This article can also be found in the Premium Editorial Download "Storage magazine: Low-cost storage pieces fall into place."
Many shops with an abundance of firewalls, intrusion detection systems (IDS) and antivirus software still fail the physical security test. When it comes to physical security and storage, be sure to:
- Place storage equipment in locked cages in the data center. In the client/server era, the general philosophy was to colocate systems with the users they supported, for technical reasons (slow LAN speeds) and political reasons (distributed IT budgets). Those days are gone; storage belongs in the data center, where physical access can be controlled and logged.
- Adhere to a strict tape management policy. Security books are full of stories of rogue IT workers stealing backup tapes to extort money from their employers, an opportunity created by poor tape management practices. Close it with appropriate tape labeling, off-site rotation, backup encryption and secure tape storage procedures. Note that encryption only protects a lost or stolen cartridge if the keys are kept apart from the media; a key written to the same tape, or to the same off-site box, protects nothing.
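The tape controls above, worked through as an added shell example (not code from the original article): a backup set is encrypted with a key that never touches the cartridge, each tape gets a structured label, and a manifest kept with the key records the label and digest of what was written, so that a missing, swapped or tampered cartridge is caught before anyone trusts a restore from it. It assumes POSIX sh with tar, awk and an openssl that supports `-pbkdf2` (1.1.1 or later); the label scheme, paths and sample files are illustrative and constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Encrypt a backup set before it
# goes to tape, keep the key off the cartridge, and record label + digest in a
# manifest. Assumes POSIX sh, tar, awk, openssl >= 1.1.1. Label scheme, paths
# and sample data are illustrative.
set -eu

# Tape label: backup set, ISO week, level, sequence, e.g. FIN-2003W42-FULL-01.
make_label() {
    printf '%s-%s-%s-%02d\n' "$1" "$2" "$3" "$4"
}

# 256-bit key, generated once and stored away from the media (escrow, HSM, or
# at least a separate access-controlled host). It is never written to the tape.
gen_key() {
    openssl rand -hex 32 > "$1"
    chmod 600 "$1"
}

sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Stream tar through AES-256-CBC with a PBKDF2-derived key; plaintext is never
# written to disk on its way to the drive. $3 stands in for the tape device.
write_encrypted_tape() {
    # $1 source dir, $2 key file, $3 output image
    tar -C "$1" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$2" -out "$3"
}

restore_encrypted_tape() {
    # $1 image, $2 key file, $3 restore dir
    mkdir -p "$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" | tar -C "$3" -xf -
}

# Manifest line: <label> <sha256 of encrypted image>. Kept with the key, not the tape.
record_tape() {
    # $1 manifest, $2 label, $3 image
    printf '%s %s\n' "$2" "$(sha256_of "$3")" >> "$1"
}

# Prints ok, MISMATCH (image differs from what was written) or UNKNOWN (label
# never recorded, e.g. a cartridge that came back from off-site but is not ours).
verify_tape() {
    # $1 manifest, $2 label, $3 image
    expected="$(awk -v l="$2" '$1 == l { print $2 }' "$1")"
    if [ -z "$expected" ]; then
        echo UNKNOWN
    elif [ "$expected" = "$(sha256_of "$3")" ]; then
        echo ok
    else
        echo MISMATCH
    fi
}

# What a thief gets: restoring with any key but the right one yields no usable
# file. Prints yes when the named file does not come back, no otherwise.
unreadable_without_key() {
    # $1 image, $2 relative path of a file the backup is known to contain
    scratch="$(mktemp -d)"
    printf 'not-the-real-key\n' > "$scratch/wrong.key"
    restore_encrypted_tape "$1" "$scratch/wrong.key" "$scratch/restore" 2>/dev/null || true
    if [ -e "$scratch/restore/$2" ]; then echo no; else echo yes; fi
    rm -rf "$scratch"
}

# End-to-end run on constructed sample data.
demo() {
    w="$(mktemp -d)"
    mkdir -p "$w/data" "$w/keys" "$w/tape"
    printf 'payroll Q3\n' > "$w/data/payroll.csv"        # constructed sample
    printf 'customer list\n' > "$w/data/customers.txt"   # constructed sample
    gen_key "$w/keys/FIN.key"
    label="$(make_label FIN 2003W42 FULL 1)"
    write_encrypted_tape "$w/data" "$w/keys/FIN.key" "$w/tape/$label.img"
    record_tape "$w/manifest" "$label" "$w/tape/$label.img"
    echo "label=$label verify=$(verify_tape "$w/manifest" "$label" "$w/tape/$label.img")"
    echo "unreadable_without_key=$(unreadable_without_key "$w/tape/$label.img" payroll.csv)"
    restore_encrypted_tape "$w/tape/$label.img" "$w/keys/FIN.key" "$w/restore"
    cmp "$w/data/payroll.csv" "$w/restore/payroll.csv"   # set -e aborts on mismatch
    echo "restore=ok"
    rm -rf "$w"
}

demo
```

The manifest is the piece most often skipped in practice: without it, an operator has no way to tell that the cartridge labeled FIN-2003W42-FULL-01 that came back from the off-site vendor is the one that went out, and a tape that was swapped or overwritten is only discovered at restore time.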
Policies and procedures
Although the storage group won't be called on to develop security policies, compliance is mandatory. Particular attention should
- Change and configuration management: Sloppiness here inevitably leads to security vulnerabilities and downtime. Work with the entire IT staff to develop change management policies, procedures and documentation standards.
- Data classification: Information value, age, useful life and personal association are often used to classify data into private-sector categories such as public, sensitive, private and confidential. Once data is classified, the storage group is instrumental in implementing the controls each category requires. Data classification is difficult, but it leads to improved security, lower costs and easier compliance with regulations.
- BC/DR: The storage team plays a starring role in backup/restore procedures through BC and DR planning. Storage and security should work together on this.
The storage staff must be prepared to participate in the enterprise security effort. This will require:
- Background checks: Experience with EMC, Brocade and Veritas can't forgive a rap sheet of felonious activities. All personnel must be screened appropriately.
- Training: To add security skills to the mix, the storage team should receive specific security training on storage vulnerabilities, fixes and general security prevention, detection and reaction techniques. It's worthwhile to encourage the storage staff to take the Certified Information Systems Security Professional (CISSP) exam to broaden their knowledge base.
There's an old security saying: the enterprise security chain is only as strong as its weakest link. The storage team should do whatever it takes to avoid being that link, taking proactive steps to fix existing people, process and technology security holes while preparing for future challenges.
This was first published in October 2003