This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."
Regulations drive security concerns
Much of the concern over data security within IP circles is driven by government regulations. On the business side, an equal concern is the threat of litigation. One of the most frequently cited regulations is the Sarbanes-Oxley (SOX) Act of 2002, which requires that certain financial data have an audit trail back to its source. But SOX is only the tip of the iceberg.
California's Information Practices Act, also known as SB-1386, has broad implications. It requires companies that have suffered a theft of personal information to notify any customers who may be affected. SB-1386 has driven many companies to implement encryption so they can protect their customers' private data.
The Gramm-Leach-Bliley Act of 1999 and HIPAA also require companies to protect personal data. In addition, the Payment Card Industry (PCI) Data Security Standard imposes strict requirements on credit card processors. Companies affected by any of these regulations should strongly consider encryption technology and assess whether their storage networks are vulnerable to data theft.
It's important to remember that the stereotypical teenage hacker attacking your systems from across the Internet reflects only a small portion of actual security breaches. You're far more likely to suffer a breach in the confidentiality, availability or integrity of your data at the hands of an insider, whether malicious or not.
There have been numerous press reports of insiders who have absconded with critical data, and it's likely that many more cases go unreported. Preventing unauthorized employee access to data has become more critical in light of regulations like the Sarbanes-Oxley Act of 2002, HIPAA and the Payment Card Industry Data Security Standard (see "Regulations drive security concerns," at right). Sadly, no current IT technology lets storage managers understand the business importance of the data contained in the bits and bytes they manage. Enabling this kind of security will require a whole new level of interaction between IT and business units.
Not all security breaches are malicious. Many common breaches are accidental or caused by an interaction of unrelated system components. For instance, a system admin could take down a RADIUS server without realizing that it was authenticating storage traffic. Or a backup administrator could restore all files in a directory instead of just the requested one.
A final element to consider is that storage is one of the lower-level slices of the IT systems layer cake. No matter how secure your storage array and network are, data will always be vulnerable if a server or app is compromised. "The focus today is more on securing your servers--if you have access to the server, then you have access to the storage," says LeftHand Networks' Spiers. No amount of encryption or authentication will prevent access by a program or user who's supposed to get in. In the end, all storage admins can do is keep their system reliable and hope others do the same.
This was first published in May 2007