While you might be tempted to orient the encryption discussion around the ramifications of not adhering to compliance regulations, don't go down that road. Most often, the argument won't work. Many customers take an "it can't happen to me attitude" or explain that they are doing what their organization's legal counsel has advised, which can either end the discussion or send you down the hall to see the corporate attorney.
So, instead of spending time citing facts and figures about compliance, make encryption an IT issue. Most IT professionals will agree that data leaving the building needs to be in an unreadable fashion, and they know that data is leaving their building.
The obvious example is tape. If the customer is shipping tape off-site, they need to be encrypting that tape to make it unreadable. This can be done via tape drives with native encryption, like LTO-4 format drives, or by implementing a stand-alone appliance -- like those from NetApp or Thales -- that encrypts data regardless of the tape drive used. The stand-alone appliance uses a common encryption method across differing tape formats.
The next example is user data leaving the building. While this is mostly a network and building security issue, but storage resellers can apply laptop data protection to secure local data. Once the data is successfully backed up, your customer can use technologies like Spearstone's DiskAgent to perform a remote wipe, or they can enable on-device authentication with destruct-on-failure capabilities via another utility.
The issue of user laptops leaving the building also can naturally lead to a discussion about a virtual desktop infrastructure. While mobile capabilities have long been a shortcoming in VDI products, Citrix and VMware are rapidly closing that gap, with the ability to access VDI resources while offline, though the products differ in their implementations.
VMware View and Citrix XenDesktop allow admins to store all user data locally on the SAN. If a laptop is stolen or lost, a remote wipe can be performed. And, they'll be able to get that user back up and running the moment they can find another desktop or laptop and connect to the Internet.
Finally, let's talk about storage in the data center. Many storage managers will push back on encrypting this data. That's because once a user authenticates into the network, most encryption is defeated.
What they often fail to consider is the threat posed by data center storage -- rather than just the data itself -- leaving the building. And data center storage does leave the building, typically in two scenarios: when a drive has died and needs to be sent in for return, and when an array is decommissioned.
In both cases, there is real data on those drives, and people who really know what they're doing can pull data from a single drive that used to be in an array and find things like Social Security numbers. Worse than that, decommissioned arrays that end up in the trash or on eBay carry the complete data set.
Both of these scenarios can be addressed quickly and easily with encryption. This can be done at the drive level (companies like Seagate offer encrypted drives) or at the SAN switch level (companies like Brocade have encryption blades that plug into its SAN switches). In either case, simply remove the encryption key from the drive or the array, and the data is totally unreadable.
Focusing on fines and jail time in your discussions with customers will end up making storage encryption a long, hard sale. But if you instead address the issues that really affect them, it becomes an obvious project for them to embark on.
Here is Kevin Beaver's story on storage encryption:
Storage encryption essentials
The assumption that firewalls, file permissions and passwords provide enough security without the additional overhead of storage encryption is no longer true. There are plenty of opportunities for secure storage systems to be compromised by forces both outside and inside your organization. Storage-area networks (SANs), network-attached storage (NAS) and direct-attached storage (DAS) systems are goldmines of sensitive information waiting to be exploited.
Here are some tips to help you begin a storage encryption project in your organization.
Getting started: Identify your weaknesses
There a few things you need to think about before you get started with storage encryption. First, determine your current data storage weaknesses -- you can't protect what you don't acknowledge.
Read the rest of Kevin's story about storage encryption.
About the author
George Crump is president and founder of Storage Switzerland, an IT analyst firm focused on the storage and virtualization segments. With 25 years of experience designing storage solutions for data centers across the United States, he has seen the birth of such technologies as RAID, NAS and SAN. Prior to founding Storage Switzerland, George was chief technology officer at one of the nation's largest storage integrators, where he was in charge of technology testing, integration and product selection. Find Storage Switzerland's disclosure statement here. This was first published in October 2009
This was first published in October 2009