This article can also be found in the Premium Editorial Download "Storage magazine: A look inside Hitachi's TagmaStor high-end arrays."
[Figure: Security pros less confident in storage safety]
In a post-Sept. 11 world, companies take information security seriously. In our survey, 63% of the respondents described their IT departments as extremely diligent when it comes to information security, and about half of that number said their IT groups address information security when necessary. But when asked if their storage infrastructure was secure, 8% of storage professionals said it was insecure, as did 16% of security experts (see "Security pros less confident in storage safety"). Those numbers may seem modest, but when it comes to security, 8% and 16% are significant figures.
Storage security still lags behind the efforts that IT departments put into securing other information processing resources. In many IT shops, the storage group is a security island. Networking, application and system groups often collaborate on security policies, procedures and technologies, while storage teams are left on their own. This was confirmed by the 30% of respondents who said their security policies and procedures didn't include storage arrays, storage area network (SAN) switches and storage management software.
A knowledge gap also contributes to lax storage security. The survey suggests that storage staffs are undereducated about security and security gurus lack storage intelligence. Storage teams often limit security to zoning and LUN masking, which are small parts of the total picture. And security pros typically focus on defending the network with firewalls, antivirus software and intrusion detection systems--a long distance from the SAN infrastructure. With the growing use of network technologies, Internet applications and distributed storage, the groups need to learn more about each other's worlds.
[Figure: Storage not immune to security breaches]
Storage security breaches
One of the more alarming survey statistics relates to storage security breaches that could result in business disruption or intellectual property theft. While 73% of users didn't have a storage security breach, 7% said they had. Additionally, 12% didn't know if they'd had a breach, while another 8% said that they couldn't tell. Taken together, the 27% adds up to a significant number of real or potential threats (see "Storage not immune to security breaches").
Of the respondents who experienced a security breach, 64% also said their companies were diligent about security; 9% of those whose security practices included storage reported having had a breach. An optimistic analysis might conclude that companies with a commitment to security are far more likely to find storage security breaches and may also have policies in place to minimize the damage. But another perspective reveals a more ominous trend. If firms with strong security processes report the highest percentage of security breaches, it's logical to assume that the potential for storage security problems is even greater for companies with less-dedicated security efforts.
Three-quarters of the survey respondents said a storage security breach is most likely to originate from within the company. Forty-one percent felt that the probable source would be a deliberate attack by an IT employee, while 33% said human error was the most likely culprit.
Strong physical security and well-defined HR policies can help mitigate security threats related to malicious employees. Physical security improvements may include data center access controls, security cameras and careful screening of visitors accessing IT resources. HR policies can include employee background checks, security training and strict penalties for violations.
This was first published in September 2004