“Missing computer disk spurs suit,” the newspaper reported. Not to mention “Missing disk, missing data.” Those headlines in the Report on Business on Feb. 4 sent shock waves through Canada’s IT community. Clients of ISM Canada, such as Investors Group Inc. and the Saskatchewan Ministry of Health, could not have been happy with the news that a hard drive holding personal data on hundreds of thousands of citizens and customers had gone missing. A class action lawsuit alleges that, among other misdeeds, the company was negligent in protecting confidential information.
Just hours after that news hit the street in Ottawa, Mac Brown, president of M4 Technologies, shook his head and pointed to a “black box” – a storage security hardware solution distributed by his company. “Had they deployed this,” he said, “fine, take the hard drive. It doesn’t matter” Brown’s black box “encrypts your data with 256-bit encryption,” he says. “When it is in transport to and from your user and your hard drive, it is encrypted so no one can read it. When it is sitting on your disk, it is encrypted. If someone steals the drive, and starts analyzing your data, they’ll read nothing but garbage.”
Along much the same lines, Mary Kirwan is watching the market for her company’s data security products grow.
Kirwan, senior director of business development with Kasten Chase Applied Research Inc., cites “a sense on the part of managers that now that there is so much data being stored . . . moving storage away from direct-attached, it is an increasingly large target.”
“In light of that, you want to make sure that your storage environment is as well protected as your network environment.”
Government computing power used to be focused on results, like printed cheques or hard copy reports. Now, each data centre has the potential to be a steadily growing node of corporate memory. Increasingly, planners, managers and executives are looking to their stored data as a way of developing new programs. As new ways of scanning, sorting and interpreting the data are developed, the value of the stored information grows.
However, as the ISM Canada incident clearly illustrates, security has not yet caught up with storage. When accumulated data outgrows direct-attached storage and evolves to networked storage, it can all too often wind up outside the security barriers that protect the corporate network.
As Brown says, “in terms of security, everyone is worried about the perimeter, the firewall. . . Everyone has intrusion detection so they are pretty secure. The problem is, most break-ins take place from within.”
Security measures, in Brown’s view, should protect the data and not just the networks that move it around. “That’s the final piece, and if it is all encrypted, no one can read it.”
As is often the case, technology created the problem and technology is being called up to solve it. As the world becomes more wired – and more wireless – more data is being created by more people using more – and faster – devices. Networked storage is one answer, but now it needs its own security retrofit.
“The reason these devices haven’t been in place before is that doing the encryption algorithm is very CPU-intensive,” says Brown. “To get your data on and off your disk would take seconds instead of microseconds. Users don’t like that delay.”
Which is why the new generation of chips allows encryption and decryption “on the fly” at speeds that end users can live with, if they notice any delay at all.
Although secure storage costs more, Mary Kirwan notes that “security managers will tell you that the numbers vary, from 2 per cent to 10 per cent to 12 per cent and perhaps more if you are in a hypersecure environment. (But) what we are finding in the last year or so is that security is acquiring more of a budget apart from the general IT budget.”
Kirwan also reports more interest from the public sector, in both government and military organizations with hypersensitive data.
Richard Bray is an Ottawa journalist who specializes in high technology. A former reporter and producer with the CBC, he is also a former editor of Ottawa Computes. He may be reached at firstname.lastname@example.org.