Having an ironclad hold on customer data

Storage vendors are pulling out all the stops to keep critical information from falling into the wrong hands.

For Hu Yoshida, Hitachi Data Systems' chief technology officer, driving home the message of the importance of storage security to customers, takes on a larger significance as he himself had been a near-victim of data theft.

Yoshida owns timeshares from Marriott Vacation Club International, which was in the news last month for losing customer data including personal information such as the credit card details, social security numbers and, in a few cases, the bank details of customers. Backup tapes containing data on approximately 206,000 customers were missing from a company office in Florida.

"I happen to own a timeshare with them in Newport Beach," Yoshida revealed in an interview with ZDNet Asia at HDS' headquarters in Santa Clara in January. Pointing out the spate of data leaks in the United States over the last year, including those at MasterCard International and Bank of America, he added: "Any company in the service business has information about individuals and will need to have data protection and privacy protection plans in place."

Now more than ever, companies need to look more closely at storage security, or risk landing monetary fines and prison terms, according to regulatory requirements, he said.

Jim Simon, director of marketing at Quantum Asia-Pacific, shares the same sentiments. "The hot trend this year is security, especially around the physical transport of data. For instance, what happens when you're moving tapes offsite? Companies have an obligation to protect the confidentiality of data."

A case in point
For Singapore-based life insurance company Great Eastern Life, having proper policies governing security, and procedures and technical standards to mandate mitigation controls that reduce the risk of physical loss or compromise of confidentiality of its customers' data, is paramount.

Ng Koh Wee, Great Eastern Life's executive vice president of IT, told ZDNet Asia over e-mail: "In our business, it is inevitable that some of the data needs to move outside of our premises to our banks, or to our disaster recovery center."

Best practices

  • Two-man rule: Make it a requirement for two or more officials to authenticate and authorize sensitive operations.

  • The compliance officer should maintain a failsafe backup copy of encryption keys and lead the process of authorizing data deletion.

  • Limit data access to employees or contractors that need certain data for their jobs. Eliminate "superuser" data access for system and storage administrators, using encryption and access controls.

  • For auditing purposes, security administrators should review user and admin logs to identify unauthorized data access and attempts.

    Such data, which typically include electronic payment deductions from Great Eastern's customers, are normally stored on tapes, Ng said. The insurance company engages a courier to deliver the tapes to their respective destinations.

    However, "the courier is only selected after stringent evaluation, and this is done in compliance with the Monetary Authority of Singapore's guidelines on outsourcing", said Ng.

    He further explained that when the tapes have to be couriered, they are locked in "proper containers" and the courier is not allowed to open these containers. There is also a process to sign off dispatch and receipt of these containers, and thereafter to reconcile the receipt of the tapes in the containers with those dispatched.

    "In this way, any loss, whether it is a whole container or a tape, can be detected," he added.

    Later this year, however, couriers will no longer be needed. Great Eastern will be sending all data electronically to its bank via secured links to its bank's systems, "thereby eliminating the courier as a possible point of loss", said Ng.

    Iron-clad protection technology
    For companies like Great Eastern that have stringent data security requirements, there are technologies that provide high levels of protection.

    For instance, to help companies preserve the integrity of data that they have archived on tapes, Quantum has added write-once, read-many (WORM) capabilities onto its tape drive products. "It's a compliance manager which ensures that once the data is written on the tape drive, it can't be written over again," said Simon.

    Quantum has also added a password-protection feature onto its DLT-V4 value range of tape drives. This is useful, said Simon, when you are trying to prevent unauthenticated users from accessing data that has been loaded to the tape.

    When the data has been loaded off to a tape cartridge that does not come with a password-protection feature, it can still be accessed with a third-party application like Veritas' NetBackup software, said Simon. "But if you password-protect the cartridge, you can protect the data from being accessed," he added.

    By the end of March, Quantum will add the password-protection feature to its high-capacity DLT-S4 drives.

    The recent spotlight on keeping data on physical storage devices secure has heightened the need for encrypting data.

    Storage security appliances, such as those provided by Decru, are becoming popular with organizations looking to encrypt and manage the security of data on networked-attached storage (NAS), storage area networks (SAN), direct-attached storage (DAS), and tape environments.

    Decru, which was acquired by storage vendor Network Appliance in June last year, has solutions that keeps data secure using encryption, access controls, authentication, and secure logging.

    Decru and NetApp have jointed developed a solution that lets organizations permanently delete primary and secondary data in accordance to compliance laws. The tool--Decru CryptoShred--instantly destroys copies of expired data regardless of physical location, and even sophisticated laboratory techniques cannot access the original data, claimed Pankaj Narayan, director of marketing at NetApp Asia-Pacific.

    Today, many large military and defense organizations are presently using Decru's CryptoShred solution, said Narayan.