New ECMA-379 Standard For Optical Media LifeTest

June 29th, 2007

On June 28, 2007, Ecma International approved a new standard, ECMA 379 - Test Method for the Estimation of the Archival Lifetime of Optical Media. This standard will enable the industry to offer reliable archival-grade optical discs to help end-users select the media life expectancy best suited to their application requirements. The standard was approved by the Ecma General Assembly, culminating an effort initiated in June 2006 when Ecma International’s Technical Committee TC31 agreed to finalize a draft standard developed by various industry participants working within the Optical Storage Technology Association (OSTA).

The new Ecma Standard specifies an accelerated aging test method for estimating the life expectancy for the retrievability of information stored on recordable or rewritable optical disks. The test includes details for the following formats: DVD-R/-RW/-RAM and +R/+RW. It may be applied to additional optical disk formats, such as Blu-ray and UDO, with the appropriate specification substitutions, and may be updated by committee in the future as required.

Following this milestone, the standard will be transferred to International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) Joint Technical Committee 1 SC23 under an established “fast track procedure.” The earliest anticipated ISO/IEC version is December 2007, said Ecma International.

Manufacturers sponsoring and participating in the development of this standard included Fujifilm, Hewlett-Packard, Imation, MAM-A, Panasonic, Philips, Pioneer, Ricoh, Sony, Toshiba and Verbatim.

The committee also received support from related industry organizations including Japan’s CDs21 Solutions and the Digital Content Association (DCAj) and OSTA (Optical Storage Technology Association).

The ECMA 379 specification document may be reviewed and here .

Do You Need Storage Encryption?

April 15th, 2007

With all the regulatory and industry compliance requirements and initiatives around today, data storage encryption has come to the forefront of most IT team agendas. The bottom line is whether it makes sense to lock down your technical information, both in transit and at rest. Don’t be too eager to institute encryption controls for ‘security’s sake’ without understanding what information is stored and the consequences if it is tampered with or exploited by either internal or external factors. Fundamentally, before your IT team becomes involved with auditor or upper management inquiries about data security, you must first determine what data is potentially at risk and the extent of vulnerability within your storage environment if you’re not using encryption. The following checklist will help you determine if and where encryption may need to be implemented within your infrastructure.

  • Review your organizational data classification documentation/processes to ensure that you and your team understand how to classify the level of importance and potential vulnerability of sensitive or protected information. During this process you may also begin to wonder why the data needs to reside where it is and how long it needs to be kept.
  • Find out where this sensitive information is generated and stored within your data storage environment, i.e. applications creating the sensitive data, databases, direct-access storage or local client/workstation/server storage, laptops, mobile devices/PDAs, USB and more.
  • Assess what regulatory compliance requirements affect this sensitive information, i.e. 21-CFR-11, Basel II, DOD5150-2, HIPAA, GLBA, ISO15489, SEC17a-4, SOX and other applicable international privacy, individual state compliance or breach notification legislation.
  • Determine what sensitive information can be potentially attacked and exploited without an encryption process in place within your existing security framework.
  • Determine if other layered defense security tools already in place could replace the need for encryption.
  • Assess infrastructure requirements to implement appropriate encryption controls where applicable within your existing data storage environment.
  • Ensure that you and your team consider the most important factor of implementing encryption, an encryption key management system.
  • Ensure that you and your team have documented this sensitive data evaluation process to determine where data storage encryption is or is not required.

Once you have determined the need for encryption and where it is to be applied, you then will need to worry about managing the keys. Every encrypted data item will require an encryption key to unlock the encrypted data, which will require management of potentially hundreds or even thousands of encryption keys utilized across your enterprise. The fear of data loss due to the inability to decrypt the encrypted data because of a lost key is the most significant reason why encryption has not been extensively deployed today. Most seasoned IT veterans will take a more conservative view where implementation of new technology is concerned, yet even though encryption could potentially lock them out from accessing their data, both legislation and liabilities for compromised sensitive data continue to drive encryption to the forefront.

The Federal Information Processing Standard (FIPS) 140-2 Level 3 requires that the systems used to store encryption keys be physically secure, utilize two-part authentication, produce audit logs showing all accesses, and encrypt all communications between systems. Requiring two-part authentication, 128-bit key lengths or keys that change every few weeks may not be applicable in every organization, but if you utilize the same 56-bit key for every encrypted file or storage medium, key management will not become so onerous. If your organization does not need FIPS 140-2 Level 3 compliance, there is a plethora of security products on the market today that employ a variety of more standard, off-the-shelf encryption key techniques like Java JCA/JCE CSP, Microsoft’s Cryptographic API (MS-CAPI), OpenSSL, PKCS#11, RSA Labs and others.

As encryption becomes more prevalent, key management issues will be of paramount concern and an enterprise-wide key management system that will issue, secure and track encryption keys will be required. Ensure that you and your team give some consideration to the following encryption key management issues:

  • Will encryption keys be stored locally on each client, on a centralized server or in a hardware device such as a dongle, SmartCard, USB or other removable device?
  • How will you audit and track what data was encrypted with what key and where the applicable key(s) are stored?
  • Who will be an authorization authority that can access and provide encryption keys if a disaster strikes requiring server rebuilds from encrypted backup or DR images without the original backup software that initiated the encryption?
  • How will you ensure that the encryption keys will be readily available in the future, i.e. 5, 10, 25, 50+ years from now when access to the data is required?
  • Ability to regularly change keys;
  • Ability to replicate keys so that any failure will not result in a data loss scenario;
  • Ability for software-based recovery of encrypted data using keys originally stored on removable hardware (dongle, SmartCard, USB, or other removable device);
  • Effective reporting capabilities to associate keys with encrypted stores and users.
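A small key-inventory audit covering the tracking, rotation, replication and reporting points in the list above. This is an added example, not code from the original post; the record fields, the 90-day rotation window, the two-copy minimum and all sample data are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample inventory: key id -> metadata (all values hypothetical).
KEYS = {
    "k-001": {"created": date(2007, 2, 10), "locations": ["hsm-a", "hsm-b"],
              "custodian": "dr-team"},
    "k-002": {"created": date(2006, 6, 1), "locations": ["usb-token-7"],
              "custodian": "backup-admin"},
    "k-003": {"created": date(2007, 3, 20), "locations": ["hsm-a", "offsite-vault"],
              "custodian": None},
}

# Constructed sample map of encrypted stores to the key protecting each one.
STORES = {
    "backup-tape-0412": "k-001",
    "laptop-fleet-img": "k-002",
    "hr-database": "k-003",
    "dr-image-2006": "k-009",  # key id that is absent from the inventory
}

def audit(keys, stores, today, max_age_days=90, min_copies=2):
    """Return a sorted list of (subject, finding) tuples."""
    findings = []
    for store, key_id in stores.items():
        if key_id not in keys:  # data encrypted under a key nobody tracks
            findings.append((store, f"unrecoverable: key {key_id} not in inventory"))
    for key_id, meta in keys.items():
        age = (today - meta["created"]).days
        if age > max_age_days:  # assumed rotation policy
            findings.append((key_id, f"rotation overdue: {age} days old"))
        if len(set(meta["locations"])) < min_copies:
            findings.append((key_id, "single copy: losing this location loses the data"))
        if not meta["custodian"]:  # nobody authorized to release the key in a disaster
            findings.append((key_id, "no recovery custodian assigned"))
    return sorted(findings)

def stores_by_key(stores):
    """Reporting view: which encrypted stores depend on each key."""
    report = {}
    for store, key_id in stores.items():
        report.setdefault(key_id, []).append(store)
    return {key_id: sorted(names) for key_id, names in report.items()}

if __name__ == "__main__":
    for subject, finding in audit(KEYS, STORES, today=date(2007, 4, 15)):
        print(f"{subject}: {finding}")
```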

The type of encryption you use can have a significant impact on the performance of your network. Hardware encryption will be a lot faster than software-based encryption, so be sure you select the right encryption solution for your environment.

Secure Archive Considerations

February 21st, 2007

The New Year has arrived and IT managers across the globe have begun another year of balancing shrinking IT budgets against organizational needs and ever-growing regulatory requirements. However, as these changes continue to pepper the IT landscape, one aspect still remains a constant, the requirement to archive data.

Although a plethora of archival storage solutions and technologies inundate the data storage market, not all may meet the overall requirements for the masses. Fundamentals for consideration of an archival storage solution include access control, data availability, data integrity, data recording technology, disaster recovery, file format, user authentication and validation. Most archival data storage solutions are designed around long-term preservation within a write-once usage model that can provide decades of controlled accessibility in an immutable environment.

With the recent rash of data and identity theft threats cropping up across the globe, a lot of attention has been drawn to the overall security of data, both in transit and at rest. These new threats can endanger the availability, integrity and security of the actual archival data contents, forcing another round of scrutiny of IT policies and defense techniques being applied to the archival storage system(s).

Even with the new ‘open’ eXtensible Markup Language (XML), Secure XML and XSLT (eXtensible Style Sheet Language Transformation) formats, one of the most prominent active archival storage projects at the U.S. National Archives and Records Administration (http://www.archives.gov/) presently relies on Adobe’s Portable Document Format (PDF) and Microsoft Word files for long-term accessibility. This choice was based upon the May 2005 ISO/DIS 19005-1 international standard that defined the use of PDF for archiving and preserving documents by the International Organization for Standardization (ISO), which represents over 148 countries. Although there are a variety of data format alternatives, there is no single standard data/information life cycle protocol or format for secure e-record archival storage today, and the costs to switch to an alternative to the PDF format will be daunting.

Regardless of the data/file format in the archive, the use of encryption has been heralded as ‘The Answer’ to the data integrity and security problems we all face and it is increasingly available from an ever-growing variety of flavors and vendors. For example, the RC4-HMAC Kerberos encryption is employed in the Encrypted File System (EFS) option in Microsoft Windows, Sun Microsystems Solaris 10 operating systems and others. Encryption also employs the use of asymmetrical (public) keys, typically generated in pairs, that include a public and private key. Management and safeguarding of keys can become a significant problem when applied across zettabytes of archived data that is potentially accessed by an equally daunting number of users.

Although there are several encryption standards that have been adopted by a variety of market segments, the majority of hardware and software-based data encryption solutions that employ both standard and non-standard (proprietary) methodologies have been ‘cracked’ and violated by hackers. So even though there are a variety of encryption standards, employing and applying a specific type of encryption to a long-term data archive is potentially very risky and questionable.

(By: Mike Johnson/BusDev/CUC. PART 1 of a multi-part post..)

Can Blu-Ray save the day?

January 31st, 2006

By the time a manufacturer releases a new storage product to market, they are already painfully aware of the limited time they have to address and gain specific market share. This is due to both the notoriously short product life cycles in the data storage market, and the competing vendor and technology factors that will attempt to hasten the products’ obsolescence in the market.

Blu-Ray technology appears to have all the indications of a longer than normal lifespan for a data storage technology. When multiple giant companies like Hitachi, Panasonic, Toshiba, Sony and others band together to mutually address and adhere to a technology standard, it more than likely will ensure that the product will endure a longer life with even a potential promise of increased ‘areal density’.

This sends an optimistic message to the end user who desires to enter into a long-term technology road map and business partnership with some degree of confidence, as it provides a level of procurement insurance against acquiring a technology product that will be either quickly abandoned or discontinued by a proprietary manufacturer.

Some departmental or project-related storage requirements may not require a long technology lifespan, but if archiving is involved, it quickly becomes a different storage problem. Placing the long-term data assets of an organization onto ever-changing media technology that cannot provide an upgrade path becomes both a very expensive proposition to the organization and a data storage management nightmare.

Blu-Ray appears to be the new ‘White Knight’ that can help ease the decision-making process on what ultimately will be the long-term data storage technology on which a company can store its legacy data with confidence of data accessibility 25+ years down the road. Blu-Ray areal density road maps are now available to help with your future storage planning needs.