EMC Deal Aimed at Securing Stored Data - Acquisition of RSA is Intended to Handle the Encryption of Tape and Disk Storage
EMC Corp.'s recent acquisition of RSA Inc. underscores the convergence of information security and storage. EMC, which sells large storage systems for use in corporate data centers, bought RSA—a manufacturer of encryption software and devices—to provide it with identity and access management technologies and encryption and key management software, which will help EMC deliver information lifecycle management.

RSA manufactures password tokens that companies can give to customers and employees in order to securely authenticate users; Bank of America employs these tokens in its SiteKey system for securing online access to banking applications.

EMC is looking to apply RSA's technology to securely encrypt data stored on disk and tape media. A passel of widely publicized cases of missing tapes containing Social Security numbers and other personal data has sensitized companies to the need for protecting information should it fall into the wrong hands. In addition, laws and regulations require banks and other financial institutions to institute policies for retaining, protecting, and accessing information. These policies are referred to as information lifecycle management. Automating those policies is a key objective of EMC and its customers, which comprise most of the Fortune 500 corporations. Information security officers have concerned themselves with securing data sent out over networks and across the Internet. Now they're turning their attention to securing data that's stored in data centers and archives, both on and off site.

"We're now seeing the same blending of security and storage as we've seen with security and networks," says Barbara Nelson, CEO of NeoScale Systems, which makes "appliances"--hardware devices that encrypt disks and tapes, and manage the keys needed to unlock data.

A survey last year by CompTIA, an IT trade association, found that protecting and securing data is the number one challenge in storage management. Security was cited as the top concern by one-third of storage management execs surveyed; management and administration of stored data was the second highest concern, followed by speed of access to stored data, and making data more accessible.

RSA’s encryption and key management technology is central to EMC’s strategy to directly protect information no matter where it resides within or outside of an organization, the company said in a statement.

The deal has drawn mixed reactions from analysts, with some questioning the fit between the two companies. Gartner, for example, says that EMC hasn't demonstrated a strong enough understanding of what's needed in the encryption market to be able to integrate RSA's encryption and key management tools into its products. It also says the deal could stifle RSA's forays into the consumer online security space, as exemplified by its acquisitions of Cyota and PassMark; PassMark's technology is the centerpiece of BofA's SiteKey system.

The criticisms underscore just how much information security officers need technology that lets them protect and manage stored data. There are basically two types of encryption technology: software and hardware. Software encryption is used primarily for large databases such as Oracle, which builds the encryption into its products. While software encryption works at the application level, additional technology is needed to secure data at the media level, e.g., disks and tapes.

That's where companies such as NeoScale come in; NeoScale provides not only the technology needed to encrypt data, but also the technology needed to access data and manage the keys used to encrypt and decrypt data. The technology is in the form of a hardware device that resides in a data center and supervises key management across a spectrum of storage devices located in the customer's facilities or at an offsite provider. "In any application, the pain point is key management," says Nelson. "Encryption is easy; it's making sure that it's operationally simple and nondisruptive that's hard."

Financial institutions are especially vulnerable to data security issues because of the severe regulatory fines and penalties to which they can be subjected, as well as the bad publicity surrounding a data leak. To guard against any breaches, companies need to take several steps, beginning with a vulnerability assessment conducted by an independent third-party assessment firm. Next, they need to focus on the endpoints where data is most vulnerable: the tapes and disks residing in data centers, as well as the media in departmental servers, laptops, and PCs. Merely encrypting data will be insufficient if authorized users are blocked from access due to faulty policies. That's the problem that EMC is looking to fix with its purchase of RSA.

