Tuesday, May 18, 2004

IT-Analysis.com - The importance of encrypting data in stora

IT-Analysis.com - The importance of encrypting data in stora: "The importance of encrypting data in storage
Monday 10th May 2004

Storage companies must be having a field day. It is estimated that around 80% of all business information is now stored in electronic form - all of which must be carefully and securely stored, not least to comply with the wide variety of legislation that has been passed recently, making us more accountable for the integrity of our business information.

Compliance with these regulations means that companies must be able to produce business records on demand, with different laws specifying different periods of time over which the data must be kept securely. This includes all sorts of records, from databases to informal e-mail systems.

But this information cannot be kept entirely secure unless it is encrypted and those encryption keys locked down in a totally secure hardware environment. Without encryption, it is perfectly possible for someone to take data and make copies - for example, a company database containing sensitive information.

Given that internal attacks make up anywhere from 50% to 80% of the security breaches encountered by companies, it is particularly important that companies take care to secure confidential business information away from prying eyes. Compliance with legislation is forcing companies to take a close look at their risk management procedures - and the possibility of an employee altering or deleting information, whether on purpose or not, is one that companies must take care to avoid.

Using computer forensics techniques available today, even files that have been deleted can be recovered, making it of great importance that companies should think of security when they dispose of their data as well - in much the same way that highly sensitive paper documents are fed through the paper shredder. Unless you are absolutely sure that you have software running to electronically dispose of data once and for all - covering all systems, storage mechanisms and all data that could be considered sensitive - the electronic equivalent of the shredder is encryption.

But ensuring security of information in storage is more than just encryption and secure disposal. It requires that complementary technologies be deployed in parallel - most specifically robust and secure access and authentication tools, as well as the capability to log activity. That way, you can be sure that information can be viewed only by those for whom it is intended.

At the recent InfoSec in London, there was a lot of noise around securing data in flight and keeping external attacks out. Many were pointing out that the mobile worker is a threat - but it is not just the communications networks that need securing. We need also to think about what happens when they are inside the organisation's business systems. Keep the doors locked and encrypt data at rest.
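The article's point that encryption is the electronic equivalent of the shredder, as an added example that is not part of the original article: each record is sealed under its own AES-256-GCM key, and destroying that key makes every surviving copy of the ciphertext unreadable. The in-memory `KeyStore`, the function names and the record id are assumptions for illustration; the hardware key store the article calls for would take the map's place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical stand-in for the hardware key store (an HSM in practice).
type KeyStore map[string][]byte

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)  // neither call can fail here: the key is
	aead, _ := cipher.NewGCM(block) // always 32 bytes and AES blocks are 16
	return aead
}

// Seal encrypts a record under its own fresh key: nonce || ciphertext || tag, id as AAD.
func Seal(ks KeyStore, id string, plain []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	ks[id] = buf[:32]
	return gcmFor(buf[:32]).Seal(buf[32:], buf[32:], plain, []byte(id)), nil
}

// Open decrypts a blob; it fails once the key is gone or if the blob was altered.
func Open(ks KeyStore, id string, blob []byte) ([]byte, error) {
	key, ok := ks[id]
	if !ok || len(blob) < 12 {
		return nil, errors.New("key shredded or blob truncated")
	}
	return gcmFor(key).Open(nil, blob[:12], blob[12:], []byte(id))
}

// Shred zeroes and drops the key, so every copy of the blob becomes unreadable.
func Shred(ks KeyStore, id string) {
	copy(ks[id], make([]byte, 32))
	delete(ks, id)
}

func main() {
	ks := KeyStore{}
	blob, _ := Seal(ks, "cust-42", []byte("constructed sample record"))
	Shred(ks, "cust-42") // copies of blob may survive on backups; the key does not
	fmt.Println(Open(ks, "cust-42", blob))
}
```

Disposal here is only as strong as control over the key: any copy of the key that exists outside the store defeats the shred.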
