Storage Security: Neglect It at Your Peril
With increasing regulatory demands and rapidly complexifying technology, storage security has become a discipline in its own right. Still, many companies don't include it in their security plans.
Hardly a week goes by without some sort of story appearing in the papers about one major financial institution or other losing back-up tapes containing confidential client information. When you consider that more data than ever is being stored for regulatory compliance and other reasons, and that companies are obliged in most cases to reveal data security breaches, it's not hard to see why data storage security is getting more attention than ever before.
And there's no doubt that storage security is getting more complex. Back in the days when storage meant direct attached storage (DAS), storage security was included in overall IT security. But as storage architectures have developed with the introduction of high speed, high capacity Fibre Channel based storage area networks (SANs) as well as more traditional Ethernet based network attached storage (NAS) systems, storage security has become a discipline in itself. Neglect it at your peril.
But alarmingly, many companies do seem to be neglecting it: 30 percent of 288 storage professionals surveyed by the Milford, MA-based research house Enterprise Strategy Group (ESG) said their companies' security policies did not include storage systems.
So what general steps should companies be taking to secure their stored data? The starting point for a systematic approach to storage security, according to Sal Capizzi, a senior analyst at Boston, MA-based Yankee Group, is to take stock of the various types of data being stored and classifying it according to how important it is and how costly it would be to the business if it were lost or stolen. Then for each classification, appropriate security policies should be set.
The next step, Capizzi says, is to enforce password and Wold Wide name identification (for Fibre Channel) and logical unit number (LUN) authorization to ensure that only authorized users, devices or applications can access data, and to implement LUN masking so that particular storage volumes can only be seen by authorized users, devices or applications.
Alarmingly (again), ESG estimates that 20 percent of companies do not know or are not in a position to tell if their storage security has been breached. A good first measure to enable you to do this is to ensure that all actions, accesses and changes to data are logged to provide a clear audit trail of who did what to which data from where, and when. Without such logs it is very hard to tell if or how data has been compromised.
Finally, don't neglect the boring obvious stuff: use anti-virus, and anti-spyware software and a suitable firewall, disable unused ports, change passwords frequently, and so on.
And since you can't counter every risk however much you spend, a disaster recovery plan to cope with fires, floods, sabotage and other catastrophes at the primary site also needs to be in place.
What about encryption? There are lot of diverging opinions on the need for data encryption, and when and where it should be used. For example, many experts recommend that removable tapes be encrypted as a precaution against them being lost accidentally, but others point out that tapes are relatively fragile, and any tapes that are lost and left lying around will very rapidly decay to the point that they are unreadable. Equally, data files on a tape cannot easily be read by anyone who happens upon them without the correct hardware and software applications to go with it. On the other hand, tapes that are deliberately targeted and stolen are significantly more secure if they have been suitably encrypted. Encryption is also useful to protect it when it is "in flight" from a storage system to a server over a network which might be penetrated by a hacker.
The good news is that advances in various technologies are likely to make managing mass storage, and storage security, much more effective in the near term. Virtualization, for example, is likely to make an increasingly large impact on storage systems because the ability to pool across multiple storage arrays makes the managing, migration and backup of data faster and cheaper. "Most vendors are incorporating virtualization technology into their products and I can see that continuing even more so moving forward," says Capizzi. "Virtualization will be the underlying technology for data management, data protection, and computing and storage technology," he says.
Perhaps the most significant development which is likely to have an impact in 2006 is continuous data protection (CDP). Using CDP, all data in a company's storage system is backed up every time a data change is made. In effect a storage snapshot is made at every modification, rather than every hour or so, or several times a day. As a result, should a database become corrupted or infected with a virus it can be restored to the state it was in immediately before this event took place. And what's more, data can be recovered in a matter of seconds. "I see 2006 being a big year for CDP," says Capizzi.
In the end, every company's storage architecture and security requirements will be different, so there is no easy to follow ten step plan to storage security. But if nothing else, don't ignore it. Storage security is a fundamental part of IT security, so incorporating storage security into security policies at a fundamental level, not as a bolted-on afterthought, is absolutely critical.