Encrypting Data at Rest

Computerworld - Vincent Fusca trusts his staff. But he can't take any chances. It's all about the money.

As operations director at Dartmouth Medical School's Center for Evaluative Clinical Studies in Hanover, N.H., Fusca oversees the handling of nearly 7TB of raw medical data from the Center for Medicaid and Medicare Studies. Programmers aggregate and refine the data down to data-analysis sets that researchers use to publish some of the most comprehensive comparative medical research in the U.S.

Fusca isn't aware of any attempted or successful security breach involving personal medical information during his tenure at the center. But the Health Insurance Portability and Accountability Act (HIPAA) requires the center to safeguard patients' personal data, and ignoring the regulation could mean losing millions of dollars in research grants.

So two years ago, the center purchased two network appliance servers that keep data encrypted until researchers request the information on their secure desktops. The data is then sent on to backup tapes in an encrypted form.

"We want to ensure that we exceeded the levels of security required by HIPAA so we never place our funding sources in jeopardy," Fusca explains.

On the Radar

Like it or not, encryption will become part of most data at rest.

Companies of all sizes are exploring encryption because of a real threat of losing data or having it stolen, and because of government regulations such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and HIPAA, which require protection of Social Security numbers, credit card data and other sensitive information. While encryption isn't required, it can provide an easy, blanket solution.

"First, we had the market leaders. Now, we're getting the midsize companies realizing that personal confidential information regulation is there to stay," says Eric Ouellet, a privacy and security analyst at Gartner Inc. Ouellet says he saw a tenfold increase in customer calls about encryption technology beginning in January 2005.

Security threats aren't confined to the backup tapes stored at off-site facilities anymore, though last year's highly publicized losses of tapes belonging to Bank of America Corp., Time Warner Inc. and Citigroup Inc. put a spotlight on the need for encryption. Laptops and databases need encryption too.

Still, organizations are reluctant to use encryption. In the Ponemon Institute's 2005 National Encryption Survey, only 4.2% of the nearly 800 companies polled said they have enterprisewide encryption plans. The primary reasons cited for not encrypting sensitive or confidential information were concerns about system performance (69%), complexity (44%) and cost (25%).

It's true that encrypting tapes using some types of backup software increases backup times, consumes more storage space and costs more money. But those arguments may be losing steam. A dizzying assortment of products were introduced last year, promising to make encryption better, smarter and faster. The bad news: A single encryption method can't be used in moving data from a laptop to off-site storage in most cases. The good news: Decryption has become simpler, and backup times have improved significantly, especially when using encryption appliances.