Opinion: Develop a game plan for storage security
Without one, you risk duplicating efforts and overlooking risks
Computerworld - How much progress is really being made in securing storage? For several years now, pundits have sounded the alarm about a range of security risks associated with storage. That includes everything from a lack of fundamental network security practices for SANs to the ever-familiar problems associated with handling off-site media. Regarding the latter, hardly a week goes by that some organization isn't reporting the loss or theft of laptops or tapes containing confidential information.
Yet, aside from those corporate victims in the spotlight that have been forced to make improvements, it seems that the state of storage security has been advancing very slowly.
Furthermore, many so-called storage security initiatives should be more accurately labeled as off-site tape security initiatives. In other words, the focus isn't on a strategic approach to securing the overall storage infrastructure, but on the pain point du jour -- in this case, the desire to avoid being the next organization to make headlines in Computerworld for the wrong reason. Certainly, the desire to close this particular security hole is understandable, but without an overall game plan, there is a strong likelihood that efforts will be duplicated and other risks overlooked. (Test how well your data is protected with the Storage Networking Industry Association's storage security self-assessment quiz.)
A widely reported study from the Identity Theft Resource Center found a 47% increase in data breaches in 2008 compared with 2007. Of these breaches, 20.7% involved "data on the move" -- on laptops or tapes, for example. However, twice as many incidents (41%) occurred through a combination of hacking, insider theft and subcontractor breaches.
Yet even the goal of securing off-site media hasn't been successfully addressed. Consider, for example, the lack of wide-scale adoption of encryption. Only 2.4% of the lost media in the above study was encrypted. Why is that? In the case of tape, it's not because of a lack of awareness or a misunderstanding of the problem -- that's painfully obvious. Nor is it because of a lack of technology available to address the problem. Encryption products for every level can be obtained from mainstream vendors: tape drive (LTO-4, IBM TS1130 or STK T10000), tape library (Spectra Logic), SAN switch (Cisco or Brocade), SAN or LAN appliance (NetApp) and host software (most backup applications).
It's easy to point to the challenges of key management as the primary roadblock to more widespread adoption of media encryption, and this is certainly a contributing cause. However, the problems of key management point to a larger issue: the lack of a comprehensive security strategy that truly encompasses storage. As long as storage sits at the periphery of organizations' security focus, there will continue to be risks, and obstacles to addressing those risks.
What's required is understanding that different entities within an enterprise access, manage, control and own responsibility for data. An effective strategy considers the security needs of all constituents.
A strategic approach to storage security not only would weigh additional risks beyond things like off-site media encryption, but would also consider identifying which data needs to be encrypted and at what level. Perhaps if data is encrypted at the application level to protect against unauthorized access, it might not need to be re-encrypted at the tape level. If a centralized key-management function, with associated policies and processes, were instituted to manage all data security access, the prospect of off-site tape encryption wouldn't be as daunting.
Given the current economic reality, it's improbable that many organizations will undertake this type of program in the near future. However, it's important to begin to bridge the gap between storage and security and build a rational framework on which to incrementally improve. Otherwise, the breach tally is certain to climb even higher in 2009.
James Damoulakis is chief technology officer at GlassHouse Technologies Inc., an IT infrastructure consulting and services firm.