IT departments at enterprises and midmarket companies are spending money on traditional desktop, perimeter and network security infrastructures with the top five areas being anti-spam, antivirus, intrusion-detection systems (IDS) and firewalls. What about storage? Although storage security hasn't made Morgan Stanley's top 10 list yet, there's a cottage industry of vendors addressing this space. Companies such as Decru, NeoScale and Vormetric Inc. manufacture appliances that sit in the data path and encrypt and decrypt data as it flows to and from the storage tier. According to these security vendors, encrypting the data at rest provides companies with an extra layer of protection because data on storage devices will effectively be turned to gibberish, alleviating the threat of information espionage.
Should IT managers invest
Requires Free Membership to View
When you register for SearchStorage.com, you’ll also receive targeted emails from my team of award-winning editorial writers. Our goal is to keep you informed on the hottest topics, the latest news and the biggest challenges you face as a storage professional today.
Rich Castagna, Editorial Director
in this new breed of storage security devices? Perhaps, but throwing technology alone at storage security is a mistake because other security holes may expose corporate data to all kinds of deviants. For example, if a hacker can gain root access to a Unix server, storage security appliances will willingly decrypt and serve up its data gobbledygook as the security breach is out of its domain. To enhance security, storage managers must unite with their IT and business brethren to build a comprehensive, enterprisewide security strategy.
Five steps for building your company's security strategy
A strong security commitment should include the following:
1. Executive management leadership. In spite of all of the IT-related activity, security is a business, not a technology issue. The CEO and board of directors must recognize this fact and actively participate in setting policy, weighing and prioritizing risks and monitoring vulnerabilities and progress. Of course, chief executives can't be responsible for day-to-day security operations. CEOs in large companies should appoint chief security officers (CSOs) to manage both physical and information security. To maximize efficiency, CSOs should report directly to the CEO and have their own budgets and staffs. These newly appointed CSOs will work with the storage team as part of an overall information security effort.
2. Strong security policies. Part of a security undertaking is examining all business and technology processes for risk and vulnerabilities, then reacting to problems with the appropriate policies and procedures. The CSO's team should be responsible for setting policy and overseeing security management, but works in collaboration with the IT team on day-to-day operations. Security groups will work with the storage team to assess storage risks, implement policies and technologies and monitor results. In addition to technical concerns, the storage team should also prepare for more invasive security policies. Given that storage administrators work on technology that houses critical information assets, companies would be well advised to do background checks on all storage personnel and monitor them closely thereafter.
3. Employee training. Most companies focus their security efforts on the unknown threats beyond the firewall, yet 50% to 75% of security attacks--depending upon whose numbers you believe--are perpetrated by insiders. Some of this is malicious activity by highly skilled workers, but many of the problems stem from sloppy employee execution: an employee who uses their pet's name as their password; an overburdened system administrator that fails to delete user accounts; a software developer whose code is fraught with buffer overflows. To overcome these problems, all employees should be required to go through general and specific security training classes. The CSO's group--along with HR--should run general classes on global issues such as sound password management. Specific classes for IT personnel would center on job-related security issues. Storage administrator training would focus on storage networking security features, such as zoning and LUN masking, storage network administration, network-attached storage (NAS)-based access control lists (ACLs) and general best practices.
4. Physical security. A security services specialist I know recently related this story to me. He was doing a security audit for a large bank in New York City. In an introductory meeting, the CIO boldly proclaimed, "I don't really know why we are doing this security audit. I run a tight ship, and you won't find any holes in our network." The next day, the CIO was aghast to see that the consultant had a spreadsheet with all of the IT salary information. How did this happen? The network was in fact quite secure, so the service professional simply put on a WorldCom T-shirt, got past the reception area, walked into the data center and grabbed a DLT tape. The lesson for storage professionals is obvious: Physical access to IT resources and storage devices must be extremely tight, constantly policed and monitored for intrusions. Internal alarm bells should go off whenever a stranger is present, especially if they're touching equipment, regardless of what type of clothing or identification they're wearing.
5. Strong IT governance. Common wisdom says that information security attacks are the digital equivalent of massive terrorist attacks that lead to widespread damage. In fact, most security attacks are more like the "death by a thousand cuts" theory. An attacker cases your network looking for weaknesses and targets, then exploits them for various purposes. For example, I heard of an incident in which an IT administrator took advantage of a vulnerability with an Apache Web server running on Linux to store several hundred gigabytes of MP3 files on company equipment.
This was first published in July 2003