To Encrypt or not encrypt
by Hu Yoshida on Jan 9, 2006
Lucas Mearian of Computerworld reported that ABN Amro Mortgage Group Inc. will no longer send data tapes to its credit reporting bureaus after one of its tapes went missing. The company’s CEO Thomas Goldstein is quoted as saying “the company will encrypt data and send it over secure networks when possible.”
That makes great sense: encryption to ensure data privacy, and transmission over secure networks for data protection.
HDS Security Architect Eric Hibbard adds some comments regarding encryption of data. Eric, who has authored security tutorials for the SNIA Security TWG (PDF), differentiates between encryption of data in flight and encryption of data at rest. He advises that sensitive or regulated data which is to be sent off site or to a remote location should be encrypted during the transfer process. Use encryption to protect the confidentiality of sensitive or regulated data, along with the access credentials for that data, while it is in flight. Encryption of data at rest should be done as a measure of last resort for primary data. Use extreme caution when encrypting data at rest, since data can be lost if the encryption key is lost or damaged. Long-term key management is critical for encryption of data at rest. Since encryption and decryption consume additional computational resources and affect response time, a data classification based on cost, risk, and accessibility should be done.
The SNIA Storage Security Industry Forum is a good resource for tutorials and white papers on storage security.
Comments (3)
Ludovic Leforestier on 12 Jan 2006 at 6:29 am
Hi Hu,
Maybe they should use their IBM zSeries mainframe and start encrypting their tapes then?
http://www-03.ibm.com/systems/systemz9/feature092705/
mike on 18 Apr 2006 at 11:35 pm
I have just read your blog. If you can’t decide what to do, check http://www.yaodownload.com/utilites/security-encryption/invisible-secrets-4/ to make your decision.
john on 14 Jan 2007 at 9:19 pm
Giant, cumbersome, multinational vendors growing via acquisition rather than service provision are giving the offsite tape storage industry a bad name.
There should be no need for encryption because no tape should ever go missing. Simple! Why should the client be punished for his supplier’s stupidity and neglect?




