Windows IT Pro Storage UPDATE--Protecting Data at Rest--May 2, 2005


1. Commentary
- Protecting Data at Rest

2. From the Community
- Any Uses for Old Backup Tapes?

3. New and Improved
- NetApp and VERITAS Collaborate on Disk-Based Data Protection
- Tell Us About a Hot Product and Get a T-Shirt!

4. Windows IT Pro Resources

==== 1. Commentary: Protecting Data at Rest ====
by Elliot King

Oops, they did it again. When Ameritrade announced that it had lost backup tapes containing personal information about 200,000 of its customers, there was a clear sense of--in the words of the famous New York Yankee pundit Yogi Berra--déjà vu all over again. After all, just 2 months ago, Bank of America revealed that it had lost tapes containing data for 1.2 million federal employees.

Although troubling on their own, these incidents are just two of what has become a steady stream of announcements from companies admitting that confidential information stored in their data systems might have been accessed in an unauthorized or illegal fashion. During one week in March alone, Boston College sent a warning letter to 120,000 of its alumni alerting them that an unknown hacker might have stolen their addresses and Social Security numbers; thousands of current, former, and prospective students, faculty, and staff at California State University, Chico, received a similar unwelcome announcement; and shoppers at 103 DSW Shoe Warehouse stores learned that credit card and purchase information had been stolen and was being used fraudulently. Just what is going on here?

Part of what's going on is the California Database Breach Act, also known in the world of regulatory compliance as California's SB 1386. Though much of the attention and analysis of the new regulatory impact on information technology has rightly focused on Sarbanes-Oxley compliance, SB 1386, which took effect in July 2003, could ultimately have an even more far-reaching effect on a broader range of companies.

The key provision of SB 1386 is that any business or agency that uses a computer to store confidential personal information about a California resident must immediately notify that individual upon discovering any breach of the computer system on which this information is stored. Failure to do so could result in civil actions and lawsuits.

Unlike Sarbanes-Oxley, which applies only to publicly held companies, SB 1386 applies to all companies regardless of size that have stored confidential information about even one California resident--either a customer or an employee. Clearly enterprises of all sizes must pay attention, as must companies that do business over the Internet or with California-based clients. Moreover, the sophistication of the computer system on which the data is stored makes no difference. Nor does using an outsourcing provider to store the data protect an enterprise from the legal consequences of a data breach.

Traditionally, security infrastructures have focused on two primary areas: protection of the perimeter and of data in transit. Firewalls, Intrusion Detection Systems (IDSs), and prevention systems have been designed to prevent unauthorized access to computer networks. And protocols such as Secure Sockets Layer (SSL) were used to encrypt data as it moved between different systems. Neither protection mechanism is now sufficient to protect you against liability for a security breach.

The growing number of public disclosures of information breaches has directed attention to the need to protect data sitting in storage systems, which is now called data at rest. Several approaches to protecting data at rest have emerged. One tactic is to install additional layers of security inside the perimeter, closer to the stored data itself. For example, several companies now offer appliances that can monitor and audit databases, issuing real-time alerts when they detect unauthorized activity.

On a second front, storage vendors are increasingly looking at encrypting stored information. For example, IBM recently added encryption to its Data Retention 550 (DR550) compliance-archiving solution by bundling IBM Tivoli Storage Manager 5.3 with it. A handful of smaller companies are also offering encryption solutions.

Encryption, which could help companies meet SB 1386 regulations, isn't a "no-brainer" solution. First, encrypting a lot of data can affect application performance. After all, if data is encrypted, it must ultimately be unencrypted before it can be used. Second, the maintenance of the encryption keys has to be carefully managed. Third, if encryption is used, it has to trickle down to every tier of the storage infrastructure.

Although SB 1386 is a California regulation, it will have national and perhaps international impact. Many observers believe that it will ultimately serve as a model for a national database privacy protection act; indeed, Dianne Feinstein, a U.S. senator from California, has introduced such a measure. In addition, larger companies that don't have proper procedures in place to deal with its rules might be in violation of Section 404 of the Sarbanes-Oxley Act as well. (Section 404 relates to internal controls.)

For storage administrators, SB 1386 represents a broadening of responsibilities. Data security and protection have to move up the priority list. Storage administrators must see themselves as the stewards of data at rest and respond accordingly.

==== 2. From the Community ====

Any Uses for Old Backup Tapes?

Forum participant "JRich" wants suggestions for uses for old backup tapes. If you can help, join the discussion at

==== 3. New and Improved ====
by Anne Grubb

NetApp and VERITAS Collaborate on Disk-Based Data Protection

Network Appliance and VERITAS Software announced that they're offering new integrated disk-based data protection and data management solutions for multivendor environments. The solutions, which are geared toward enterprise customers, will help them reduce backup time, simplify management, and decrease disk consumption. One solution integrates the latest version of VERITAS NetBackup software, NetBackup 6.0, with NetApp's NearStore storage systems and SnapVault software, providing a common management console that lets customers take advantage of disk-based backup while retaining data on tape for long-term archival and disaster recovery. Another joint solution integrates VERITAS Enterprise Vault 6.0 software with NetApp's NearStore and SnapLock products to help customers meet compliance and regulatory requirements, letting them transparently archive data and quickly retrieve specific information as needed. For more information about the solutions, contact the vendors on the Web.
Network Appliance:

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== 4. Windows IT Pro Resources ====

Check out these links to a wealth of Windows IT Pro resources: white papers, eBooks, Web seminars, conferences, and other events.

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.

TAGS: Security