No matter how much you trust your staff, you can no longer take chances with personal information on clients, patients or staff.
Vincent Fusca is operations director at a medical centre for evaluative clinical studies where he oversees the handling of nearly 7TB of raw medical data. Programmers aggregate and refine the data down to data-analysis sets that researchers use to publish some of the most comprehensive comparative medical research available.
While he isn't aware of any attempted or successful security breach involving personal medical information at the centre, regulations mean the centre must safeguard patients' personal data. Any loss of information or ignoring the regulation could put millions of dollars in research grants at risk.
So two years ago, the centre purchased two network appliance servers that keep data encrypted until researchers request the information on their secure desktops. The data is then sent on to backup tapes in an encrypted form.
On the radar
And like it or not, encryption will become the norm for most data at rest.
Companies of all sizes are exploring encryption because of a real threat of losing data or having it stolen, and because of government regulations such as the Sarbanes-Oxley Act, which require protection of sensitive information. While encryption may not be required, it can provide an easy, blanket solution.
Eric Ouellet, a privacy and security analyst at Gartner says he saw a tenfold increase in customer calls about encryption technology starting in January 2005
"First, we had the market leaders. Now, we're getting the midsize companies realizing that personal confidential information regulation is there to stay," Ouellet says.
Security threats aren't confined to the backup tapes stored at off-site facilities anymore, though last year's highly publicized losses of tapes belonging to Bank of America, Time Warner and Citigroup put a spotlight on the need for encryption. Laptops and databases need encryption too.
Still, organizations are reluctant to use encryption. In the Ponemon Institute's 2005 National Encryption Survey, only 4.2 percent of the nearly 800 companies polled said they have enterprise-wide encryption plans. The primary reasons cited for not encrypting sensitive or confidential information were concerns about system performance (69 percent), complexity (44 percent) and cost (25 percent).
It's true that encrypting tapes using some types of backup software increases backup times, consumes more storage space and costs more money. But those arguments may be losing steam. A dizzying assortment of products were introduced last year, promising to make encryption better, smarter and faster. The bad news: a single encryption method can't be used in moving data from a laptop to off-site storage in most cases. The good news: decryption has become simpler, and backup times have improved significantly, especially when using encryption appliances.
A successful encryption plan involves identifying the right data to encrypt, choosing only the encryption technologies that you need and managing encryption keys effectively.
"There is still no right way to apply encryption," says Jon Oltsik, an information security analyst at Enterprise Strategy Group. "It depends on what you perceive the risks to be and where the money is to solve the problem. Focus on figuring out one or two technologies that will take care of the biggest chunk of issues."