory issues. Quite often, information managers must develop their secure data storage systems to cater for the need for electronic provision of evidence, where a court requires that facility”, he says. That’s not to say that an enterprise will ever need to provide that information. But it must be prepared to, if and when the need arises, he adds.
Perhaps the final word on secure data storage has to go to Bob Tarzey, service director with Quocirca, the analyst and research firm, who points out that it doesn’t actually matter whether a major corporate stores its data in its own data center, or in the cloud.
“The biggest problem is making that data safe – and proving that you’ve done so. The problem I have with some of the lower-cost cloud services is that you don’t know where your data ends up”, he says.
“It could be stored or even mirrored outside of the EU, which contravenes the Data Protection Act. And then you have to work out what happens when you delete your data. Does it really get deleted?”, he asks.
The cloud can be a cheap and ostensibly secure environment to store data, he continues, but the bottom line for most auditor and governance professionals is what is the provenance of the data?
It’s for this reason that Tarzey says that major corporates must encrypt their data before it leaves the network. Once it’s encrypted, he says, it doesn’t matter where it is stored, or what actually happens to it, if something bad happens.