How to build a storage security strategy for your enterprise


This article can also be found in the Premium Editorial Download "Storage magazine: Evaluating the benefits of IP SANs."

Download it now to read this article plus other related content.

Talk with any IT person these days and you'll hear that security concerns are on the top of their mind. Many of these folks were burned back in January by SQL Slammer, which affected 200,000 systems, did over $1 billion in damages, impacted major corporations such as Bank of America, Continental Airlines and Microsoft and ruined a lot of weekend plans. Severe problems like these lead to action. According to a Morgan Stanley survey of 225 CIOs conducted in December 2002, security spending tops their 10 highest priorities for 2003. In spite of the continued slow economy, security is one area where spending is real and sector growth is inevitable.

IT departments at enterprises and midmarket companies are spending money on traditional desktop, perimeter and network security infrastructures with the top five areas being anti-spam, antivirus, intrusion-detection systems (IDS) and firewalls. What about storage? Although storage security hasn't made Morgan Stanley's top 10 list yet, there's a cottage industry of vendors addressing this space. Companies such as Decru, NeoScale and Vormetric Inc. manufacture appliances that sit in the data path and encrypt and decrypt data as it flows to and from the storage tier. According to these security vendors, encrypting the data at rest provides companies with an extra layer of protection because data on storage devices will effectively be turned to gibberish, alleviating the threat of information espionage.

Should IT managers

Requires Free Membership to View

invest in this new breed of storage security devices? Perhaps, but throwing technology alone at storage security is a mistake because other security holes may expose corporate data to all kinds of deviants. For example, if a hacker can gain root access to a Unix server, storage security appliances will willingly decrypt and serve up its data gobbledygook as the security breach is out of its domain. To enhance security, storage managers must unite with their IT and business brethren to build a comprehensive, enterprisewide security strategy.

Five steps for building your company's security strategy

A strong security commitment should include the following:

1. Executive management leadership. In spite of all of the IT-related activity, security is a business, not a technology issue. The CEO and board of directors must recognize this fact and actively participate in setting policy, weighing and prioritizing risks and monitoring vulnerabilities and progress. Of course, chief executives can't be responsible for day-to-day security operations. CEOs in large companies should appoint chief security officers (CSOs) to manage both physical and information security. To maximize efficiency, CSOs should report directly to the CEO and have their own budgets and staffs. These newly appointed CSOs will work with the storage team as part of an overall information security effort.

2. Strong security policies. Part of a security undertaking is examining all business and technology processes for risk and vulnerabilities, then reacting to problems with the appropriate policies and procedures. The CSO's team should be responsible for setting policy and overseeing security management, but works in collaboration with the IT team on day-to-day operations. Security groups will work with the storage team to assess storage risks, implement policies and technologies and monitor results. In addition to technical concerns, the storage team should also prepare for more invasive security policies. Given that storage administrators work on technology that houses critical information assets, companies would be well advised to do background checks on all storage personnel and monitor them closely thereafter.

3. Employee training. Most companies focus their security efforts on the unknown threats beyond the firewall, yet 50% to 75% of security attacks--depending upon whose numbers you believe--are perpetrated by insiders. Some of this is malicious activity by highly skilled workers, but many of the problems stem from sloppy employee execution: an employee who uses their pet's name as their password; an overburdened system administrator that fails to delete user accounts; a software developer whose code is fraught with buffer overflows. To overcome these problems, all employees should be required to go through general and specific security training classes. The CSO's group--along with HR--should run general classes on global issues such as sound password management. Specific classes for IT personnel would center on job-related security issues. Storage administrator training would focus on storage networking security features, such as zoning and LUN masking, storage network administration, network-attached storage (NAS)-based access control lists (ACLs) and general best practices.

4. Physical security. A security services specialist I know recently related this story to me. He was doing a security audit for a large bank in New York City. In an introductory meeting, the CIO boldly proclaimed, "I don't really know why we are doing this security audit. I run a tight ship, and you won't find any holes in our network." The next day, the CIO was aghast to see that the consultant had a spreadsheet with all of the IT salary information. How did this happen? The network was in fact quite secure, so the service professional simply put on a WorldCom T-shirt, got past the reception area, walked into the data center and grabbed a DLT tape. The lesson for storage professionals is obvious: Physical access to IT resources and storage devices must be extremely tight, constantly policed and monitored for intrusions. Internal alarm bells should go off whenever a stranger is present, especially if they're touching equipment, regardless of what type of clothing or identification they're wearing.

5. Strong IT governance. Common wisdom says that information security attacks are the digital equivalent of massive terrorist attacks that lead to widespread damage. In fact, most security attacks are more like the "death by a thousand cuts" theory. An attacker cases your network looking for weaknesses and targets, then exploits them for various purposes. For example, I heard of an incident in which an IT administrator took advantage of a vulnerability with an Apache Web server running on Linux to store several hundred gigabytes of MP3 files on company equipment.

This was first published in July 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: