The State of Missouri Now Gives Organizations 48 Good Reasons to Encrypt Data Stored to Tape
An organization can come up with any number of reasons why it does not encrypt data stored to tape. Encryption is too hard or expensive to implement. The management of the encryption keys is too complicated. The business does not have the time or manpower to deal with encryption right now. These are all valid excuses for not implementing encryption. However, if storing sensitive data to tape remains a part of an organization's long term data management and retention plan, then the growing list of federal and state regulations means it can no longer ignore the need to encrypt its data.
Even in a challenging economic climate, most organizations will find that they need to encrypt data stored to tape because if they do not, they expose themselves to state and federal penalties that can outweigh whatever upfront and ongoing costs and time is required to implement encryption in the first place. Consider the following:
Of course, the big issue around encrypting tape has to do with managing the encryption keys. If you encrypt the data but no one (including you) can decrypt it, encrypting the data makes no sense. The good news is that managing encryption keys no longer needs to be as challenging because of some recent innovations that have occurred in key management appliances.
To help customers achieve that goal, Quantum recently integrated its Scalar Key Manager Appliance with its Scalar libraries so the management of Key Manager Appliance is now done through the Scalar library GUI interface. Using this interface, organizations can set policies that handle both the encryption of the data as it is stored to tape and the ongoing encryption key management. In so doing, it addresses one of the biggest objections to encrypting data stored to tape - the time and risk associated with managing the encryption keys.
It also offers a couple of new features that should further enhance its appeal to enterprise organizations. It is now offered in a highly available configuration so should either the primary or secondary appliance in the HA pair fail, organizations can still encrypt or decrypt tapes since the key database is synchronized between the two appliances.
Another important feature is that is can now import and export the encryption keys. This becomes valuable when an organization needs to send tapes to another facility (either its own site or that of an organization with which it does business). It can export the keys, store them to a thumb drive and send that thumb drive with keys separately from the tape so the keys can then by imported by the appliance at the other site and used to decrypt the data on the tape at the other site.
Organizations may not want to deal with tape encryption, but the addition of Missouri to the list of US states and territories now gives them at least 48 reasons to act sooner than later. The new integration between the Quantum Scalar Key Manager appliance and its Scalar tape libraries now addresses many of the concerns that organizations have around implementing and managing tape encryption. In so doing, Quantum offers organizations a better means to avoid the legal headaches and financial penalties that these new state laws introduce without imposing the internal penalty of having to manage the encryption process themselves.
Even in a challenging economic climate, most organizations will find that they need to encrypt data stored to tape because if they do not, they expose themselves to state and federal penalties that can outweigh whatever upfront and ongoing costs and time is required to implement encryption in the first place. Consider the following:
- All organizations store some sensitive data about their employees or clients
"Sensitive data" can take many forms: bank account numbers, credit or debit card numbers, driver's license number, health information and social security numbers are all examples of information that most organizations have in their possession in one form or another.
Storing this type of data to tape as part of an organization's archiving or backup practices does not necessarily mean it has to encrypt this data. However, if it does not, it must account for all of the tapes and the data on them should the organization ever be subject to an audit or review of its tape management practices. Encrypting data can eliminate concerns about lost or stolen tapes.
- Most organizations are subject to some federal regulatory guidelines
Banks, brokerage firms, credit unions, doctors' and dentists' offices, hospitals and payment processing firms are subject to the rules issues by different federal regulatory agencies. The problem that emerges is that some of these agency regulations are defined as "required" and others as "addressable".
For instance, HIPAA (Health Insurance Portability and Accountability Act) is designed to protect patients' medical records and is applicable to health plans, doctors, hospitals and other health care providers. It has a specific guideline that mentions encryption (pg 29) but it only classifies encryption as "addressable". Specifically it says, "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."
It is safe to say that any data that is ever outside of the control or has the potential to be outside of the control of these organizations should be encrypted. It is reasonable to assume storing data to tape would fall within these parameters and should therefore be encrypted.
- Almost every organization resides in a state or does business with a state that imposes civil penalties should sensitive data be compromised
The list of states that do not have civil penalties for the accidental, inadvertent or deliberate disclosure of sensitive data is now shorter than those that do. Missouri was the most recent state to join the many states (plus the District of Columbia, the Virgin Islands and Puerto Rico) that require notification when security breaches involving personal information occur. This leaves only five states (Alabama, Kentucky, Mississippi, New Mexico and South Dakota) that do not currently have laws on the books.When one looks at encryption from these different perspectives, it quickly becomes evident why an organization should encrypt its data stored to tape since it can eliminate much of the financial uncertainty and risk that exists with unencrypted data.
Even if an organization is located in one of these five exempt states, if it should happen to do business in any of the other states that do have these civil regulations, then it may still be subject to their laws regarding the management of the data that it possesses of the citizens of that state.
The risk that organizations run by not encrypting their data is substantial civil penalties imposed by the state in addition to whatever other legal costs they incur. For instance, the state of Alaska imposes a $500 civil penalty on an organization for each resident that was notified of a breach, up to $50,000.
Making the argument to encrypt data stored to tape compelling is that most states exempt organizations from needing to notify residents if the data on a tape that is lost, misplaced or stolen is encrypted.
Of course, the big issue around encrypting tape has to do with managing the encryption keys. If you encrypt the data but no one (including you) can decrypt it, encrypting the data makes no sense. The good news is that managing encryption keys no longer needs to be as challenging because of some recent innovations that have occurred in key management appliances.
To help customers achieve that goal, Quantum recently integrated its Scalar Key Manager Appliance with its Scalar libraries so the management of Key Manager Appliance is now done through the Scalar library GUI interface. Using this interface, organizations can set policies that handle both the encryption of the data as it is stored to tape and the ongoing encryption key management. In so doing, it addresses one of the biggest objections to encrypting data stored to tape - the time and risk associated with managing the encryption keys.
It also offers a couple of new features that should further enhance its appeal to enterprise organizations. It is now offered in a highly available configuration so should either the primary or secondary appliance in the HA pair fail, organizations can still encrypt or decrypt tapes since the key database is synchronized between the two appliances.
Another important feature is that is can now import and export the encryption keys. This becomes valuable when an organization needs to send tapes to another facility (either its own site or that of an organization with which it does business). It can export the keys, store them to a thumb drive and send that thumb drive with keys separately from the tape so the keys can then by imported by the appliance at the other site and used to decrypt the data on the tape at the other site.
Organizations may not want to deal with tape encryption, but the addition of Missouri to the list of US states and territories now gives them at least 48 reasons to act sooner than later. The new integration between the Quantum Scalar Key Manager appliance and its Scalar tape libraries now addresses many of the concerns that organizations have around implementing and managing tape encryption. In so doing, Quantum offers organizations a better means to avoid the legal headaches and financial penalties that these new state laws introduce without imposing the internal penalty of having to manage the encryption process themselves.
Leave a comment