For years, storage professionals measured their technology using two criteria: performance and availability. Storage pros may have paid lip service to security, but they often viewed it as an afterthought. These attitudes were illustrated in "Storage Security Perspectives," a July 2004 Enterprise Strategy Group (ESG) research study that surveyed 388 storage and 128 security professionals. The data pointed to a consistent pattern of user and vendor storage security indifference, such as:
- Thirty percent of storage professionals admitted their security policies and procedures don't encompass data storage technologies such as storage arrays, SAN switches and storage management software.
- Twenty-seven percent of users had experienced a storage security breach, or didn't know or couldn't tell whether they had experienced one.
- In spite of the risks associated with offsite transportation and storing critical backup data, only 7% of organizations claim they "always" encrypt data as it's backed up to tape. At the other end of the spectrum, 60% of organizations said they never encrypt their backups.
- Only 43% of users believed their storage vendors' commitment to security was strong, while 47% rated it as marginal or weak.
Has anything changed?
Since that report, information security has been a newsworthy topic because of a series of visible security breaches and increasing government regulations. In terms of storage, there have been several highly publicized security breaches that have generated particular interest. At Bank of America and Time Warner, for example, backup tapes containing confidential information were either lost or stolen while in transit to offsite storage facilities.
Recent ESG research indicates that these high-visibility security events have spurred the lethargic storage community to action. In its latest survey, ESG asked 232 storage professionals the following question: "How has the recent wave of incidents involving organizations having their backup tapes lost or stolen changed your organization's approach to security as it pertains to the data protection process?" The responses indicate an encouraging trend: 47% say these events have prompted their organizations to take some type of storage security action. For the first time, ESG is seeing security activity.
Organizations are taking a number of steps toward better storage security, including:
- A little more than 25% of respondents say they're reviewing their offsite tape storage providers' policies and procedures. They want to know about the number and types of security incidents these service providers experience and how frequently they occur. To ease business executives' fears, many are also touring offsite storage facilities and auditing their processes.
- Almost 25% of users have accelerated their deployment or evaluation of data encryption technologies. On the demand side, vendors like Decru, Kasten Chase and NeoScale Systems report lots of incoming calls from users with a specific interest in tape encryption.
- Nearly 20% of users conducted or plan to conduct a security-focused audit of their data protection process. For many, this will be their first storage security audit.
This enterprise scrutiny makes sense: large organizations tend to have terabytes of data traveling offsite all the time and sensitive security and compliance issues, and they are aggressively addressing security vulnerabilities. Citibank, for example, has a model five-year plan to bolster its information security architecture and implement best practices. Large firms also tend to suffer the most damage from a PR black eye like a security breach.
One other interesting data point: 17% of users claim to have multiple security activities under way, while 30% are pursuing a single security action. These guys get it.
Should vendors react to this storage security push? Yes, and the reason is simply that it's what their customers expect them to do. When ESG asked, "Do you believe that data protection solutions should increasingly incorporate information security features such as data encryption and access management?" 88% of respondents said "Yes." However, 52% of all users (and 59% of those that said "Yes") believe these features should be included only if they're offered for free.
Right direction, wrong effort
Clearly, storage professionals are worried about security and are finally motivated to take some action. On the other hand, they seem to want their storage vendors to step in like superheroes and address their security concerns on the house. There's a real disconnect here.
The time has come for action, but what additional steps should storage professionals take? ESG believes storage professionals must embrace a storage security lifecycle methodology that reduces risk and responds to problems on a continual basis.
A storage security lifecycle has four phases:
- Baseline the current storage infrastructure. How secure or insecure is the existing storage infrastructure? You won't know until you turn over every rock, looking at both technology and processes. Are storage management apps running on unpatched servers? Do numerous staffers have administrator passwords on the Fibre Channel switches? Are the IP interfaces on the storage devices visible to anyone with network access? Your analysis should be exhaustive because a missed vulnerability could lead to a security incident.
- Build a storage security priority list. Once you know what's broken, you'll have to decide what to fix and in what order. Work with business executives to prioritize the work based upon business risk, technical vulnerabilities and remediation cost. Before you touch any piece of equipment, make sure all affected groups agree that the plan maps to business priorities.
- Build measurable controls and remediate technology problems. With business needs clearly defined, it's time to make necessary changes. Filling security holes in critical storage infrastructure is important, but many companies forget to address their processes as well. Establish controls that help you restrict access to storage systems, and then audit who touches them and what they do.
- Monitor for security on a continuous basis. Many companies that put the time and resources into addressing security problems don't follow through with nonstop vigilance. Security isn't a point-in-time solution because the storage infrastructure is subject to daily moves, adds and changes that can cause new vulnerabilities. It's important to recognize this and to remain alert for problems.
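As an added illustration of the four phases (this code is not from the column or from ESG; the asset names, the checks and the scoring weights are all constructed for the example), here is a small Python model of the lifecycle. `baseline()` walks an inventory and records the kinds of findings the first phase looks for (management interfaces on the general network, unpatched management hosts, widely shared administrator passwords, unencrypted offsite tapes); `priority_list()` ranks them by business risk and technical severity against remediation cost; and `new_findings()` diffs a later baseline against the earlier one, so the daily moves, adds and changes of the fourth phase surface as new work items rather than going unnoticed.

```python
"""Storage security lifecycle, modelled in code.

Added example, not the column's or ESG's own method: asset names, checks
and weights are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class StorageAsset:
    name: str
    kind: str                      # "array", "fc_switch", "mgmt_server" or "tape_set"
    business_risk: int             # 1 (low) .. 5 (critical), agreed with business owners
    mgmt_on_general_lan: bool = False   # IP management interface reachable by any LAN user
    unpatched: bool = False             # management host missing vendor/OS patches
    shared_admin_accounts: int = 1      # how many staff hold the administrator password
    backups_encrypted: bool = True      # only meaningful for kind == "tape_set"


@dataclass
class Finding:
    asset: str
    issue: str
    severity: int          # technical vulnerability, 1 .. 5 (illustrative weights)
    remediation_cost: int  # 1 (cheap) .. 5 (expensive), illustrative
    business_risk: int

    def priority(self) -> float:
        # Higher is more urgent: exposure weighted by how cheap it is to fix.
        return self.business_risk * self.severity / self.remediation_cost


def baseline(assets: list[StorageAsset]) -> list[Finding]:
    """Phase 1: turn over every rock and record what is found."""
    findings: list[Finding] = []
    for a in assets:
        if a.mgmt_on_general_lan:
            findings.append(Finding(a.name, "management interface reachable from general network",
                                    severity=4, remediation_cost=2, business_risk=a.business_risk))
        if a.unpatched:
            findings.append(Finding(a.name, "unpatched management host",
                                    severity=4, remediation_cost=1, business_risk=a.business_risk))
        if a.shared_admin_accounts > 2:
            findings.append(Finding(a.name, f"{a.shared_admin_accounts} staff share the admin password",
                                    severity=3, remediation_cost=2, business_risk=a.business_risk))
        if a.kind == "tape_set" and not a.backups_encrypted:
            findings.append(Finding(a.name, "offsite backup tapes not encrypted",
                                    severity=5, remediation_cost=3, business_risk=a.business_risk))
    return findings


def priority_list(findings: list[Finding]) -> list[Finding]:
    """Phase 2: order the work by business risk, vulnerability and cost."""
    return sorted(findings, key=lambda f: f.priority(), reverse=True)


def new_findings(previous: list[Finding], current: list[Finding]) -> list[Finding]:
    """Phase 4: anything in the new baseline that the old one did not contain."""
    seen = {(f.asset, f.issue) for f in previous}
    return [f for f in current if (f.asset, f.issue) not in seen]


# Constructed inventory for the first baseline.
INVENTORY = [
    StorageAsset("sales-array-01", "array", business_risk=5, mgmt_on_general_lan=True),
    StorageAsset("fc-switch-core", "fc_switch", business_risk=4, shared_admin_accounts=6),
    StorageAsset("san-mgmt-01", "mgmt_server", business_risk=3, unpatched=True),
    StorageAsset("offsite-tapes-weekly", "tape_set", business_risk=5, backups_encrypted=False),
    StorageAsset("dev-array-02", "array", business_risk=1),
]

# A week later: a new array was racked with its management port on the general LAN.
INVENTORY_NEXT_WEEK = INVENTORY + [
    StorageAsset("hr-array-03", "array", business_risk=4, mgmt_on_general_lan=True),
]

if __name__ == "__main__":
    first = baseline(INVENTORY)
    for f in priority_list(first):
        print(f"{f.priority():5.1f}  {f.asset:22s} {f.issue}")
    for f in new_findings(first, baseline(INVENTORY_NEXT_WEEK)):
        print(f"NEW   {f.asset:22s} {f.issue}")
```

With these constructed weights the cheap-to-fix unpatched management host outranks the unencrypted tapes, which is the point of folding remediation cost into the ranking: the priority list is a negotiation with the business, not a severity table, and the weights should be set with the executives who own the risk. The third phase (measurable controls) is the output of this list, and the monitoring diff is what makes the controls measurable week over week.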
Finally, too many storage professionals equate security with encryption. Security people talk about layered security, or defense in depth. Think of encryption as one important layer; without the other security steps described above, encryption can be easily circumvented.
Storage professionals are beginning to turn the corner on security, but the pace is still slow and they remain misguided. By following a storage security lifecycle approach, storage professionals can cover their bases, build repeatable processes and measure progress.