While encryption products can improve security, they also introduce additional management tasks, especially for companies using multiple encryption products. Always include a strong key-management approach, including quorum-based recovery.
"Encryption products that don't provide a means of recovering keys are asking for trouble, particularly in a disaster recovery scenario where files may be lost or disorganized," Forrester analyst Galen Schreck wrote in a January report. "Quorum-based recovery allows a certain number of parties ... to present their credentials and recover encryption keys."
Also, tape libraries shouldn't have to maintain the mapping of encryption keys to tape volumes. It adds another point of management and complicates long-term key escrow.
It's also important to automatically replicate keys to an escrow service or tape library at a disaster recovery site for fast data recovery in the event that the originals are lost, Schreck says.
And don't forget the human aspects of key management, says Eric Ouellet, an analyst at Gartner. "You may actually have controls that already exist that you can leverage, like better authentication or better separation of duties, or better access control" with databases or applications, he adds. "If you focus on those areas, then you don't necessarily need to deploy encryption everywhere."
Employee access and separation of duties should be a top priority. "Maybe the encryption technologies work fine, but does someone have access to a file that they shouldn't have access to? Or do they have a key to get access to that data? If so, you've just compromised your system," says Ouellet.
What's more, systems administrators should not be system users, and auditors should not be able to grant themselves access or privileges. "Anything that would cause a conflict of interest would not be allowed," he says.
Storage: New Wrinkles 2006
Stories in this report:
- New Wrinkles in Storage
- Storage Package Overview
- Backing Up the Virtual Machine
- Sidebar: How Many Licenses?
- Battle of the Bulge
- Sidebar: Provisioning Pretender
- Sidebar: Thin Provisioning Explained
- Cruising Over Copper
- DIY Recovery
- Sidebar: A Comeback for Managed Storage Services?
- Data Points: Storage
- Safe and Sound
- Sidebar: How Long Will It Be Safe?
- Sidebar: Have a Key-Recovery Plan
- Sidebar: Encryption Decrypted
- Storage-free Zone
- The Storage Specialty
- Sidebar: Resume Gold
- Sidebar: Big Cities, Big Bucks
- Virtual Tape