In the last twelve months we’ve seen some massive data security breaches in the United States. Here are the breaches with the largest numbers of customer records exposed to loss:
- Anthem (80,000,000)
- Home Depot (56,000,000)
- JP Morgan Chase (76,000,000)
- eBay (145,000,000)
- Target (70,000,000)
- LivingSocial (50,000,000)
The loss of private information on such a massive scale is every executive’s worst nightmare. In Target’s case, their CEO Gregg Steinhafel was fired in response to their loss of customer credit card information. While the financial penalties from a breach may be large, the cost of recovering from a breach may be larger.
The cost of exposing personal data
Many of these reports revealed that the compromised data was not encrypted. In the case of personal data, companies are required to notify every individual whose data was exposed. You can imagine the cost in the Anthem hack of notifying 80 million people and providing free credit monitoring and identity protection services to that many people. The main federal health privacy law of the 1990s, the Health Insurance Portability and Accountability Act, or HIPAA, encourages encryption but doesn't require it. However, where the law is not specific about encryption, the use of encryption could provide a “safe harbor” where notifications may not need to be sent out if the data is encrypted (check with your legal officer). The Huffington Post notes that “The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers.”
Regulations are converging on Encryption
Headlines like these are driving a greater awareness of the consequences of security breaches and data loss. The response is going to be laws and regulations that require the implementation of specific security measures and impose penalties on those who fail to comply. Pending EU data protection regulations may impose fines up to 1,000,000 Euros or, in the case of an enterprise, up to two percent of its annual worldwide turnover! While security demands a comprehensive approach that includes authentication and access control, role-based access, virus and malware protection, audit logging, resource partitioning, media sanitization, key management, as well as data-in-flight encryption and data-at-rest encryption, the industry seems to be converging on the need for encryption as the primary tool for data protection.
Why data is not encrypted
There are many reasons why companies have been reluctant to encrypt data. Among these are cost, performance impact, the cumbersome burden on day-to-day operations of managing keys and encrypted files, and the need to increase encryption strength as technology advances. Many choose to rely on perimeter defense to protect their data and assume that encryption of the data itself is not needed. Many of these concerns around encryption are outdated and have been addressed with recent advances in encryption and key management. Hardware encryption has eliminated the overhead of software encryption, and new encryption techniques enable encryption to be done in real time. Storage system capabilities like dynamic provisioning, resource partitioning, and the new Key Management Interoperability Protocol (KMIP) all help to relieve the impact on day-to-day operations. The new Advanced Encryption Standard (AES) with a 256-bit encryption key makes a brute-force attack far more difficult, since a computer would have to search 2^256 combinations, compared with the old Data Encryption Standard (DES) and its 56-bit encryption key.
Hitachi Data Encryption
Hitachi provides a unique approach to data encryption in our storage systems, which makes it very easy to implement and manage encryption of data at rest. Our Virtual Storage Platform G1000, Virtual Storage Platform, Hitachi Unified Storage VM, and Hitachi Unified Storage 150 provide a performance-friendly AES-256-XTS encryption capability on the back-end I/O modules. Hitachi uses the AES 256 encryption key as well as an XTS encryption key that incorporates the logical position of the data block in the encryption. This encryption method addresses threats such as copy-and-paste attacks, while allowing parallelization and pipelining in cipher implementations. While AES 256 XTS encryption will eventually be broken, this is unlikely to happen in the next 30 years. Hackers will find much easier ways to attack data systems than cracking AES 256 XTS encryption keys.
Hitachi’s implementation of encryption in the storage controller protects data at rest on any media that can be attached to the back-end module, including flash drives. While other vendors may use self-encrypting disks, installing self-encrypting disks will be more costly since it locks you into certain form factors, capacities and speeds. Encryption through the storage controller enables you to use your existing disks and gives you more flexible choices of media. The controller provides a unique encryption key for each individual piece of media internal to the array. Hitachi storage encryption capability is configured and monitored through the GUI-based Hitachi Command Suite and Storage Navigator management software. It provides role-based access control (RBAC) for the separation of duties, including enabling and disabling encryption as well as archiving encryption keys. Data can be encrypted or rekeyed using available storage controller functions for migration or tiering. When encrypted data is moved from one media to another or is deleted, destroying the old encryption key can shred the old media. All these activities are captured in internal logs, and the customer has the option of external audit logging of security events. Hitachi VSP G1000 raises the bar by offering the first security audit logging in accordance with the recently updated Syslog RFCs (IETF ‘Request for Comment’ standards) to ensure secure and reliable audit log transfers.
Shredding the old data is also important for protection of data. Encryption provides an extra measure of protection and confidentiality for lost, stolen, or misplaced media that may contain sensitive information through crypto shredding, the deletion of encryption keys. The DoD specification for shredding with a series of overwrites, using different bit patterns, can take time and storage resources, while crypto shredding just involves deleting a key. Overwriting is not effective for flash media since writes are always done to a new block. Since Hitachi storage arrays can encrypt any SSD or flash drive that connects to the controller, they can shred the data on flash drives through crypto shredding.
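Added example, not Hitachi's code or part of the original post: a Python sketch using the `cryptography` package that shows the two properties described above, XTS binding each ciphertext block to its logical position and crypto shredding by destroying a per-media key. The `EncryptedMedia` class, the 512-byte sector size and the sample record are assumptions made for illustration.

```python
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR = 512  # bytes per logical block (assumed size for this example)

def _xts(key: bytes, sector_no: int) -> Cipher:
    # The tweak is the block's logical position, so it enters every encryption.
    return Cipher(algorithms.AES(key), modes.XTS(sector_no.to_bytes(16, "little")))

class EncryptedMedia:
    """Hypothetical model of one drive behind an encrypting controller."""

    def __init__(self) -> None:
        self.key = os.urandom(64)  # AES-256-XTS: 256-bit data key + 256-bit tweak key
        self.sectors = {}          # sector number -> ciphertext as stored on the media

    def write(self, n: int, plaintext: bytes) -> None:
        enc = _xts(self.key, n).encryptor()
        self.sectors[n] = enc.update(plaintext) + enc.finalize()

    def read(self, n: int) -> bytes:
        if self.key is None:
            raise PermissionError("key destroyed: media is crypto-shredded")
        dec = _xts(self.key, n).decryptor()
        return dec.update(self.sectors[n]) + dec.finalize()

    def crypto_shred(self) -> None:
        self.key = None  # ciphertext stays on the media but can no longer be read

def demo() -> dict:
    record = b"constructed sample record".ljust(SECTOR, b"\0")
    drive = EncryptedMedia()
    drive.write(7, record)
    drive.write(8, record)  # same plaintext, different logical position
    results = {
        "read_in_place_ok": drive.read(7) == record,
        "same_plaintext_same_ciphertext": drive.sectors[7] == drive.sectors[8],
    }
    drive.sectors[9] = drive.sectors[7]  # ciphertext relocated on the raw media
    results["relocated_block_still_valid"] = drive.read(9) == record
    drive.crypto_shred()
    try:
        drive.read(7)
        results["readable_after_shred"] = True
    except PermissionError:
        results["readable_after_shred"] = False
    return results

if __name__ == "__main__":
    print(demo())
```

Only the in-place read succeeds: identical plaintext at two positions yields different ciphertext, a relocated block decrypts to garbage, and nothing is readable once the key is gone.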
Key management can be one of the more difficult aspects of data-at-rest encryption. As such, key management can become an impediment to using encryption, or worse, it can cause data loss due to operator error or lack of action. Recognizing this situation and fully understanding the applicability to storage, Hitachi has implemented its encryption feature such that little human intervention is required. This approach helps ensure that data is not compromised due to key mismanagement. Hitachi supports a simplified key management approach for key protection, backup and recovery for those organizations that do not have an existing key management infrastructure in place. For those organizations that have a formalized key management infrastructure already, Hitachi supports the Key Management Interoperability Protocol (KMIP). This protocol supports generation, backup and recovery of data encryption keys, as well as trusted source operations, and integrates with many key management products on the market today. We partner with the leading key management vendors Thales e-Security and SafeNet, who make it easy to deploy large-scale encryption solutions.
More than Encryption
Data security requires more than encryption. Once an attacker hacks the user’s credentials, ID and password, encryption is of little help. At Hitachi, we offer a set of solutions that address the requirements for data security at the storage management level. For a description of security features in our latest VSP G1000, please refer to this white paper.
Hackers are constantly looking for ways to exploit any vulnerability they can find to get access to data. Encryption of data at rest should be table stakes, especially when technology today makes it easy to encrypt data through storage controllers with little impact on performance, and when the integration of storage and key management tools through KMIP reduces operational complexity. You may not have a choice in the near future due to increasing regulatory requirements. The Payment Card Industry Data Security Standard (PCI DSS) already requires encryption of data at rest to ensure that all companies that process, store or transmit credit card information maintain a secure environment. After the Anthem hack, there is a movement to require encryption for HIPAA. Regulators around the world seem to be converging on encryption.
Shouldn’t data encryption be part of your defensive game plan today?