Building An Encrypted (But Accessible) Archive

Regulatory and legal pressures are forcing many companies to encrypt their e-mail and other archives. But can they decipher those messages or that data when they need to? We tell

September 8, 2005

Network Computing

The last thing you need when auditors come to town is an encrypted e-mail message in your archive that you can't decipher. You have to locate the end user who encrypted it and pray that he still has the decryption key -- and that it hasn't expired.

Encrypted archiving may not be a regular practice today, but regulatory and legal pressures are forcing many enterprises to rethink how they archive their e-mail, file, and database data. If your data is sensitive or confidential, such as patient or client data or intellectual property, you're responsible for protecting it from prying eyes. Encrypting your archived data is one way to meet regulatory compliance (think HIPAA and SOX) and minimize liability risks.

Some organizations under the regulatory microscope, such as financial and healthcare firms and federal agencies, are already grappling with how to strike a healthy balance between securing their archives and making them readily available for audits, legal discovery, or even just in-house access. "If we archive all of this data and it's not in a usable format, did we really fulfill our requirement to archive it?" asks Steve Elky, technical director of information security for Software Performance Systems, a Falls Church, Va.-based integrator with federal government clients.

There's no magic bullet for building an encrypted archive. Encryption and archiving for the most part are still separate technologies and products today, although that is about to change.

Policy Matters
The key to building a secure but accessible archive is policy. That means defining enterprise policies for encrypting your e-mail messages or other data as well as for user access and data retention. If your policy is to encrypt data only when it hits the archive, you won't, for example, end up with an e-mail message that's unreadable because Joe in accounting used his own PGP key that has since expired.

So before you rush out and buy encryption and archival software packages, first assess your workflow, including your regulatory and access requirements as well as your existing security. That means knowing where the data resides, who needs it, and how they access it. "The average company doesn't usually look at this," says Chris Wood, chief technology officer for data management at Sun Microsystems. "Decide what you don't need to archive and by what mechanism you'll securely manage your encryption and retention policies."

IntelliReach's Pete Zimmerman: "Adopt an enterprise-friendly encryption model."

If you have a user-based encryption model, drop it. This may have been an easier way to adopt encryption initially, but it leaves you at the mercy of your end users and their PGP or other desktop keys, industry experts say. Instead, "adopt an enterprise-friendly encryption model" for archiving, says Pete Zimmerman, director of archiving products for IntelliReach, an e-mail management solution provider based in Dedham, Ma. Enterprises are realizing that encryption and archiving are really interdependent, he says.

The most streamlined way to manage your archived data is to encrypt it at the storage level, or after it's stored in the archive, industry experts say.

Some organizations add a physical "layer" to their archival access policy. Researchers at Dartmouth Medical School's Atlas of Health Care project, for instance, must contact the systems administrator when they need access to older data stored offline in its encrypted tape archives. The systems admin loads the data online, setting up accounts that provide the researchers access only to the data for which they are authorized. "Core programmers can access all of the raw data, for instance, and a principal investigator would have access to the second-degree data sets," says Vincent Fusca, operations director for the Atlas project, which studies and documents how medical resources are used in the United States.

Atlas relies on healthcare claims database information for its analysis, so the data must be encrypted under HIPAA. Most of Atlas' nonarchived data sits online and encrypted using Decru's DataFort encryption appliances, and the Atlas IT team also encrypts the raw Medicare data tapes it receives. "All of our archival tapes are encrypted, so if someone were to break into the tape room and walk out with Medicare tapes, they can't do anything with them," Fusca says.

It would be more efficient, but obviously more risky, to give your end users direct access (without IT intervention) to an online archive. "Organizations are extremely uncomfortable with having the end user make the decision of when and what to archive," says Vicki Brown, vice president of marketing for IntelliReach. "You're leaving an important decision in their hands."

Aside from encryption and access, you'll also need to decide how long you will keep your e-mail messages and other archived data available to auditors or other users. Sun's Wood says it's best to destroy e-mails after the retention period mandated by SOX or other regulations, unlike more structured data such as human resources records that must be kept longer. That's because it's expensive to store the volumes of e-mail most organizations generate. "But if a company has reason to believe that any data [e-mail or otherwise] might be germane to possible legal action," says Wood, "they cannot destroy it, period."

Tool Time

Enterprise Security Group's Jon Oltsik: "It's an end-to-end security process, and encryption is just one layer."

If you're a Windows shop, you could tie your archive access control into Microsoft's Active Directory, says Jon Oltsik, senior analyst for information security at the Enterprise Strategy Group. "And depending on how secure the data needs to be, you could look at PKI [Public Key Infrastructure]," he says. "But some companies don't have the stomach for PKI."

Self-service is one of the key features of Symantec's Enterprise Vault. Users can search the e-mail archive from Microsoft Outlook and restore e-mail they accidentally deleted from the archive, for instance. Enterprise Vault also automatically decrypts a message without the user (or auditor) having to ask for IT's help, as long as it's a message they're entitled to access.

Sigaba's encryption software associates the encryption key with the messages themselves, says Jahan Moreh, chief security architect for Sigaba, which sells Secure Email. Once the software authenticates the user and confirms she's authorized to access, say, sensitive financial data, she gets a decryption key. "We view encryption as a way of enforcing access control," Moreh says.
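The key-release model Moreh describes, combined with encrypting at ingest under an enterprise-held key rather than a user's desktop key, shown as an added example (not Sigaba's or any vendor's code). The policy table, role names and record layout are hypothetical, and the HMAC-SHA256 keystream is a standard-library stand-in for an authenticated cipher such as AES-GCM so the example runs offline.

```python
import hashlib, hmac, secrets

# Hypothetical policy: which roles may read which message classifications.
POLICY = {"auditor": {"financial", "general"}, "staff": {"general"}}

def _subkeys(key):
    """Derive separate encryption and MAC keys from one key."""
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; reject tampered records."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("archive record failed integrity check")
    return _xor_stream(enc_key, nonce, ct)

def archive(master_key, body, classification):
    """Encrypt at ingest under a fresh per-message key stored, wrapped, with the record."""
    data_key = secrets.token_bytes(32)
    return {"class": classification,
            "wrapped_key": seal(master_key, data_key),
            "body": seal(data_key, body)}

def read_message(master_key, record, role, audit_log):
    """Release the message key only to an authorized role; log every decision."""
    allowed = record["class"] in POLICY.get(role, set())
    audit_log.append((role, record["class"], "released" if allowed else "denied"))
    if not allowed:
        raise PermissionError(f"{role} may not read {record['class']} records")
    data_key = unseal(master_key, record["wrapped_key"])
    return unseal(data_key, record["body"])
```

Because the per-message key is wrapped under a key the enterprise controls, an auditor's access depends on the policy check and not on whether the original sender still holds a valid desktop key.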

Help From Hybrids
The good news is that encryption, authentication, and archival vendors are starting to integrate their wares. Symantec/Veritas, for instance, has integrated its Enterprise Vault software with rights-management products such as Entrust and Liquid Machines, and Microsoft is working with Symantec and other e-mail archival vendors to add its Rights Management Services (RMS) software, which embeds the rights and access controls into your e-mail messages and documents themselves and also handles encryption.

Symantec is currently developing an adapter for Microsoft's RMS that will let you search RMS content in the archive. "Today you can archive RMS content and search on subject, but content isn't searchable," says Nick Mehta, senior product manager at Symantec. The new adapter will ship early next year, he says.

If you'd rather wait for a more turnkey solution, you're in luck. A new generation of hybrid products that blend encryption with archival and document management software is beginning to emerge. IntelliReach, for instance, this month plans to roll out archival software packaged with its own encryption features.

More Than Encryption
But don't get lulled into a false sense of archive security with encryption. Encryption is only one piece of the puzzle for securing your archive: Make sure your network perimeter and the archive server itself are also secured properly. "If I can compromise the [archive] server, it doesn't matter if the data is encrypted," Enterprise Strategy Group's Oltsik says. "It's an end-to-end security process, and encryption is just one layer."
