
WHITE PAPER

A Prudent Approach for Storage Encryption and Key Management

By Jon Oltsik, Principal Analyst

May, 2009

Copyright 2009, The Enterprise Strategy Group, Inc. All Rights Reserved.
ESG WHITE PAPER
A Prudent Approach for Storage Encryption and Key Management

Table of Contents

Executive Summary
The Case for Confidential Data Security
Confidential Data and Storage Security
Storage Security Must be Based Upon Risk
Tape Encryption is a High Priority in the Data Center
A Prudent Approach for Storage Encryption and Key Management
Phase I: Address Vulnerabilities with Tape Encryption
Phase II: Anchor Data Center Encryption with a Central Key Management Service
Phase III: Proceed to Disk Encryption Based Upon Risk and Regulations
To-Do List

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188. This ESG White Paper was developed with the assistance and funding of Thales Group.


Executive Summary
Large organizations continue to invest in a multitude of security technologies to protect both their IT
infrastructures and their most valuable asset: confidential and private data. In spite of this effort, publicly-
disclosed data breaches seem to be everyday occurrences. Why this disconnect? Can anything be done to
improve confidential data security? This paper concludes that:

Confidential data security must be based upon a risk continuum. ESG believes that confidential
data security is a function of its volume (i.e., the number of users who have data access, the number of
devices it is stored upon, etc.), its mobility, and its proximity to IT. In other words, high volume, mobile
data with little IT oversight is most vulnerable to a data breach. Security and storage managers should
marry these guidelines to their data classification taxonomies and then create suitable policies and
security safeguard technologies for the data itself.

Storage managers play an important role. For the most part, confidential data at risk will be at the
edge of the network, not in the data center. Why? Confidential data at the network edge tends to be
highly distributed, mobile, and unmanaged, while data residing on large enterprise storage systems in
data centers tends to be centralized, immobile, and in close proximity to IT staff. Given these parameters,
the risk of a breach of data stored on enterprise storage systems is relatively low. Backup tape
cartridges are one exception to this rule as they are mobile by design. As such, tape media in cleartext
presents a data breach vulnerability and should be addressed as soon as possible. With tape as a high
priority, storage managers must become leaders in the confidential data security effort by assessing their
backup processes, creating an inventory of tape drives, and building a plan for tape encryption across
the enterprise.

Tape encryption should anchor long-term storage encryption and key management strategies.
While most companies will start by encrypting a few tape drives, this is just the beginning. Large
organizations need to plan on encrypting all tape drives and complement this deployment with scalable
services for key management. This will provide a foundation for further encryption based upon further
privacy legislation and more mainstream encryption technology. Savvy CIOs will build an encryption and
key management strategy that provides for a time when data center encryption is the rule, not the
exception.

The Case for Confidential Data Security


When it comes to corporate data, there are two immutable facts: 1) total data capacity grows substantially each
year and 2) a large percentage of all corporate data is either private or sensitive in nature. This second point is
highlighted in a recent ESG Research Report. According to most security professionals working at enterprise
organizations (i.e., more than 1,000 employees), at least half of all corporate data could be classified as
“confidential” (see Figure 1).


FIGURE 1. ORGANIZATIONS CONSIDER MOST DATA TO BE CONFIDENTIAL

Approximately what percentage of your organization's total data (i.e., all files, objects, and database information) would you consider to be confidential? (Percent of respondents, N=308)

More than half, 50%; Less than half, 48%; Don't know, 2%.

Source: Enterprise Strategy Group, 2009

This high percentage of confidential data places an increasing burden on IT, storage, and security staff. Growing
volumes of confidential data demand special security controls and technology safeguards because:

Attacks are aimed at confidential data. Unlike some of the exploits of the past, today’s malicious code
attacks are squarely aimed at stealing useful information like social security numbers, bank accounts,
and Intellectual Property (IP). These threats also continue to grow more and more sophisticated. For
example, the Conficker worm is now in its fourth (or “D”) revision, with each version introducing new types
of propagation vectors and domain communication algorithms. Ominous threats like these are far more
advanced than most organizations’ security infrastructure or existing storage security controls.

Regulations mandate data privacy and security. Privacy regulation is already ubiquitous; now it is
becoming more demanding. For example, 44 states now have data privacy and breach disclosure
legislation in place, while new privacy conventions in Massachusetts and Nevada mandate that
Personally Identifiable Information (PII) must be encrypted in certain types of e-mail messages and
mobile storage devices. Michigan and Washington State are considering similar laws. It is likely that
other government and industry bodies such as the U.S. Federal Government, the European Union, and
the Payment Card Industry will follow suit with similar encryption directives.

Publicly-disclosed data breaches are an everyday event. According to the Privacy Rights
Clearinghouse, there have been well over 300 publicly-disclosed breaches exposing over 250 million PII
records since the organization started tracking this data in 2005. Things are not improving with time,
either. In just over 3 months in 2009, there were 90 publicly-disclosed data breaches exposing well over
100 million PII records.[1] This trend is further supported by recent ESG Research data—in a recent
survey of security professionals working at enterprise organizations (i.e., 1,000 employees or more), 55%
said that their organization had suffered at least one confidential data breach in the past 12 months (see
Figure 2).

[1] Source: privacyrights.org


FIGURE 2. CONFIDENTIAL DATA BREACHES AT ENTERPRISE ORGANIZATIONS

To the best of your knowledge, has your organization suffered a confidential data breach within the last 12 months? (Percent of respondents, N=179)

Yes, one confidential data breach, 40%; Yes, several confidential data breaches, 15%; No, we have not suffered a confidential data breach within the last 12 months, 40%; We may have suffered a confidential data breach within the last 12 months, but can't be sure, 4%; Don't know, 1%.

Source: Enterprise Strategy Group, 2009

Organizations of all sizes have one other persuasive driver for confidential data security: the costs associated
with publicly-disclosed data breaches (i.e., contacting customers, offering credit protection, customer service
calls, postage, etc.) can be extremely high. ESG estimates a cost of between $30 and $150 per individual, so a
breach of 1 million personal records could carry a cumulative cost of $30 to $150 million. These expenses don’t
capture other indirect costs such as corporate embarrassment, brand damage, share price reduction, and future
civil litigation. Obviously, large organizations want to employ best practices for safeguarding confidential data in
order to avoid these portentous data breach consequences.

Confidential Data and Storage Security


A strong confidential data security strategy will seek to reduce risk wherever possible. This means restricting
access to confidential data on the one hand and then protecting the confidential data itself on the other. This
begs a logical question: What role should storage security (more accurately, storage encryption) play? After all,
electronic data resides on one storage medium or another, ranging from portable devices like USB flash drives
and iPods to enterprise-class multi-terabyte storage systems. With so much distributed private data, one school
of thought suggests that if all storage devices were encrypted, then confidential data would enjoy far greater
protection. Is this the right approach? If not, which storage devices should be encrypted and which should not?
How will the answers to these questions change over time?

Storage Security Must be Based Upon Risk

ESG believes that, to some extent, the fact that confidential data “lives” on storage devices is inconsequential.
Rather, CISOs must collaborate with the storage team to ask themselves one question with regard to storage
security: Is the risk of a breach of confidential data residing on storage devices high or low?

Based upon recent research, ESG has arrived at a relatively simple but highly effective set of guidelines for
determining confidential data risk. To summarize, confidential data security risk is directly related to:

1. The volume of users and devices. Risk is a function of the number of users and devices with the
ability to read, write, copy, move, and manipulate confidential data.


2. Mobility. Risk is proportional to data mobility. The more mobile the data, the higher the risk.

3. Proximity to IT. Risk is a function of the location of confidential data in relation to its proximity to IT. For
example, mainframes contain a high percentage of confidential data, but since enterprise systems tend
to be housed in data centers surrounded by security controls in close proximity to IT staff, security
professionals are less concerned with confidential data stored on mainframes than data on other
systems. Additionally, corporate employees and external constituencies outside of the purview and
controls of the IT department present a bigger risk to confidential data security than knowledgeable,
co-located IT staff.

When applied to storage, these qualifications provide a good set of guidelines for where encryption of storage is
necessary and where it is not (see Table 1). Based upon these criteria, three types of storage media demand
immediate encryption: laptop computers, mobile storage devices, and backup tapes. Given the high level of risk,
encrypting these types of storage should get top priority in spite of cost cutting measures associated with the
global recession. All other types of storage devices should be examined more carefully based upon the three
qualifications listed above in addition to other risk criteria such as industry-specific risks, regulations, etc.

Laptop and mobile storage device encryption is generally handled by network, desktop, and security
administrators tasked with user support, endpoint configuration management, and device security. On the other
end of the spectrum, tape drives tend to be co-located with enterprise servers and storage in data centers, thus
tape encryption is generally handled by data center and storage specialists. The remainder of this paper will
focus on encryption best practices for this group by focusing on tape encryption in the short-term while building a
data center encryption and key management strategy over time.


TABLE 1. STORAGE ENCRYPTION SHOULD BE BASED UPON PRIMARY RISK FACTORS

Columns: storage device; volume; mobility; IT proximity; security and encryption strategy.

Laptop hard drive
  Volume: High. Nearly half of all PCs.
  Mobility: High.
  IT proximity: Low when mobile.
  Strategy: Encrypt all laptops to greatly lower the risk of a data breach associated with laptop loss or theft.

Mobile storage device (i.e., USB flash drive)
  Volume: High. Users may have many.
  Mobility: High. Can fit into a pocket and be easily hidden.
  IT proximity: Low.
  Strategy: Restrict the use of mobile storage devices for confidential data. Encrypt all approved mobile devices to greatly lower the risk of a data breach associated with mobile storage device loss or theft.

PC hard drives
  Volume: High. More than half of all PCs.
  Mobility: Low. Drive could be removed, but this is a low risk.
  IT proximity: Medium. Depends upon the ratio of administrators to PCs. PCs are also protected by physical security measures.
  Strategy: Use physical security to prevent tampering, inspect packages, and conduct surveillance on all exits. Create a process for data destruction for hard drive failures or maintenance.

Server-based hard drives
  Volume: Medium, depending upon size of organization.
  Mobility: Low. Drive could be removed, but this is a low risk.
  IT proximity: High. Primary domain of system administrators.
  Strategy: Use physical security to prevent tampering, inspect packages, and conduct surveillance on all exits. Role-based access control (RBAC) for IT administrators. Create a process for data destruction for hard drive failures or maintenance.

Storage systems
  Volume: Low. Few large enterprise systems.
  Mobility: Low. Stationary in data center.
  IT proximity: High. Primary domain of highly skilled data center staff.
  Strategy: Use physical security to prevent tampering, inspect packages, and conduct surveillance on all exits. Role-based access control (RBAC) for IT administrators. Create a process for data destruction for hard drive failures or maintenance.

Tape media
  Volume: High. An enterprise may have over 100k tapes to manage.
  Mobility: High. Tapes are transported offsite on a daily basis.
  IT proximity: High to low. High on-site but non-existent when tapes are shipped.
  Strategy: Encrypt all tape to greatly lower the risk of a data breach associated with the loss or theft of a tape cartridge or box of tape cartridges.

Tape Encryption is a High Priority in the Data Center

According to ESG research, nearly half of all organizations have already recognized this need and encrypt
backup tapes as a regular course of action, while another 6% plan to deploy tape encryption within the next 12
months (see Figure 3).


FIGURE 3. TAPE ENCRYPTION DEPLOYMENT

Has your company deployed encryption technologies for tape backup? (Percent of respondents, N=308)

Already deployed, 46%; Plan to deploy, 6%; No plans but interested, 10%; No plans or interest, 13%; Don't know, 25%.

Source: Enterprise Strategy Group, 2009

Active use of tape encryption technologies is a good start, but it does not go far enough; ESG believes that all
backup tapes should be encrypted. Why? Backup operations and tape management are often more art than
science: confidential and pedestrian data are intermixed on the same set of tape cartridges, aggregated
in the same shipping boxes, and picked up by the same transportation companies. Additionally, almost every
publicly-disclosed data breach related to tape has resulted from lost, rather than stolen, tapes. A lost tape or box
of tapes places a tremendous burden on IT operations to identify whether this media contained regulated data,
but since data, tapes, and boxes are usually consolidated during the backup process, it is often impossible to tell.
Since regulations generally require companies to disclose if they suspect a breach, they are obligated to do so
under these circumstances. Encrypting all backup media could preclude this situation by providing safe harbor,
reducing the organization’s liability.

A Prudent Approach for Storage Encryption and Key Management

While encrypting all backup tapes may be ideal, deploying and managing encryption technologies can be tricky.
First, most large organizations have a host of backup software, tape drives, and libraries from multiple vendors.
Second, there are numerous encryption technologies to choose from. Should users select host-based options,
encrypting switches, encryption appliances, or new encrypting tape drives? Third, there is the issue of asset
management. It may seem attractive to replace a two year old tape library with a new one supporting encryption,
but not if this asset is not fully amortized by accounting. Finally, it is important to build a strategic encryption plan
that considers long-term requirements. Tactical tape encryption is certainly a priority, but a strategic encryption
plan should reflect on future regulatory, governance, and security operations requirements as well. Additionally,
it is critical to surround encryption with strong key management in order to know which data is encrypted, when it
was encrypted, which encryption keys were used, and where these encryption keys are stored. Auditors will
demand these kinds of encryption and key management controls in the near future.

To achieve both short- and long-term objectives, ESG believes that large organizations should take a prudent
approach for tape encryption and, ultimately, data center encryption key management. This demands a
multi-year plan executed through a number of incremental phases as follows:

Phase I. Address vulnerabilities with tape encryption

Phase II. Anchor data center encryption with a central key management service

Phase III. Proceed to disk encryption based upon risk and regulations

Phase I: Address Vulnerabilities with Tape Encryption

Tape encryption often begins with an immediate challenge to respond to a data breach, an audit requirement, or
new regulations. The heterogeneous mix of backup software and tape drive hardware can freeze organizations
as they ponder where to start this process. Since most tape, storage switch, tape drive, and library providers
now offer encryption capabilities, many storage professionals may believe that the best course of action would be
to work with each vendor individually. ESG believes that this would be a mistake as it would lead to redundant
processes, operational overhead, and multiple key management systems that could make key security an issue.

Rather than multiple individual solutions, ESG believes that large organizations would be better served by:

Implementing common network-based encryption appliances. Network security appliances such as
firewalls, IDS/IPS devices, and gateways gain efficiency by sitting on a common network and filtering all
traffic. This same network efficiency can be applied to tape encryption as well. Since network-based
encryption appliances can be implemented in the backup data path while remaining transparent to
backup software and tape devices, deployment and ongoing operations should not disrupt existing
technology or backup operations. And since many appliances contain high performance cryptographic
and data compression processors, backup performance will be unaffected. Storage professionals should
select a single network appliance or family of appliances that offer scale, performance, and central
management. Users with lots of SAN- and DAS-based storage will also want to choose appliances that
offer full support for Fibre Channel, iSCSI, SAS, and SCSI.

Purchasing tape drives with cryptographic processors. While multi-protocol tape encryption
appliances can encrypt any traffic, new tape drives like IBM’s TS1120 and the industry standard LTO-4
now ship with onboard cryptographic processing installed on each drive. Over time, this will certainly
help large organizations scale tape encryption as CPU-intensive operations are distributed to lots of
distributed cryptographic processors. Storage managers should make sure to purchase self-encrypting
tape drives only as legacy tape drives and libraries reach the end of their amortization schedule.

Note that there are two distinct phases described above: one for legacy tape systems and one for a transition to
new encrypting drives. Of course, it would be simpler to select one method or the other, but neither approach is
appropriate on its own. Why? It does not make sense for large organizations to “rip and replace” working tape
drives that are not fully amortized. On the other hand, new tape drives adhere to Moore’s Law by offering
“baked-in” cryptographic processing at virtually no incremental cost. Given the balance of financial management
and technology innovation, a hybrid strategy is best for short- and long-term needs. To minimize the impact of
this transition on tape encryption procedures, make sure that new encrypting tape drives can be easily integrated
with existing encryption appliance key management.

Phase II: Anchor Data Center Encryption with a Central Key Management Service

During this second phase, storage professionals should assume that encryption technologies become more and
more pervasive as cryptographic processing is embedded in all tape and disk drives. As this occurs, many
organizations will find themselves managing hundreds of thousands of encryption keys on a regular basis. IT
managers will quickly find that key management scale can lead to a number of serious concerns. Key security
becomes paramount—an unsecured key management system could provide the “keys to the kingdom” to an
industrious hacker, while a lost encryption key could render one-of-a-kind critical data “unreadable” forever.
Even if key management is adequately secured, multiple encryption operations could impact data recovery
procedures, greatly increasing the Recovery Time Objectives (RTOs) associated with disaster recovery/business
continuity objectives.


To avoid these and other security and operations problems, large organizations must select rock-solid key
management (starting with the right support for storage encryption) for operations like key generation, rotation,
storage, and security. Ideally, these key management services will already be in place, built into the tape
encryption appliances described in Phase I above. Enterprise-class key management services must offer a wide
range of functionality that delivers strong security, operations, and auditing capabilities. In a recent ESG
Research Report, security professionals defined a long list of requirements including key backup/recovery, strong
auditing/reporting tools, Role-based Access Control (RBAC), and easy integration with other key management
systems (see Figure 4).

In addition to this lengthy list, ESG recommends that CISOs work with their storage counterparts to select key
management vendors based upon:

Standard support. Vendors should pledge their support and participate in the development of leading
key management standards efforts. At the very least, vendors should be committed to IEEE P1619.3 as
well as the promising new Key Management Interoperability Protocol (KMIP) developed and promoted by
the Organization for the Advancement of Structured Information Standards (OASIS).

Key management experience and implementation skills. Building a key management infrastructure
is a rather esoteric set of skills. Make sure to work with a vendor that can help design and deploy an
architecture that meets today’s immediate tape encryption needs and scale for future requirements.

Industry relationships. In addition to standards support, it is important to select key management
vendors based upon their ability to work seamlessly with current and future tape and storage
infrastructures. The best solutions will have been tested and qualified by all vendors.


FIGURE 4. MOST IMPORTANT REQUIREMENTS FOR KEY MANAGEMENT SYSTEMS

Please rate the following features/capabilities in terms of their importance to a key management system. (Percent of respondents, N=165)

Percentages as labelled on the chart, in the order Very important / Important / Somewhat important / Not very important / Not at all important / Don’t know (some rows carry only five labels on the chart).

Key backup and recovery: 30% / 45% / 18% / 1% / 7%
Strong auditing/reporting tools: 29% / 42% / 20% / 1% / 1% / 7%
Role-based access control: 26% / 41% / 22% / 2% / 8%
Ease of integration into other key management systems: 25% / 43% / 19% / 4% / 1% / 7%
A full set of features for key management lifecycle: 24% / 39% / 28% / 2% / 8%
Centralized key management of multiple distributed encryption systems: 21% / 45% / 21% / 3% / 1% / 9%
Key management system sold and supported by a “trusted” vendor: 21% / 37% / 25% / 7% / 2% / 8%
Industry standards support: 19% / 40% / 23% / 4% / 2% / 11%
Quorum controls: 19% / 36% / 24% / 8% / 1% / 12%
Support for multiple encryption and hashing algorithms of various strengths: 17% / 41% / 25% / 5% / 1% / 11%
Integration with PKI products and/or services: 16% / 38% / 24% / 6% / 1% / 14%
FIPS certification: 16% / 35% / 24% / 5% / 2% / 19%
Rich meta data associated with each encryption key: 13% / 40% / 25% / 7% / 1% / 14%
A hardened key management appliance: 13% / 37% / 30% / 5% / 2% / 12%
NIST SP800-57 Parts 1 & 2: 6% / 34% / 24% / 5% / 1% / 29%

Source: Enterprise Strategy Group, 2009

Phase III: Proceed to Disk Encryption Based Upon Risk and Regulations

Today, many large organizations believe that the risk of a breach of data stored on enterprise storage systems is
relatively low. Consequently, they eschew data encryption on these devices. In the future, however, massive
Dell, EMC, Hitachi, LSI, and IBM storage systems will be installed with hardened configurations that include
encryption by default for several reasons:

Self-encrypting drives will become the rule. Like LTO-4 tape drives, new disk drives will ship with
onboard cryptographic processors based upon the Trusted Computing Group (TCG) specification.
Self-encrypting drives will likely become the standard in the next 3 to 5 years as disk suppliers integrate
cryptographic processors into their manufacturing process.

Regulations may require persistent encryption. Future regulations may specify that private data is
encrypted throughout its lifecycle, whether at rest or in flight. For example, it is logical that regulations
around data retention and eDiscovery will mandate or recommend data encryption in the future. Disk-
based encryption may be the simplest route toward compliance.

Data erasure processes may benefit from encryption. While a large Hitachi TagmaStore or IBM
Shark storage system may be anchored to the data center, the actual disk drives resident in these
behemoths are regularly removed, shipped offsite for maintenance or as part of an upgrade, or physically
destroyed and disposed of. To secure these hard drives, most organizations have some type of manual
process for data erasure, including disk degaussing, software tools, and physical destruction. Encrypted
hard drives provide a more elegant solution. Simply delete the encryption keys and voila, all data on the
disk becomes “unreadable.” Given the growing amount of storage used by large organizations, data
erasure automation will likely become an increasingly attractive option.

Disk encryption will only accelerate the need for strong enterprise-class key management services described
above. Smart storage managers will build this into their overall encryption and key management plan from the
onset.
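The key management controls called for in Phase II (a lost key makes data unreadable forever, key backup/recovery, quorum controls, an audit trail of which key encrypted which media and when) and the crypto-erase described in Phase III, as an added example that is not ESG's or Thales' code. Everything in it is an assumption of this illustration: the per-cartridge DEK wrapped by a central KEK, the cartridge id, the 2-of-3 custodian quorum, and the HMAC-SHA256 counter-mode cipher that stands in for AES so the script runs with the Python standard library alone.

```python
import datetime
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag: a stdlib-only
# stand-in for AES-GCM / AES key wrap, used only so the example runs offline.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

# Shamir secret sharing over GF(P): any k of n custodians can rebuild the KEK,
# no single custodian can (the "quorum controls" of Figure 4).
P = (1 << 521) - 1  # Mersenne prime, larger than any 256-bit key

def split_secret(secret: bytes, k: int, n: int):
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_secret(shares, length: int = 32) -> bytes:
    s = 0  # Lagrange interpolation at x = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        s = (s + yi * num * pow(den, P - 2, P)) % P
    return s.to_bytes(length, "big")

def key_id(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]  # audit reference, never the key itself

@dataclass
class KeyManager:
    kek: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    wrapped_deks: dict = field(default_factory=dict)  # cartridge id -> wrapped DEK
    audit: list = field(default_factory=list)

    def _log(self, event: str, **fields):
        ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.audit.append({"ts": ts, "event": event, **fields})

    def encrypt_cartridge(self, cartridge: str, data: bytes) -> bytes:
        dek = secrets.token_bytes(32)  # one DEK per cartridge, wrapped under the KEK
        self.wrapped_deks[cartridge] = seal(self.kek, dek)
        self._log("encrypt", cartridge=cartridge, key_id=key_id(dek))
        return seal(dek, data)

    def decrypt_cartridge(self, cartridge: str, blob: bytes) -> bytes:
        if cartridge not in self.wrapped_deks:
            raise KeyError(f"no key for {cartridge}: data is unrecoverable")
        dek = unseal(self.kek, self.wrapped_deks[cartridge])
        self._log("decrypt", cartridge=cartridge, key_id=key_id(dek))
        return unseal(dek, blob)

    def crypto_erase(self, cartridge: str) -> None:
        del self.wrapped_deks[cartridge]  # destroying the DEK makes the tape unreadable
        self._log("crypto_erase", cartridge=cartridge)

def demo() -> dict:
    km = KeyManager()
    tape = b"CUSTOMER,SSN\nAda Lovelace,000-00-0000\n"  # constructed sample record
    blob = km.encrypt_cartridge("TAPE-000123", tape)
    shares = split_secret(km.kek, 2, 3)  # three custodians hold shares, two are needed
    inventory = dict(km.wrapped_deks)    # wrapped DEKs are safe to copy offsite
    # Primary key manager lost: rebuild from two shares plus the wrapped-DEK inventory.
    km2 = KeyManager(kek=recover_secret([shares[0], shares[2]]), wrapped_deks=inventory)
    restored = km2.decrypt_cartridge("TAPE-000123", blob) == tape
    km2.crypto_erase("TAPE-000123")
    try:
        km2.decrypt_cartridge("TAPE-000123", blob)
        erased = False
    except KeyError:
        erased = True
    return {"restored": restored, "erased": erased, "events": [e["event"] for e in km2.audit]}
```

The audit list answers the questions the paper says auditors will ask (which media, which key, when), while the wrapped-DEK inventory and the quorum shares are the two artefacts that must survive for recovery to work.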

To-Do List
The increasing pervasiveness of encryption demands a scalable encryption and key management architecture,
so IT executives should plan accordingly. In addition, ESG recommends that CIOs:

Define processes. Encryption should be transparent, but key management processes demand military-
like formality and discipline. Since key management best practices are an industry work-in-progress, use
existing IT service and security management models like ITIL, COBIT, and ISO 27000 guidelines as a
foundation. Storage managers tasked with immediate tape encryption projects should coordinate their
activities with security and IT operations to ensure that new processes are aligned with existing or
planned IT best practices and service management efforts.

Choose a key management organization. Key management is not a generic security activity that
should be delegated to firewall administrators. Rather, it is highly specialized. While storage managers
may champion tape encryption projects, it is best to adopt a separation of duties model by leaving tape
operations within storage while tasking a trusted subset of the security staff with primary responsibility for
key management. Make sure to monitor and enforce policies with strong and frequent audits.

Follow industry progress. One of the responsibilities of the security team should be tracking the
progress of encryption technologies and standards. This will help guide future decisions, determine
interoperability options, and separate proprietary from more open vendors.


20 Asylum Street
Milford, MA 01757
Tel: 508-482-0188
Fax: 508-482-0218

www.enterprisestrategygroup.com
