Storage at risk

A new survey of Storage magazine readers by the Enterprise Strategy Group reveals that storage security is weak. IT staffs--with help from storage vendors--need to do more to secure storage.

This article can also be found in the Premium Editorial Download: Storage magazine: A look inside Hitachi's TagmaStor high-end arrays.

Survey methodology:
The Enterprise Strategy Group (ESG) conducted a survey in March and April of 2004 with selected Storage magazine subscribers to assess attitudes regarding storage security. ESG surveyed 388 storage and 128 security professionals in 10 industry segments. Company size varied from less than $50 million in revenue to more than $5 billion. Quantitative analysis was supported by interviews. The data presented here reflects the responses of storage professionals unless otherwise noted. For more information, send an e-mail to info@enterprisestrategygroup.com.
From the boardroom to users' desktops, data security is a critical issue, yet storage security remains underserved, often leaving data vulnerable. Based on the results of a survey conducted by the Milford, MA-based Enterprise Strategy Group (ESG) in conjunction with Storage magazine, ESG concluded that:
  • Storage security exposes significant weaknesses. Many companies--even those with strong commitments to security--revealed problems with storage security knowledge, IT processes and technology management.
  • Storage security breaches are a real threat. While most users haven't experienced problems, a significant percentage have suffered a storage security breach or aren't sure if their storage security has been compromised.
  • Storage vendors aren't pulling their weight. Users often rely on their storage vendors for help in dealing with storage security issues, yet many companies don't believe that storage vendors are committed to information security issues.
For more details on how the survey was conducted, see "Survey methodology".

Security pros less confident in storage safety

Securing storage
In a post-Sept. 11 world, companies take information security seriously. In our survey, 63% of the respondents described their IT departments as extremely diligent when it comes to information security, and about half of that number said their IT groups address information security when necessary. But when asked if their storage infrastructure was secure, 8% of storage professionals said it was insecure, while 16% of security experts concurred (see "Security pros less confident in storage safety"). Those numbers may seem modest, but when it comes to security, 8% and 16% are significant figures.

Storage security still lags behind the efforts that IT departments put into securing other information processing resources. In many IT shops, the storage group is a security island. Networking, application and system groups often collaborate on security policies, procedures and technologies, while storage teams are left on their own. This was confirmed by the 30% of respondents who said their security policies and procedures didn't include storage arrays, storage area network (SAN) switches and storage management software.

A knowledge gap also contributes to lax storage security. The survey suggests that storage staffs are undereducated about security and security gurus lack storage intelligence. Storage teams often relegate security to zoning and LUN masking, which are small parts of the total picture. And security pros typically focus on defending the network with firewalls, antivirus software and intrusion detection systems--a long distance from the SAN infrastructure. With the growing use of network technologies, Internet applications and distributed storage, the groups need to learn more about each other's worlds.

Storage not immune to security breaches

Storage security breaches
One of the more alarming survey statistics relates to storage security breaches that could result in business disruption or intellectual property theft. While 73% of users didn't have a storage security breach, 7% said they had. Additionally, 12% didn't know if they'd had a breach, while another 8% said that they couldn't tell. Taken together, the 27% adds up to a significant number of real or potential threats (see "Storage not immune to security breaches").

Of the respondents who experienced a security breach, 64% also said their companies were diligent about security; 9% of those whose security practices included storage reported having had a breach. An optimistic analysis might conclude that companies with a commitment to security are far more likely to find storage security breaches and may also have policies in place to minimize the damages. But another perspective reveals a more ominous trend. If firms with strong security processes report the highest percentage of security breaches, it's logical to assume that the potential for storage security problems is even greater for companies with less-dedicated security efforts.

Three-quarters of the survey respondents said the source of a storage security breach is likely to come from within the company. Forty-one percent felt that the probable source would be a deliberate attack by an IT employee, while 33% said human error was the most likely culprit.

Strong physical security and well-defined HR policies can help mitigate security threats related to malicious employees. Physical security improvements may include data center access controls, security cameras and careful screening of visitors accessing IT resources. HR policies can include employee background checks, security training and strict penalties for violations.

Users see better policies leading security efforts

How to upgrade storage security
Most companies believe that the best way to improve storage security is to improve policies and procedures, but users also want technology solutions. Forty-nine percent of respondents plan to add security features to existing storage products, while 17% say they will buy new storage-specific security products (see "Users see better policies leading security efforts").

But there's some question as to whether storage vendors are prepared to effectively support their customers. Asked to rate their storage vendors' commitment to security, 39% of the respondents said it was marginal; 7% said it was weak (see "Vendors' security commitment in doubt").

Our survey sought to determine whether companies were aware of or needed storage security encryption and key security management technologies. Thirty-five percent said they weren't fully aware of the new technologies, and the 60% who were familiar with them either didn't see a need or needed more information (see "Encryption awareness high, use low"). It's likely that as storage networks continue to grow in capacity and geographic reach, encryption of data in flight will become a requirement.

Research implications
Many companies are adopting security policies where users, IT administrators and digital packets are viewed as "untrustworthy." All connections are monitored, logged and filtered, and sophisticated tools are being used to capture and review behaviors.

Vendors' security commitment in doubt

To achieve a strong storage security profile, companies should:

  • Integrate storage into corporate security policies. Thirty percent of respondents said their company's security policies didn't include storage. Security professionals must define secure storage products, configurations and operations. Storage managers must work with the security team to adapt security rules to storage and business requirements.
  • Enhance storage security monitoring. Aligning storage with corporate security policies will help alleviate breaches by hardening storage equipment and mandating security methodologies. But breaches aren't the only problem--evidenced by the 20% of respondents who didn't know if they even had a storage security breach. Storage teams must monitor data center and storage system access as well as storage device log files.
  • Increase cross training. Storage staffs don't know enough about security, and security teams aren't up to speed on storage. CIOs should mandate ongoing cross-training programs where the groups train each other.
  • Articulate security needs to vendors. While 46% of respondents felt vendor commitments to storage security were marginal or weak, 52% of the users who said their IT departments were diligent about security rated their vendor commitment as strong. This suggests that users who insist on security get security, while more passive users don't. Storage managers must make storage security a priority in all vendor interactions, pushing vendors on feature sets and configurations.

Encryption awareness high, use low
This was first published in September 2004
