This article can also be found in the Premium Editorial Download "Storage magazine: Storage Products of the Year 2005."
Nearline data is vulnerable
According to the ESG research, I'm not "el lobo solo." Almost a quarter of the survey respondents said online or nearline disk-based archives pose a "significantly increased vulnerability," while another 48% claim archival presents a "moderately increased vulnerability." Interestingly, those users with archival solutions in place were more likely to believe that archiving introduced a significant vulnerability. It's also important to note that large enterprises in the survey had the highest number of archival solutions installed.
Allow me to analyze this data a bit. Large organizations with data archival solutions deployed were most likely to claim that this introduced a significant vulnerability. On the security front, these folks are also the most likely to have skilled security professionals, sophisticated security technologies in place, rigid controls and active security monitoring. My point is that this relationship is no coincidence. If organizations with highly developed security people, processes and technologies are concerned about the security impact of data archiving, shouldn't this sound a universal alarm?
Smart storage managers will take this information to heart and include security defenses as part of their data archiving planning and implementation. This is a broad statement, but from a storage perspective, it's important to do the following:
- EXAMINE PHYSICAL SECURITY. Most respondents indicated that their data would be archived to disk rather than to tape. This isn't a surprise because it echoes other storage trends like the growth in disk-to-disk backup. With regard to security, it's important to assess where this disk storage is located and who has physical access to systems. Is it located in a data center with strong access control? Can the organization monitor who enters and exits? Are racks locked? Are visitors escorted into data center facilities? Do these policies include vendors? Are vendor technicians allowed to work in these facilities alone? These may seem like basic questions, but almost 25% of organizations consistently fail to enforce the policies behind them. Rather than assume that these controls are in place, it's worth a look.
- ASSESS THE DATA ARCHIVAL INFRASTRUCTURE. Smart storage networks can automate the process of tagging, archiving and logging the movement of confidential data from primary storage to a separate archive. This provides a paper trail for archiving, but it's important to look at the entire infrastructure to flush out any other vulnerabilities. Is there an authentication mechanism between primary and archival storage? If not, the archival solution could be vulnerable to a spoofing attack. Is the archival data transmitted in clear text? If so, it's susceptible to snooping or tampering. Is the data archival server on a hardened platform and patched on a regular basis? It's important to look at every piece of the infrastructure--if you don't, the bad guys will.
- LOCK DOWN ACCESS CONTROLS. This is an area where storage people are constantly behind the times. Passwords like "password" or "admin" are far too common in the storage domain and even in high-security shops; it's not uncommon for storage administrators to have access to everything--systems, Fibre Channel switches, backup software, etc. Most chief risk officers will reach for the aspirin when they think about the combination of these sloppy authentication and access controls with an archival solution full of confidential data. ESG research data shows some promise here as 72% of respondents said they'll deploy software access controls to protect their data archives.
- LOOK AT ENCRYPTION SOLUTIONS FOR DATA AT REST. As a final layer in data archival security, encryption will help you sleep better at night. Decru, NeoScale Systems and Kasten Chase are veteran players, while tape encryption is now supported by IBM, Quantum and Spectra Logic directly on the drives. As you evaluate solutions, make sure to ask vendors about their support for the IEEE 1619 standard for encryption of data at rest and examine your vendor's encryption-key management tools. These are the areas that will quickly separate the experts from the posers.
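The questions in the infrastructure item above (is the primary-to-archive path authenticated, and can tampering be detected?) can be made concrete with an archive "paper trail" whose entries are authenticated and chained. This is an added example, not from the article or any vendor it names; the shared key, record fields and function names are assumptions, and it addresses spoofing and tampering only, not snooping on clear-text data.

```python
import hashlib
import hmac
import json

# Assumption: primary and archive share this key out of band (constructed value).
SHARED_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
BAD_RECORD = "record not authenticated (spoofed, altered, reordered or dropped)"
BAD_PAYLOAD = "payload missing or modified"
FIELDS = ("seq", "object", "tag", "sha256")


def _mac(key, prev_mac, body):
    """HMAC-SHA256 over the previous record's MAC plus this record's canonical body."""
    msg = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(trail, key, obj_id, tag, payload):
    """Primary side: log one object sent to the archive, chained to the prior entry."""
    prev = trail[-1]["mac"] if trail else GENESIS
    body = {"seq": len(trail), "object": obj_id, "tag": tag,
            "sha256": hashlib.sha256(payload).hexdigest()}
    trail.append({**body, "mac": _mac(key, prev, body)})


def verify_trail(trail, key, payloads):
    """Archive side: return (index, reason) findings; an empty list means all checks pass."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(trail):
        body = {k: rec[k] for k in FIELDS}
        expected = _mac(key, prev, body)
        if rec["seq"] != i or not hmac.compare_digest(rec["mac"], expected):
            findings.append((i, BAD_RECORD))
        data = payloads.get(rec["object"])
        if data is None or hashlib.sha256(data).hexdigest() != rec["sha256"]:
            findings.append((i, BAD_PAYLOAD))
        prev = rec["mac"]
    return findings


if __name__ == "__main__":
    # Constructed sample objects standing in for archived files.
    received = {"hr/payroll.db": b"constructed export", "legal/brief.pdf": b"constructed brief"}
    trail = []
    for name, data in received.items():
        append_record(trail, SHARED_KEY, name, "confidential", data)
    received["legal/brief.pdf"] = b"altered on the wire"
    print(verify_trail(trail, SHARED_KEY, received))
```

A record written without the shared key, a changed tag, a dropped entry or a modified payload each produce a finding at the affected index, which is what turns the paper trail into evidence rather than an unauthenticated log.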
Data archiving has moved from an upper-crust luxury to a mainstream requirement, and storage people are definitely implementing solutions. Savvy companies will protect these critical solutions with the right level of security. Foolish companies will find that while their heads were in the sand, their confidential archived data was hacked.
This was first published in February 2006