HP 3PAR StoreServ Storage with Encrypted Drives Closes Potential Loophole in Enterprise Encryption Strategies

Corporate interest in data encryption grows with each passing day as companies fret over third party attacks and stricter regulations. But a set of data that organizations may fail to encrypt – and which may be the easiest to access – is data stored on storage system hard disk drives (HDDs) and solid state drives (SSDs). By using encrypted drives on the HP 3PAR StoreServ Storage, organizations close this security loophole while ensuring data stored on these drives remains safe from prying eyes.

Corporate Interest in Encryption on the Rise

An extensive global study of over 4200 individuals in seven (7) countries on encryption performed by the Ponemon Institute found corporate attitudes toward encryption have noticeably changed since the mid-2000’s. While organizations have always viewed
their data as “critical,” in the last decade data has become the new corporate currency that increasingly separates and even determines business winners and losers.

As such, failing to protect their data from threats within and without puts the stability of a business at risk. Couple these threats with industry specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) and it is no surprise that corporate interest in encryption is on the rise.

These factors have led many to abandon ad hoc approaches to data encryption or informal plans that used to suffice. According to the study, enterprises are nearly twice as likely to have a formal encryption plan or strategy (29% in 2012 versus 15% in 2005) in place. While other security strategies are still necessary and important, encryption is in particular viewed as contributing heavily toward a company developing and presenting a “strong security posture.”

This Ponemon Institute study also found:

  • Nearly half of the respondents have deployed 4 – 6 types of encryption
  • Management standards and hardware security modules (HSMs) are becoming more important as a means of unifying and automating key management
  • The most significant threat to the exposure of sensitive or confidential data is employee mistakes
  • Concerns over inadvertent exposure outweighed concerns over actual attacks by more than 2:1 (57% to 25%)

Despite these multiple techniques that companies employ to encrypt their data they may still be leaving themselves exposed in an area where they are most vulnerable: their production storage system drives. These drives reside in secure data centers that are fortresses in their own right. However there are legitimate ways in which these drives may exit a building opening the door for the data on them to be accessed and recovered.

The Data Exposure Threat of Unencrypted Drives

Despite the stories in the media about enterprises having their data accessed and compromised by people on the outside, it may be the people on the inside that they need to worry about the most. Consider the following scenario:

A technician responsible for the maintenance and upkeep of computer storage systems is approached by a third party who offers to pay him a sizeable sum for a copy of a specific directory on the company’s file server. The technician does not have access to that directory but he does know on which drives that directory resides. Further, he also knows how to simulate problems on these drives such that the replacement of these drives would be the expected course of action.

Over the course of the next few weeks and months, he then fails the drives with this directory on them one by one. As the individual also responsible for replacing them, he cuts the appropriate change control records, replaces the drives and then hands them off to the third party. While the information in the directory may change slightly over this period, the third party acquiring these “faulty” drives can mount them and then access and read their data.

In this scenario, a company gives away its data and has even signed off on the process through its internal change control process. Even should this data resurface somewhere, it is unlikely the source of the leak would or could be traced back to the “failed” drives or the technician who replaced them.

While this may sound like a scene out of a spy novel, companies like American Semiconductor know it is not. It had its data stolen by a competitor who used it to build a comparable product and then sell it at a lower price. How its data was compromised is unclear. What is clear is this event led to American Semiconductor’s stock (Nasdaq: AMSC) dropping by almost 90% as it could not effectively compete in the marketplace.

Even assuming there is no ill will and a drive is legitimately reported as “failing,” most technicians will install a new drive and discard the “failed” one. However this faulty drive may still work. Should it somehow end up on the secondary market, the data on the drive could be accessed and read.

How often this occurs is anyone’s best guess but it can happen. A report published by the UK Information Commissioner’s Office in 2012 found that 1 in 10 drives on the secondary market contain highly sensitive information. In yet another study, the security firm Secarma recovered data from HDDs bought on eBay and were able to recover user logins, passwords and dissertation data from them.

Encrypted Drives: A Key Element of an Enterprise Encryption Strategy

These examples illustrate that companies may be inadvertently leaving a backdoor open to their data. This door can be easily shut by simply making encrypted drives a key element of an enterprise encryption strategy. By encrypting data on drives enterprises prevent inadvertent exposures of data. Further, passwords can be set by individuals other than the ones maintaining the storage systems so the data remains inaccessible to technicians that remove and replace drives.

Yet as organizations look to use encrypted drives, they should also preserve and/or put in place other best practices for protecting their data. For instance, drive encryption will probably not suffice should they replace an out-of-warranty storage system that has in that storage system, the data on them will remain accessible and readable. This still makes it essential
to erase and reformat these drives so they can be assured the data is not accessed.

A Comprehensive Encryption Strategy Begins with Encrypted Drives and HP 3PAR StoreServ Storage

The use of encrypted drives is only part of a total enterprise encryption strategy. However they serve an important role by ensuring no unencrypted data is accidentally exposed on any drives leaving a premises. Making this aspect of data encryption more appealing, it is simple and easy to implement as encrypted drives only need to be installed in storage arrays and then t
he feature turned on.

is where having the right storage array comes into play. Once drive encryption is turned on, the HP 3PAR StoreServ Storage goes the final mile and minimizes if not outright eliminates the performance impact sometimes associated with drive encryption. Its wide striping feature stripes data across multiple drives so the workload associated with encryption is spread across multiple drives.

The HP 3PAR StoreServ technique of spreading data across multiple drives coupled with drive
encryption makes the chances of recovering any breached data–much less any meaningful data– from a drive almost nil which provides the type of assurances that organizations want in an ever more insecure world.

Click Here to Signup for the DCIG Newsletter!


DCIG Newsletter Signup

Thank you for your interest in DCIG research and analysis.

Please sign up for the free DCIG Newsletter to have new analysis delivered to your inbox each week.