
When you talk about IT strategies, it is important to step back and ask what business problem you are trying to solve. Once you've clarified this, you can assess which tactics and tools can help you solve it. I would say that you don't really want a data encryption strategy, because data encryption isn't a business problem. When people talk about encryption, the business problem is usually this: I have sensitive data and I don't want bad people to read it. To dig into this business problem, here are some questions to ask:
The way in which bad people would get at your data determines which protection techniques to use. Encryption is great at protecting stolen disks or tapes, but it doesn't protect against people whose job requires them to see the data. In developing a strategy, standard practices are often a good place to start. Unfortunately, things are still pretty chaotic when it comes to protecting sensitive data. Everyone knows that you should have a firewall on your network, and locks on the doors of your data centre, but encryption is still new enough in the commercial world that there aren't really any standard practices yet.
On the other hand, the financial services industry – banks, brokers and insurance companies – is moving very quickly. I believe that encrypting backup tapes will be standard practice for these firms. Financial services and Fortune 500 companies are moving fastest, but I expect encrypting backup tapes to be the first step for many other firms as well. Backup tapes are especially vulnerable because they hold so much data, and because they are often sent offsite. After human error resulted in lost tapes at Iron Mountain, they began recommending that all of their customers encrypt backup tapes. In fact, they use and recommend our DataFort appliance, and offer an outsourced encryption service based on it. Right now, over 50 percent of our encryption business is encrypting backup tapes.
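The tape-encryption practice described in the last two paragraphs (encryption defeats a lost or stolen tape, but does nothing against someone whose job gives them the key), shown as an added example that is not part of the original article and not the DataFort product's code: a Go program using the standard library's AES-256-GCM. The key is kept apart from the tape image, the tape label is bound as associated data so one tape cannot be silently relabelled as another, and a restore with the wrong key, the wrong label or a single modified byte fails authentication instead of returning garbage plaintext. The type and function names (TapeImage, EncryptBackup, RestoreBackup, Leaks), the TAPE-0001 label and the sample backup content are all assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TapeImage is everything that physically leaves the building: the nonce and the
// ciphertext. The key is deliberately not part of it; it stays with the
// encryption appliance or key manager, so a lost or stolen tape is inert.
type TapeImage struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewTapeKey generates a fresh 256-bit key. In a deployment this happens inside
// the key manager; it is done here only so the example runs stand-alone.
func NewTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals one backup stream with AES-256-GCM. The tape label is
// bound as associated data, so a tape cannot be quietly relabelled and
// restored as a different one.
func EncryptBackup(key []byte, label string, backup []byte) (*TapeImage, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &TapeImage{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, backup, []byte(label)),
	}, nil
}

// RestoreBackup opens a tape image. A wrong key, a wrong label or a single
// modified byte all fail authentication; GCM never hands back garbage plaintext.
func RestoreBackup(key []byte, label string, img *TapeImage) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, img.Nonce, img.Ciphertext, []byte(label))
	if err != nil {
		return nil, errors.New("restore failed: wrong key, wrong tape label, or tampered tape")
	}
	return pt, nil
}

// Leaks reports whether a plaintext fragment is visible in the tape image,
// i.e. what whoever finds the tape could read with a hex editor.
func Leaks(img *TapeImage, fragment []byte) bool {
	return bytes.Contains(img.Ciphertext, fragment)
}

func main() {
	// Constructed sample backup content; not real data.
	backup := []byte("customer=ACME acct=1234-5678 balance=1000000")
	key, _ := NewTapeKey()
	img, _ := EncryptBackup(key, "TAPE-0001", backup)
	fmt.Println("account number visible on tape:", Leaks(img, []byte("1234-5678")))

	// The operator who holds the key restores normally: encryption does not
	// protect against people whose job requires them to see the data.
	pt, err := RestoreBackup(key, "TAPE-0001", img)
	fmt.Println("restore with key:", string(pt), err)

	// Whoever finds the tape without the key gets an error, not plaintext.
	otherKey, _ := NewTapeKey()
	_, err = RestoreBackup(otherKey, "TAPE-0001", img)
	fmt.Println("restore without key:", err)
}
```

The design point is the separation: the tape carries ciphertext and nonce only, and the key never travels with the media, so the offsite courier, the vault and anyone who finds a mislaid cartridge hold nothing usable. The same separation is why encryption is no answer to the insider problem from the previous paragraph: the backup operator with access to the key reads every tape exactly as before.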
Sometimes it makes sense to go beyond standard practices. One Wall Street firm we work with has a division that handles wealth management for super-rich people. The general manager concluded that their data was so sensitive that they should encrypt everything – disk, tape, optical, and so on. The risk to their business, if this data escaped, was just too high, and you could even imagine this being a competitive advantage for them.
Standard practices are different for different industries. In the intelligence world encryption has been standard practice – even legally required – for quite some time. The second biggest component of our encryption business is with various military and intelligence agencies. Standard practices also change over time. Right now Congress is considering legislation to tighten the requirements on protecting sensitive consumer data, and there are already dozens of state laws in place. There has been so much bad press, and so many new laws, that I believe most industries are still struggling to define what makes sense for their data.
For more information, please visit www.netapp.com.