Virtual Environments such as Amazon AWS and Microsoft Azure are becoming a popular choice for cloud storage, but it isn’t uncommon for businesses to operate and manage their own physical servers – either on premise or via third-party data centres – and the data they hold is incredibly valuable. But, given their static existence, do they really need to be encrypted?
Often, articles will suggest that these physical servers do not need to be encrypted.
The arguments are usually as follows:
- Physical servers are usually well-protected within business’ walls, inside an even more secure data centre
- The servers can, and usually do, run for many months or years before being brought down
- Full Disk Encryption (FDE) is really only for the protection of data ‘at rest’ – physical servers usually keep data moving
- Adding another layer of security comes at the cost of reduced convenience
These statements are accurate, but we don’t believe that they outweigh the benefits of physical sever encryption.
So, why encrypt a physical server?
To counter the first two points, it is important to remember that physical data theft is a real threat. The idea that someone could simply make off with your drives is not as silly as it may sound: data is valuable, and burglaries are carried out for less. Cyber-security is top priority for businesses – but does your real-world security fill you with confidence?
Even if your drives are in Fort Knox, they will eventually leave its walls. Servers need repair and, eventually, disposal. An encrypted drive can be easily wiped before it is retired – and if it goes missing before then, the data is inaccessible.
The third point – that data is seldom at rest in a physical server – is often no longer accurate. As Garry McCracken, VP of Technology at WinMagic, pointed out in an earlier article, the rise of hyperconvergence infrastructure (HCI) and Virtual Machines (VM) means that data is often static as the ‘cloud in a box’ goes up and down far more regularly than a physical machine.
The argument for convenience is often what ultimately sways a business away from data encryption – and its value varies between organisations. But erring on the side of security, caution is seldom something to regret.
An unfortunate example: data drive disappearance
McCracken’s recent update to his argument for physical server encryption came with a startling use case.
He focused on a nameless financial services organisation (FSO) with hundreds of branches, each with physical servers. The FSO didn’t have in-branch IT personnel at each of these locations; certainly, none qualified to diagnose and repair the drives.
You’ll have spotted the threat already: when the drives needed repair, they were posted to head office. The risk of theft or loss increased by orders of magnitude.
Eventually, one of the drives went missing. This was disastrous, as the FSO had to report it to the authorities and deal with the fallout (both legal and financial).
It was enough to spur the FSO into action. Their solution was simple: they had to encrypt all of their remote, physical servers – nearly 1,000 in total.
The encryption was done quickly and without any technical hiccups.
This lowered the worst-case scenario to the cost of replacing the hardware. Anyone with a drive they shouldn’t have wouldn’t have been able to access the data.
As McCracken pointed out, his use case isn’t FSO-specific. Many organisations, from retail to legal firms, have branches with physical servers that go back to head office for repair. On top of that obvious risk, a lot of branches don’t have the physical security measures of head office – servers are more likely to be swiped straight from the building.
The GDPR complication
Since GDPR rules came into force, it is even more important to offer every protection to your consumers’ data. Not only are the rules stricter, but the public are far more aware of their rights when it comes to data security.
It is still worth encrypting a physical server. As long as you have valuable data, there is a risk that someone will steal it.
If you want to know more about the kind of centrally-managed encryption that allows the FSO (and many other firms) to keep physical servers in-branch without a large, remote IT staff, check out MFG Managed Encryption’s server encryption. Alternatively, get in contact to find out if physical server encryption is necessary for your business.