The other day I wrote a blog entry that said encrypt your tapes but not your disks. My fundamental premise was that encrypting data at rest in your disk drives only protects from the thing that will never happen: someone walking out with an entire disk array under their arm. Single disk drives yanked out of the array (more likely) were not going to be any use to anyone even if you didn’t encrypt them.
Turns out I was wrrrmph.
Turns out that the most sensitive data is probably very recoverable from a RAID-ed disk drive. A whole lot of 1K database rows can be stored in a 64K block of data stored on an individual disk drive in a parity-protected disk array. (See the comments from my previous post for details.) And it turns out that you can’t degauss hard drives and return them, so there’s also the exposure of what happens when you return a disk drive to the manufacturer.
I was wrong about the risk, but I still think there are bigger fish to fry in the datacenter. Sticking with just my world, we’ve got companies that:
- Don’t copy their backups (they keep only one copy of every disk or tape they make)
- Don’t send their backups offsite
- Wait a week or two before sending their backups offsite
- Don’t back up their laptops
- Back up their remote offices using tapes that aren’t copied and/or aren’t ever sent anywhere
If you’ve got data that isn’t being backed up and isn’t being stored in a different location than it was backed up, you will lose data. This isn’t a “maybe some guy might steal a disk drive and if he does he might be able to read some data on it.” Every company in the world has lost a disk drive somewhere in their environment. I’m a very small company and I lost four this year alone.
The number one reason people telling me they’re on the list above is money. So my point is that if you’re spending money on encrypting your disks, but you’re not backing your stuff up in the first place — you’ve got your priorities all wrong.
I have the same opinion when I see people spending money make their backup server highly available, but they don’t have money to make a second copy of their backups. Who cares if your backup server goes down for an hour? It’s a big deal, but the only app that’s down is backup — not production. But the chances of you losing data because you had a failed tape and no copies is much higher. Save the money on the HA software for the backup server and spend it on something that actually makes your backups better.
I also think you can minimize this risk by doing a few things, all of which are cheaper than full disk encryption:
- Strong physical security in the data center. Plenty of good things you can do.
- Video surveillance in the data center
- Identify really sensitive data and encrypt it in the application
- Strong physical security (locks) on the disk arrays themselves. Prevent someone from grabbing a disk drive.
- Monitoring on same. If a disk drive is taken, you should be immediately notified.
Like I said, there are lots of things you can do (and should do) that don’t cost near as much as full disk encryption and most of which you should be doing anyway.