RealTime IT News

Storage: The New Frontier in Data Protection

ORLANDO, FL. -- Enterprises are at a "critical intersection," according to NetApp's Tim Russell: facing the task of balancing data regulatory mandates while simultaneously keeping IT costs down and service levels up.

That's the message that Russell, vice president and general manager of NetApp's storage security business unit, delivered during a morning session at Storage Networking World, the bi-annual storage conference taking place here this week.

While encapsulating the challenges now facing IT shops, Russell also said enterprises' balancing act may only get more precarious: Businesses need to meet growing user demand for data access while coping with a growing number of rules and regulations.

As a result, companies must realize that "perimeter" security approaches no longer work -- and have to adopt technologies like data encryption.

"The perimeter was once just the firewall, now it is moving closer to the storage environment," Russell said. "If you're not doing security there, you're going to have trouble because you're all letting more people into your networks and giving them more data access and security has to be in place."

Russell said one recent study found that 75 percent of all data loss incidents are tied to human error. He also said IT is responsible for 30 percent of "inappropriate" data loss -- ranging from misplaced memory sticks to failing to fully scrub data from laptops before disposal.

The comments echo growing concern over data security among IT professionals. The subject was cited as the top priority for 2008 by IT pros in a recent Enterprise Strategy Group study.

One reason that IT staffs have data protection on their minds is in response to a growing number of security and breach-notification regulations, forcing companies to shore up their efforts at safeguarding data.

"We see research that clearly indicates security breach notification laws are working and best practices in securing confidential data, whether it's active or stored, is helping to keep security tight," Russell said.

But, he noted, there is still a long way to go. Many enterprises aren't even using encryption technology, which he describes as the foundation of storage security.

State and national government here and abroad aren't obviously satisfied with company security approaches. Lawmakers in both the US and the UK are pushing new mandates into the pipeline. A privacy commission in England wants criminal offense penalties to be unlimited in scope for companies that suffer repeated and egregious breaches.

[cob:Special_Report]Massachusetts, for instance, recently adopted a new data breach law, making it the thirty-ninth U.S. state with such a regulation in place. When it goes into effect in October, the law will create new compliance obligations for companies when personal information about residents goes missing or improperly accessed or released.

Unfortunately, most businesses wait for a breach to happen before stepping up to the plate and protecting data, Russell said.

What many don't realize, he told his audience, is that not only do they risk brand-name damage and potential customer loss, they'll also pay more than just fines.

A Gartner study reports that a record breach can end up costing $90 per customer account -- which can be a hefty sum when hundreds of thousands of data files go missing. A Forrester report pegs the cost even higher, at $305 per record.

In comparison, Russell said, the expense of encrypting a customer data file is just $6 on average.

"There are significant costs for not protecting data," said Russell. "Encryption is the key and it can be done many ways, from the application to the storage level." Gartner, for instance, recommends enterprise combine database monitoring with media encryption.

Enterprises have to start asking themselves some serious questions, such as what are the internal and external risks, the potential damage if data was released, and when was the last time that access processes were reviewed.

Given the impending new rules expected, data protection and compliance programs have to be multifaceted with strong encryption and encryption key management in place.

"Our jobs will only be getting more difficult from a storage perspective. There must be a defense in depth," Russell later told InternetNews.com.