The two states are now mandating that companies encrypt
"The breach notification statutes usually say you don't have to notify consumers of a breach if your data was encrypted, but they don't define what that means," he says. Others simply say something to the effect that it must not be reasonably likely that the encrypted data could be read by an unauthorized party. "That implies some level of sophistication, but not like data protection schemes used at the National Security Agency," he says.
Furthermore, he notes, the Massachusetts statute seems to anticipate that companies may differ in their ability to comply. Thus it provides that:
"Whether the comprehensive information security program is in compliance with these regulations . . . shall be evaluated taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information."
Indeed, notes David Hill, analyst at Mesabi Group, "Mandating is easy, doing may be hard," especially for resource-strapped SMBs. For one thing, he notes, a lot of data is on mobile devices or in locations where it is difficult for SMBs to maintain full control, so achieving the kind of "in-place" encryption the state laws imply may be difficult.
Fortunately, notes Hill, existing or emerging technologies, some of them already built into familiar products, may offer some help. For example, many larger SMBs may be using LTO technology for their tape backups, and LTO-4 drives already offer encryption as a built-in capability. Hill also points out that the Trusted Computing Group (TCG), a not-for-profit organization that develops and promotes open standards related to security technologies, has a good approach for self-encrypting drives, and the large disk drive vendors are at various stages of bringing such drives to market. "The most sensible approach for SMBs is to introduce the new drives whenever there is a need to replace existing drives, either in the data center or on mobile drives," says Hill.
Of course, that kind of approach could take years to complete, leaving an organization exposed legally in the meantime.
So, says Hill, a quicker approach is to buy encryption software. But this can be challenging since it requires retrofitting existing disks with new software and making sure all devices are in compliance. Moreover, if the eventual goal is to move to TCG-compliant drives, this would introduce a hybrid mix that could be difficult to manage, he points out. Although not ideal, Hill says one approach might be to simply work on a triage basis, ensuring that the most sensitive information is the first to be encrypted.
Encryption key management issues
Yet another challenge, of course, is key management. Encryption brings not only the risk of losing keys through accident, mismanagement, or malicious acts, which can mean the permanent loss of the encrypted data, but also the cost of the extra time IT must spend to track and manage keys properly. However, Hill adds, key management is not that hard to learn, and any IT professional should be able to absorb it.
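The shape of the key-management problem Hill describes is easier to see in code. What follows is an added example, not code from this article or from any of the analysts quoted: envelope encryption in Go, in which every record is protected with its own data-encryption key (DEK), the DEK is wrapped under a long-lived key-encryption key (KEK) whose ID is stored beside the data, and a plain KeyStore map stands in for the HSM or key-management service that would hold the KEKs in practice. The KeyStore type, the key IDs, the record layout and the sample plaintext are all this example's assumptions. The point it makes is that only the KEKs have to be tracked and backed up, and that losing the one a record names leaves the data intact but unreadable until that KEK comes back from a backup copy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore maps a key-encryption-key (KEK) ID to key bytes: an assumed stand-in
// for the HSM or key-management service that would hold KEKs in production.
type KeyStore map[string][]byte

var ErrKeyMissing = errors.New("KEK not available: data is unrecoverable without a backup copy of the key")

// Record is stored beside the data: the ID of the KEK used, the per-record
// data-encryption key (DEK) wrapped under that KEK, and the payload under the DEK.
type Record struct {
	KeyID      string
	WrappedDEK []byte
	Payload    []byte
}

// RandomBytes draws n bytes from the OS CSPRNG; a 256-bit KEK is RandomBytes(32).
func RandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := RandomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, altered aad or altered ciphertext fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key length or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh DEK for this record and wraps it under the named KEK.
// The key ID is bound in as AAD, so a wrapped DEK cannot be relabelled to another KEK.
func Encrypt(ks KeyStore, keyID string, plaintext []byte) (Record, error) {
	kek, ok := ks[keyID]
	if !ok {
		return Record{}, ErrKeyMissing
	}
	dek, err := RandomBytes(32)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return Record{}, err
	}
	payload, err := seal(dek, plaintext, nil)
	if err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, WrappedDEK: wrapped, Payload: payload}, nil
}

// Decrypt unwraps the DEK with the KEK the record names. A missing KEK is the
// "lost key, lost data" case: the payload is intact but unreadable until the KEK is restored.
func Decrypt(ks KeyStore, r Record) ([]byte, error) {
	kek, ok := ks[r.KeyID]
	if !ok {
		return nil, ErrKeyMissing
	}
	dek, err := open(kek, r.WrappedDEK, []byte(r.KeyID))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Payload, nil)
}

func main() {
	kek, _ := RandomBytes(32)
	live, backup := KeyStore{"kek-2009-q1": kek}, KeyStore{"kek-2009-q1": kek}
	rec, _ := Encrypt(live, "kek-2009-q1", []byte("constructed sample record"))
	delete(live, "kek-2009-q1") // the production copy of the KEK is lost
	_, err := Decrypt(live, rec)
	fmt.Println("after key loss:", err)
	pt, _ := Decrypt(backup, rec)
	fmt.Println("from backup:", string(pt))
}
```

The main function walks the failure mode: it encrypts a constructed record, deletes the KEK from the live store, shows that decryption now fails with ErrKeyMissing, and recovers the data from the backup copy. The "tracking" part of key management is the KeyID field: because every record names the KEK it depends on, an administrator can tell which keys are still in use before retiring one, and scheduled key rotation becomes a matter of re-wrapping the small DEK under a new KEK while the encrypted payload is left alone.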
The challenge that may be hardest to meet is the overall cost of encryption hardware, software and staff time. "How can organizations find extra money in difficult economic times?" asks Hill. It is a question that has no easy answers, especially when some solutions can cost up to $90 per seat. Hill predicts that some businesses will simply try to ignore the problem. Those that are willing to be more proactive may take a tentative approach, taking some small steps to "show they are trying" but having little hope of really succeeding.
Gartner Inc. encryption analyst Jeffrey Wheatman says each one of the possible solutions comes with different pros and cons. "Our customers … have identified that encryption, while it does protect data, also leads to other issues such as key management problems and issues of integration between multiple encryption products." For now, he says, "Most of our clients are focusing on low-hanging fruit and/or the issues that the auditors are focusing on. In most cases this is around the subject of backup encryption."
Adam Hils, a Gartner analyst focusing on SMB security, also advises focusing on first identifying the data considered to be sensitive by statute. "The first step is data discovery," he says. Then, consider implementing data policies that restrict unnecessary access to sensitive data. This can narrow the encryption requirements substantially, he says.
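To make Hils's first step concrete, here is an added example of the kind of discovery scan an SMB could run before deciding what to encrypt. It is not code from this article or from Gartner, and the patterns, the file set and the sample contents are all this example's assumptions. It looks for two of the data elements the Massachusetts regulation counts as personal information, Social Security numbers and payment card numbers, filters out values that cannot be real (SSN area and group numbers the Social Security Administration does not issue, card numbers that fail the Luhn check), and reports only masked previews so that the scan's own output does not become yet another unencrypted copy of the data.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records where a hit was found and a masked preview of it. Only the
// last four digits are kept so the discovery report is not itself another
// unencrypted copy of the data it found.
type Finding struct {
	File, Kind, Masked string
	Line               int
}

// The patterns are this example's assumptions, targeting two of the data
// elements Massachusetts counts as personal information: Social Security
// numbers and payment card numbers (13 to 19 digits, spaces or dashes allowed).
var (
	ssnRe  = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// validSSN drops values the Social Security Administration never issues
// (area 000, 666 or 9xx; group 00; serial 0000), a cheap false-positive filter.
func validSSN(area, group, serial string) bool {
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// luhn reports whether a digit string passes the Luhn check used by card numbers.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// mask keeps only the last four characters of a matched value.
func mask(s string) string {
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Scan checks every line of every file and returns validated findings in a
// stable order (files sorted by name, then by line number).
func Scan(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, name := range names {
		for i, line := range strings.Split(files[name], "\n") {
			for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
				if validSSN(m[1], m[2], m[3]) {
					out = append(out, Finding{name, "ssn", mask(m[0]), i + 1})
				}
			}
			for _, m := range cardRe.FindAllString(line, -1) {
				digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
				if luhn(digits) {
					out = append(out, Finding{name, "card", mask(m), i + 1})
				}
			}
		}
	}
	return out
}

// SampleFiles is constructed input for the example, not real data: one real-looking
// SSN, two that cannot exist, a phone number, one Luhn-valid test card number and one
// that fails the check.
var SampleFiles = map[string]string{
	"hr/employees.csv": "name,ssn,start\nJane Doe,123-45-6789,2008-03-01\nJohn Roe,000-12-3456,2009-01-15\n",
	"it/notes.txt":     "ticket 987-65-4321 closed\ncall 617-555-0100\n",
	"sales/orders.txt": "order 4471 card 4111 1111 1111 1111 exp 11/11\norder 4472 card 4111 1111 1111 1112\n",
}

func main() {
	for _, f := range Scan(SampleFiles) {
		fmt.Printf("%s:%d %s %s\n", f.File, f.Line, f.Kind, f.Masked)
	}
}
```

Run it and the only hits are the SSN in the HR file and the Luhn-valid card number in the orders file; the numbers starting 000- and 987-, the phone number and the card number with a bad check digit are all dropped. In practice the file list would come from walking the file shares and laptops the business actually has, and whatever turns up is both the data to lock down with access policies, as Hils suggests, and the first candidate for the triage-style encryption Hill describes.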
"Another strategy for SMBs is to use service providers for services such as email and storage and insist that they meet the new encryption mandates," he adds.
If you are going it alone, Hils says, "try to get encryption capability as part of a suite rather than adding a best-of-breed solution; this will simplify your infrastructure." Furthermore, he notes, some hardware products have "unadvertised" encryption capabilities already built in that can be turned on when required -- suggesting that talking to your existing suppliers could produce happy results.
Still, no matter what approach you adopt, challenges will remain. Wheatman says the consensus at Gartner is that even with a faltering economy the push for more encryption will likely continue -- and expand -- as more states follow the lead of Nevada and Massachusetts.
About this author: Alan Earls is a Boston-area freelance writer focused on business and technology, particularly data storage.