Published: 16 Feb 2017
At one time, corporations protected sensitive information mostly with steel doors and keypads on the wall. Security challenges are now more virtual, and the potential consequences are much more damaging. The growing cyber-crime threat is forcing organizations to take a closer look at their data center security.
Encryption is being more widely adopted for data security, but it brings many challenges -- especially for businesses regularly creating new VMs and moving data between private and public clouds. "Corporations are trying to improve their security profiles, but we still see gaps: Their perimeters are leaky, and virtual machine data is often not encrypted," said Dan Blum, principal consultant at Security Architects Partners in Silver Spring, Md.
News headlines illustrate the tremendous risks. Yahoo's disclosure that 1 billion customer accounts may have been breached is the latest in a series of mind-boggling security hacks suffered by the world's best-known brands: Sony, Target, LinkedIn, eBay and Home Depot.
Cybercrime is big business. Hackers have adopted cloud computing and developed successful business models that quickly and easily generate lots of malware -- and revenue. Given hackers' sophistication and the inherent flaws in commercial software, chances are good that these attackers have already found their way past the virtual security gates protecting most -- or all -- enterprise systems, Blum said. With data volumes growing, information dispersed and systems tightly connected, it's impossible for IT teams to guard every possible entry point.
A flawed design
Data security methods' shortcomings begin with the design of IT systems. Encryption has been used to safeguard information as it moves from place to place, and firewalls ward off intruders at the perimeter. Little effort, however, goes into data at rest security, where IT administrators must guard information sitting on racks and drives in the data center. In fact, once files reach the data center, where they are falsely assumed to be safe, they typically live unencrypted and exposed. Few IT shops bother to lock down that information. A survey by Skyhigh Networks found only 9% of cloud providers encrypt data stored at rest.
Spurred by the high-profile breaches, data security policy has begun to change. Businesses have been revamping their data at rest security processes in a couple of ways.
First, they have segmented their information. For instance, the Payment Card Industry standard mandates that financial services companies sequester and encrypt credit card information.
In addition, organizations have added more granularity to system permissions. In the past, the role of system administrator earned an IT professional the right to look at any information in any application. Not surprisingly, hackers focused on grabbing those credentials once they wormed their way into a network. Armed with those privileges, they sought out the most valuable information in a data center.
"Rather than an all-powerful system tech, enterprises are crafting a variety of privileges," said Brian Lowans, principal research analyst at Gartner. As a result, the system administrator overseeing the human resources benefits application cannot access customers' credit card information.
A second change is the growing use of encryption to provide data at rest security. One driver here is the number of compliance regulations.
"Encryption is a get-out-of-jail-free card for businesses," said Security Architects' Blum. "If a break-in occurs, and the data is encrypted, it is less likely that a company will be fined."
Organizations also have more options available to encrypt sitting information. Specialists, such as Gemalto, Sophos, Vormetric and WinMagic, offer sophisticated encryption products. In addition, infrastructure suppliers are baking encryption functions into their core systems. Microsoft has been using Bitlocker, and Amazon Web Services added encryption features to its Elastic Block Storage and Relational Database Service.
VMware, meanwhile, added encryption features in the recent vSphere 6.5 release. With these capabilities, encryption occurs in the hypervisor, beneath the virtual machine. As I/O comes out of the virtual disk controller in the VM, it is immediately encrypted by a module in the kernel -- before being sent to a storage system.
"What is helpful with the new release is we no longer have to worry whether the operating system is Linux or Windows when encrypting our information," said Ryan Fay, global CIO at ACI Specialty Benefits, a provider of employee assistance programs based in San Diego, Calif. that relies on VMware in its data center.
Taking on a tedious task
While the potential benefits of this data security method are enticing, deploying encryption is a complex, tedious and expensive task. Plus, it's one that IT departments with lots of user requests and limited funding have been leery of implementing.
"In theory, full encryption sounds great. But, in reality, it has been difficult for many businesses to deploy," Blum said.
Companies face a series of tradeoffs. Encryption adds system overhead and complicates routine tasks, such as system backup. ACI Specialty Benefits, which uses full encryption for data-at-rest security, has seen its data volumes grow. It works with 100 petabytes of information a day. As a result, backups now take 48 hours rather than 24 hours. As corporate reliance on IT systems for daily tasks grows, firms are loath to add the extra processing.
Cost also is an issue. "One corporation looked at adding encryption to 30 virtual machines," said Marco Alcala, CEO at Alcala IT Consulting in Los Angeles. "The price was $1,000 per VM, so they deployed it on only five VMs."
In addition, the tools provide broad-based encryption functions. Firms either encrypt all of their information or none of it. Since encryption chews up processing cycles and requires a fair amount of integration work, businesses often do not want to encrypt all of their data. Why encrypt generic, monthly HR PowerPoint presentations?
Encryption overload is avoidable, but it requires granular encryption credentials -- a tedious chore. IT needs to craft data security policies that put checks in place for certain types of information. (Generally, this calls for more checks for more sensitive information.) The next step is to program the encryption software to provide access keys to individuals with the proper credentials so that they can access needed information.
Strengthening a weak link
The goal of any data security policy is to protect sensitive information, but such data is used in myriad ways.
"The user is the weakest link in the security chain," said Gartner's Lowans. Workers could download confidential information onto a removable disk, which may not encrypt information. Or they may forward data to their home PCs, again leaving sensitive information unprotected. Businesses can put checks in place to prevent such actions, but that step requires more integration and customization work -- along with more expense, more processing requirements and more system complexity.
It's not just users transferring data to unsecured locations. Encrypted data requires access keys, and the more users -- or services -- with encryption keys, the more access points exist for hackers to target. This creates a protection gap.
ACI Specialty Benefits, which provides wellness, concierge and student benefit services to corporations, has taken on the work. One service helps businesses identify overweight workers and develop nutrition and exercise programs for them.
The firm has 60,000 contract employees working with various companies. To comply with regulations in the U.S. Health Insurance Portability and Accountability Act (HIPAA), the firm needs to sequester personal health information. "We use separate VMs for each client," Fay explained.
Managing encryption keys is challenging. The most crucial element is the password or identifier that unlocks information. Hackers target these. As a result, key-management systems need to have processes in place to rotate and delete keys, so that no single key stays in use indefinitely and an intruder who obtains one has a narrower window to exploit it.
Also, once the data is encrypted, it can be lost. Users will forget their passwords, and software will malfunction. The encryption system is designed to make it difficult -- ideally impossible -- to replicate keys. So, in such cases, recovery is unlikely.
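As an added illustration of the granular-policy point made earlier and the key-rotation and key-loss points just above (this is example code, not from the article or from any vendor it names), here is a small Python model of envelope encryption: one data key per client VM wrapped by a versioned key-encryption key (KEK), a classification table deciding which records get encrypted at all, rotation that rewraps the data keys without touching stored records, and the unrecoverable state that results when a KEK is deleted before rewrapping. The HMAC-based cipher, the policy table and the client names are constructed stand-ins; a real deployment would use AES-GCM and a KMS or HSM.

```python
import hmac, hashlib, secrets

# Data classes that must be encrypted at rest (assumed policy table, not from the article).
ENCRYPT_AT_REST = {"phi": True, "pci": True, "hr-generic": False}

def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode: toy keystream standing in for AES-GCM
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, data):  # returns nonce || ciphertext || HMAC tag (encrypt-then-MAC)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class EnvelopeStore:
    """One DEK per client VM, wrapped by a versioned KEK; rotation rewraps DEKs, not data."""
    def __init__(self):
        self.keks = {1: secrets.token_bytes(32)}  # version -> KEK (a KMS or HSM would hold these)
        self.current = 1
        self.wrapped_deks = {}                    # client -> (kek_version, wrapped DEK)
        self.records = {}                         # (client, name) -> (is_encrypted, bytes)
    def _dek(self, client):
        if client not in self.wrapped_deks:      # first use: mint a DEK, wrap it under the current KEK
            dek = secrets.token_bytes(32)
            self.wrapped_deks[client] = (self.current, seal(self.keks[self.current], dek))
        ver, wrapped = self.wrapped_deks[client]
        if ver not in self.keks:                 # KEK deleted before this DEK was rewrapped: data is gone
            raise LookupError(f"KEK v{ver} for {client} no longer exists; DEK unrecoverable")
        return unseal(self.keks[ver], wrapped)
    def put(self, client, name, classification, data):
        encrypt = ENCRYPT_AT_REST.get(classification, True)  # unknown classes default to encrypt
        self.records[(client, name)] = (encrypt, seal(self._dek(client), data) if encrypt else data)
    def get(self, client, name):
        encrypt, blob = self.records[(client, name)]
        return unseal(self._dek(client), blob) if encrypt else blob
    def rotate_kek(self):  # issue a new KEK version and rewrap every DEK; stored records untouched
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        for client, (ver, wrapped) in list(self.wrapped_deks.items()):
            dek = unseal(self.keks[ver], wrapped)
            self.wrapped_deks[client] = (self.current, seal(self.keks[self.current], dek))
    def delete_kek(self, version):  # safe only after rotate_kek() has rewrapped every DEK
        del self.keks[version]
```

Because rotation only rewraps the small per-client DEKs, the petabytes of stored records never need to be re-encrypted; the ordering that matters is rotate first, delete the old KEK second.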
Another problem is that encryption tools can be incompatible with other applications. "One company found that its data encryption solution would not work with its desktop backup system," noted consultant Alcala.
To deploy encryption products successfully, an organization needs a stable application environment. Because of an emphasis on responding to customers in Twitter time (ASAP) and the growing use of Agile development methodologies, businesses constantly upgrade systems. Amazon Web Services, for instance, delivers new releases every 11.7 seconds.
Growing cloud concerns
Use of public cloud is growing. Gartner found that the infrastructure-as-a-service market has been growing more than 40% in revenue per year since 2011 and predicts it will continue to grow more than 25% per year through 2019. Moving data securely from private clouds to public clouds is challenging because system interfaces are often incompatible. Standards are being developed, but they are not widely -- or easily -- used at the moment.
In sum, it takes a significant IT investment to put all of the pieces in place to have robust encryption systems and policies that ensure data at rest security.
While improvements in systems like vSphere 6.5 tackled some integration issues, companies such as ACI rely largely on homegrown encryption. Such systems deliver desired performance, especially for information moving between private and public clouds. ACI currently dedicates 15 of its 75 IT staffers to encryption. Few other businesses seem willing to make that kind of commitment.
Securing information in a data center was simpler in the past. Now, information is scattered among dispersed, connected systems in a hodgepodge manner. Encryption is emerging as a technique for securing corporate data, but deploying it is a cumbersome, costly process.