Storage security focus for 2006
Storage security turned a corner in 2005. Now it's time for storage pros to get serious about security.
As far as I'm concerned, 2005 was a watershed year for storage security. EMC announced to the world that, moving forward, security would be integrated into the company and its products. Network Appliance voted with its wallet by acquiring Decru. Tape leaders such as Quantum and Spectra Logic added encryption capabilities to their systems.
Storage security victory! Well ... not quite.
Don't get me wrong. After three years of carrying on about storage security, it's great to see this new wave of progress ripple through the industry. In spite of this, IT storage managers and the storage vendor community still have a myopic view of security. Too many folks think the term "storage security" can be interpreted as either backup encryption or as a security appliance à la Kasten Chase or NeoScale.
So, my storage-centric brethren, when it comes to security there are a few things to keep in mind:
- Security must be systemic. Remember the television show Get Smart? At the beginning of each episode, Maxwell Smart (Agent 86) had to pass through a number of security checkpoints before arriving in his office. In this vintage TV example, each checkpoint is another "layer" of security, a model often referred to as "defense-in-depth." Storage security is no different; to be truly effective, encryption must be supported with things like access controls, strong authentication and monitoring.
- Security threats are always changing. Think about all the stuff you have to guard against on your PC: viruses, worms, spam, phishing, etc. The bad guys are discovering new attack vectors all the time. This means that the storage community has to remain in a constant state of security awareness. You have to make patching management servers and monitoring bug-tracking sites a priority, and ensure your staff is trained to know a scam when they see one.
- You can't manage (or in this case, secure) what you can't measure. I know this is a tired old business saying that everyone has heard from some dorky boss, but with security it's certainly a truism. If I don't capture baseline information, monitor changes and offer all this information up as reports, how can I tell how secure my storage is?
This was first published in May 2006