While the practice of encrypting sensitive data across the Internet has long been established, there is far less consensus on the value of encrypting data "at rest" in a SAN. Now, a new law in California could provide a decisive answer to that question.
The California state law, which is set to go into effect July 1, 2003, is intended to combat the alarming growth of identity theft. State legislators passed the law following an incident in April 2002 in which hackers gained access to the California state comptroller's payroll database. After getting past the perimeter security, the hackers easily rummaged through 265,000 employee records, including information such as bank accounts and Social Security numbers. The security breach wasn't discovered for more than a month, and it took another few weeks before the affected employees were notified.
The California SB 1386 legislation requires all state agencies -- as well as all businesses that collect personal information from California customers -- to either promptly disclose security breaches or face severe penalties.
So what does all this have to do with storage? According to the law, encrypted data does not qualify as personal information. That little provision in the law already has vendors of storage security devices and software giddy at the prospect of a booming market for their products.
According to Hari Venkatacharya, the senior VP of strategic business development at storage security vendor Kasten Chase Applied Research Ltd., the new law is already prompting a number of companies to consider encrypting their storage. The law, he says, "is scary for any company. But if you're encrypted, you don't have to abide."