Opinion: Develop a game plan for storage security
Without one, you risk duplicating efforts and overlooking risks
Computerworld - How much progress is really being made in securing storage? For several years now, pundits have sounded the alarm about a range of security risks associated with storage. That includes everything from a lack of fundamental network security practices for SANs to the ever-familiar problems associated with handling off-site media. Regarding the latter, hardly a week goes by that some organization isn't reporting the loss or theft of laptops or tapes containing confidential information.
Yet, aside from those corporate victims in the spotlight that have been forced to make improvements, it seems that the state of storage security has been advancing very slowly.
Furthermore, many so-called storage security initiatives should be more accurately labeled as off-site tape security initiatives. In other words, the focus isn't on a strategic approach to securing the overall storage infrastructure, but on the pain point du jour -- in this case, the desire to avoid being the next organization to make headlines in Computerworld for the wrong reason. Certainly, the desire to close this particular security hole is understandable, but without an overall game plan, there is a strong likelihood that efforts will be duplicated and other risks overlooked. (Test how well your data is protected with the Storage Networking Industry Association's storage security self-assessment quiz.)
A widely reported study from the Identity Theft Resource Center found a 47% increase in data breaches in 2008 compared with 2007. Of these breaches, 20.7% involved "data on the move" -- on laptops or tapes, for example. However, twice as many incidents (41%) occurred through a combination of hacking, insider theft and subcontractor breaches.
Yet even the goal of securing off-site media hasn't been successfully addressed. Consider, for example, the lack of wide-scale adoption of encryption. Only 2.4% of the lost media in the above study was encrypted. Why is that? In the case of tape, it's not because of a lack of awareness or a misunderstanding of the problem -- that's painfully obvious. Nor is it because of a lack of technology available to address the problem. Encryption products for every level can be obtained from mainstream vendors: tape drive (LTO-4, IBM TS1130 or STK T10000), tape library (Spectra Logic), SAN switch (Cisco or Brocade), SAN or LAN appliance (NetApp) and host software (most backup applications).
It's easy to point to the challenges of key management as the primary roadblock to more widespread adoption of media encryption, and this is certainly a contributing cause. However, the problems of key management point to a larger issue: the lack of a comprehensive security strategy that truly encompasses storage. As long as storage sits at the periphery of organizations' security focus, there will continue to be risks, and obstacles to addressing those risks.
What's required is understanding that different entities within an enterprise access, manage, control and own responsibility for data. An effective strategy considers the security needs of all constituents.
A strategic approach to storage security would not only weigh additional risks beyond things like off-site media encryption, but would also identify which data needs to be encrypted and at what level. Perhaps if data is encrypted at the application level to protect against unauthorized access, it might not need to be re-encrypted at the tape level. If a centralized key-management function, with associated policies and processes, were instituted to manage all data security access, the prospect of off-site tape encryption wouldn't be as daunting.
Given the current economic reality, it's improbable that many organizations will undertake this type of program in the near future. However, it's important to begin to bridge the gap between storage and security and build a rational framework on which to incrementally improve. Otherwise, the breach tally is certain to climb even higher in 2009.
James Damoulakis is chief technology officer at GlassHouse Technologies Inc., an IT infrastructure consulting and services firm.