Encrypting sensitive data on premises, before it reaches the cloud or goes out the door on a truck, is a best practice whenever offsite storage is used. I have talked with many organizations that insist they will never store regulated data in the cloud. In fact, when asked what it would take to make them more comfortable, they do not spend three seconds of thinking time before shuddering at the prospect of their CEO appearing on TV to explain a major data loss incident. Many cannot envision any level of confidence in data security that would allow off-site storage of sensitive data. Yet with proper key management an organization can safely cut storage costs by sending only encrypted data to storage services, and keeping the keys at home.
Seagate announced that it has sold more than one million self-encrypting drives. This matters to security officers because disk drives, and the regulated data they contain, do not stay in the data center forever. Seagate claims that 80% of the drives sent out for repair, or returned at the end of a lease, still contain readable data. Drives that are retired instead go through expensive physical wiping and shredding processes, unless a human error causes that step to be skipped. Self-encrypting drives encrypt everything written to the platters with a key that lives inside the drive, so the risk of data loss drops without a performance penalty or extra operational procedures. The practitioner's caveat is that the protection only holds when the drive is actually locked with an authentication credential that is managed outside the drive; an unlocked self-encrypting drive reads like any other. The payoff at retirement is that erasing the drive's internal media key renders every sector unreadable at once, which is what makes the shredding step redundant.
There are also many vendors offering shared cloud-based resources to drive down the cost of handling sensitive data for such activities as backup and restore (IBM, i365), email archiving (AppRiver, ProofPoint), and world-wide availability (RSA Security, Trend Micro). The critical element for cloud-based services is the same: encrypt and decrypt the data on premises so that it is never exposed in plaintext in the cloud. Doing so also reduces the IT burden of auditing the service provider's security policies, since the provider holds only ciphertext, and lets the organization take advantage of efficient storage services.
Both the physical and the cloud-based secure storage objectives require organizations to manage their own cryptographic keys. That is a core competency every security-aware corporation must have, especially if it chooses to use external service providers. Companies already entrust sensitive data to outside services all the time (payroll services, 401K programs, health networks, sales force information, and so on), so they should feel more comfortable evaluating secure storage services knowing that, as long as the keys stay on premises, the company still controls the data.
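The pattern the two preceding paragraphs describe, encrypting on premises and keeping the key at home, is usually implemented as envelope encryption: each object gets a fresh random data key, that key is wrapped under a key-encryption key (KEK) that never leaves the organization, and only the ciphertext plus the wrapped data key are handed to the storage provider. The following Go program is an added example written for this page, not code from any vendor named above. It assumes a 32-byte KEK obtained from an on-premise key server or HSM (here simply generated), uses AES-256-GCM from the Go standard library, and binds each wrapped key to its object name via GCM associated data so a provider cannot swap keys between objects. The sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is the only thing that leaves the premises: the ciphertext
// and the per-object data key wrapped under the KEK. The KEK itself never leaves.
type EncryptedObject struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts and authenticates plaintext under key with a fresh random
// nonce, binding it to aad. The nonce is prepended so the blob is self-contained.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; it fails on a wrong key, tampering, or wrong aad.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptForOffsite runs on premises before the object is handed to the storage
// service: a random per-object DEK encrypts the data, and the KEK wraps only the
// DEK. objectName is associated data, so a wrapped DEK is tied to one object.
func EncryptForOffsite(kek, plaintext []byte, objectName string) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptOnPremise is the only path back to plaintext. It needs the KEK, which
// the provider never holds; destroying the KEK retires every object wrapped
// under it in one step (the same idea as crypto-erasing a self-encrypting drive).
func DecryptOnPremise(kek []byte, obj *EncryptedObject, objectName string) ([]byte, error) {
	dek, err := aeadOpen(kek, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, obj.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // assumption: in production this comes from an on-premise key server
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	record := []byte("employee=Jane Doe;ssn=123-45-6789") // constructed regulated record
	name := "backups/2010-03/hr.tar"
	obj, err := EncryptForOffsite(kek, record, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible in uploaded object:", bytes.Contains(obj.Ciphertext, []byte("123-45-6789")))
	// The provider holds obj but no KEK; any key it guesses fails authentication.
	_, err = DecryptOnPremise(make([]byte, 32), obj, name)
	fmt.Println("provider decrypt attempt:", err)
	pt, err := DecryptOnPremise(kek, obj, name)
	fmt.Println("on-premise decrypt:", string(pt), err)
}
```

Because GCM authenticates as well as encrypts, a tampered object or a wrapped key moved to a different object name fails to decrypt rather than yielding garbage, which is the check an auditor should expect from an on-premise encryption gateway.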