On the Desktop
Data at rest now includes data on the desktop. The NIH's IT department is moving to desktop-level encryption. "Unfortunately, thefts occur inside, too," Rosen says. "Encryption is a fairly simple mechanism. The performance impact is minimal."
Children's Hospital Boston also encrypts data on the desktop, says Paul Scheib, director of operations and chief information security officer. "We do laptop encryption, and we try to limit what data can be stored on local machines," he says. "We don't have a sure way to stop people from writing from a CD drive, because they do have a business need to do it. The best you can do is put policies in place and educate people."
But desktop encryption resolves only one security issue, Ouellet says. "A lot of organizations have an onion-layer approach. To be able to get onto the storage environment, you have to go through a bunch of gates and barriers," such as ID management and network firewalls, he says. "That may, in fact, be good enough -- it solves the external data problem. But your storage environment is not addressed that way."
Key Management
For years, encryption users have been calling on security and storage vendors to offer better interoperability when it comes to managing the keys that actually control the encryption. In response, companies such as Microsoft Corp. now allow users to store the encryption keys for data held on other vendors' key management systems.
But key management will become more complex, experts say, as encryption finds its way into more and more storage devices, creating an avalanche of keys to manage.
Some industry standards are being developed, such as IEEE P1619, but they address tape encryption and not the storage environment. "We're seeing that move over to the self-encrypting drive [systems], but as far as the databases are concerned, they don't quite have a standard," says Ouellet.
For now, companies such as IBM and RSA Security Inc. provide some form of key management for external services, Ouellet says.
Industry watchers say that although companies aren't clamoring for encryption and storage security, adoption will remain steady. "There's a finite amount of resources available," Rosen says. "There won't be a huge rush to it -- but with [new hardware], everything is going to be encrypted."
Collett is a Computerworld contributing writer. Contact her at stcollett@aol.com.