EMC Security: Focus on the positive

This week, EMC Corporation announced a new security strategy and a corporate commitment to security moving forward.  The announcement outlined a few concrete steps like new professional services and partnerships, but either eschewed specific details or left them vague. 

Of course, this prompted my phone to ring off the hook.  What should we make of this new EMC strategy?  Why isn't EMC more specific about what it will do?

These questions are natural but in the ever-changing nebulous world of security, they are a bit off base.  The facts are these: Security is a mess.  The space is dominated by point solutions that don't integrate together.  No one vendor has all the security pieces to adequately protect enterprise companies.

Yes, EMC is talking vision not specifics but so are Cisco, McAfee, and Symantec companies with lots of security products, resources and skills.  Not one vendor can really do what is needed, that is protect critical assets AND information.  Again, there are pieces of the solution but not an integrated enterprise solution.  In this realm, EMC has as good a chance of reaching security Xanadu as anyone else.

We technology industry professionals are a cynical lot and I am no exception but sometimes its best to really understand what is being said instead of looking for what is omitted.  EMC's new commitment to security changes the rules in storage.  Henceforth, storage vendors had better integrate security into their development efforts, product designs, and go-to-market strategies.  Companies like HP, Hitachi, and Sun already do.

Kudos to EMC for bringing security to the big leagues of storage.  From now on, think "secure storage" and "secure ILM" or disregard security at your own risk.   

I'll give you 1.2 billion reasons to encrypt your backups

Here's the reality, plain and simple.  Since the ChoicePoint breach in February 2005 there have been 9 publicly-disclosed data breach incidents involving tape loss starting with the Bank of America on 2/25/05 and ending with Providence Home Services on 1/25/06.  These 9 incidents exposed the personal data of over 8.6 million Americans.

The best estimate of the cost per breached individual was done by the Ponemon Institute, a security research firm that specializes in data privacy.  According to Ponemon, the cost per breached individual is roughly $140.

Now do the math.  8,601,000 (# of Americans whose personal data was breached) x $140 (Ponemon Institute estimate of the cost per breached individual) = $1,204,140,000!

Does anyone need any additional reasons why they should encrypt their confidential backup data?

Welcome to SNW! Ignore storage security at your own risk!

This week is Storage Networking World in San Diego -- where the beautiful storage people come to meet.

In between the seminars, power lunches, and cocktail parties, I predict a lot more discussions around security than in past years.  Why?  Oh, I don't know, perhaps because there were 130 publicly-disclosed data breaches in 2005 potentially compromising the personal data of 55 million Americans.

In storage world, this new security religion generally translates into tape encryption but this misses the point.  Yes, a boatload of data breaches were the result of lost tapes but that is a DISCLOSURE issue not a risk issue.  The chances of breaching private data from a lost tape are about as likely Steve Duplessie winning an award as the industry's most understated analyst.  Slim to none.

So in between shrimp cocktails and sushi, I suggest that storage users and vendors do all they can to learn about issues like secure development, vulnerability scanning, patch management, secure communications, logging, role-based access control and key management. 

I know, this is a lot to swallow but get used to it.  Like the tides, security issues ebb and flow but never, ever goes away.