Small and medium-sized businesses (SMBs) are just as vulnerable to online attacks as larger companies but are often less able to defend themselves due to their comparative lack of security specialists and the lack of security features in the products tailored to their needs and budgets.
It is, analysts said, one of the few technology areas in which vendors have failed to keep up with the needs of smaller customers.
Security vendors such as Symantec Corp. have responded to demands from SMBs for more sophisticated IT by adapting their products
Storage vendors, however, have not built the ability to encrypt on-disk data into their SMB products despite the pressure on SMBs from federal regulations that require documented protection for sensitive data.
"Let's take a four-employee company that is offering investments and is building a fund to invest in other companies. They will be governed by the same rules and regulations as J.P. Morgan," said Tom Trainer, a senior analyst at Greenwood Village, Colo.-based Evaluator Group, Inc. "They have full requirements for encrypted data, longevity of data and quick recovery of data when e-discovery requests are made. It's not a whole lot different than the enterprise commercial account," Trainer added.
The remaining differences are fading as previously abstruse storage technology becomes more practical for SMBs – despite the increased risk they represent.
"NAS and iSCSI are far more susceptible to attack due to the fact that in most SMB environments these protocols ride on the same shared backbones as user desktops, backups, wireless access points, etc," said Richard Bocchinfuso, vice president and chief technology officer at MTI Technology Corp., an Irvine, Calif.-based VAR. "When I look at the SMB, the use of IP technologies and the lack of physical security make a strong argument for encryption," Bocchinfuso added.
Dan Molina, chief technology officer at Nth Generation Computing Inc., a San Diego, Calif.-based VAR, said companies are overlooking the ease with which new portable storage products can be stolen. Molina points to the recently introduced DS3200 and DS3400, or HP's StorageWorks All-in-One Storage System.
"It's easier for somebody to take the whole appliance because now you're dealing with a component that you can actually put in your car," Molina said. "Easily removable appliances like that need to be encrypted," said Molina.
Still, for the most part vendors have refrained citing a number of reasons such as increased costs, lack of customer demand and the belief that many SMBs don't face the harsh scrutiny that authorities require of larger companies. For these reasons, vendors said they have left encryption for SMBs to third-party vendors like Decru and Neoscale, but they do recognize the problem.
"It is not that the SMB space does not need encryption, the space may very well need it," said John Mansfield, vice president, product management at Hitachi Data Systems. "HDS did not "exclude" encryption, but rather we see encryption starting in the enterprise via specialized appliances then moving into the midtier with lower cost, standardized options."
Hewlett-Packard Corp. executives said they are waiting for customers to take the lead and are watching the rate at which encryption costs in storage fall over time.
"Encryption did not come out as a key requirement in focus groups," said Carlos Martinez, product marketing manager for HP StorageWorks Security. "The migration of encryption from the application level to the storage subsystem level is being addressed by HP and the industry, but we have not yet arrived at bulk encryption in every storage technology," Martinez added.
Instead vendors have enhanced their SMB products by offering increased speed, storage capacity, an expanded number of supportable operating systems, and added the ability to use either Fibre Channel or iSCSI, among other features. Encryption, it seems, is further down the road.
" We are going to have more to talk about later in the year," said Pete Koliopoulos, EMC's vice president, global channel marketing, confirming that encryption was not part of the plan for the CX3-10 – the latest addition to EMC's CLARiiON line – which is designed for midsized businesses. "You're going to see us coming out with more around the security side of things, and encryption is certainly something that we are looking at."
In their quest to provide adequate security, VARs and systems integrators have partnered with many security vendors as they seek to deploy a total solution for customers.
"There are so many moving parts that the education, analysis, design, integration and implementation effort is significant," Bocchinfuso said.
The hope is that there won't be a breach of security at an SMB customer site that may have a negative impact on VARs.
"I don't think the lack of embedded encryption is having a significant affect on the market. With that said, anything can change in the future," Bocchinfuso added.
At Nth Generation, Molina said 2% of SMB customers were asking for encryption on disk, with the overwhelming majority asking for encryption on tape.
Just this month IBM shipped the encryption-capable TS3400 tape library, which includes a Java encryption key manager to allows interoperability across AIX, i5/OS, Linux, HP, Solaris and Windows, for a list price of $30,000. However, such SMB offerings are rare, as vendors aim encryption at high-end customers.
IDC analyst, Charles Kolodgy, said there are plenty more examples of encryption offerings for high-end storage customers that have an understanding and policy on the encryption of stored data. For instance, Sun's StorageTek Crypto-Ready T10000 tape drive and IBM's TS1120 tape drive both have integrated encryption capabilities, and Seagate has created a laptop disk drive that can do full disk encryption.
"SMBs just aren't at the stage where they will pay extra for integrated encryption. In the future, as vendors begin to update their whole product lines, they will begin to integrate encryption into all of those products, "Kolodgy predicts. "But even then there will be a need to have strong key management which will definitely add complexity."
There are other problems that may surface when encryption is included in storage products, said Michele Borovac, director of marketing at Decru, a NetApp company based in Redwood City, Calif.
For one thing, embedded encryption doesn't enable support for heterogeneous environments -- what works well on one vendor storage device may not work on another. Borovac also said many storage vendors are new to encryption and key management and their solutions are not robust. Additionally, when a customer deploys many different encryption systems, then they must manage multiple key management solutions, causing confusion and adding cost when you're encrypting data that may be stored for months or years.
In the meantime companies like NetApp are happy with the security features they offer, but refrain from committing themselves to an encryption offering for SMBs, according to Sajai Krishnan, general manager at NetApp's SMB business unit.
"In addition to the advanced protection architecture available in the StoreVault S500, we are also looking at encryption. At this stage, there has not been a customer need or willingness to incur additional costs for this added feature," Krishnan said. "Future product revisions may incorporate encryption technologies, but only when our customer base becomes interested," Krishnan said.
Let us know what you think about this story; email: Nicole Lewis, Senior News Writer.