When I joined the Enterprise Strategy Group (ESG) in 2003 to begin an information security practice, the company decided that a good place to start was at the intersection between security and storage. ESG was well known in the storage community, so why not become the voice of storage security?
We discovered a few things very quickly. First, storage technology is extremely insecure from top to bottom. Whether you're talking about Fibre Channel, admin tools, switch configuration or management interfaces, security holes are rampant. These problems exist even in large data centers at Fortune 500 firms with detailed security policies, meticulous procedures and dedicated staff. It's not hard to imagine how much worse these problems are at the departmental level, in remote offices or in smaller businesses.
Discovering the overall poor state of storage security was accompanied by another epiphany: Storage folks don't pay much attention to security. This startling realization applies to IT storage professionals and vendors. Let me provide a few data points to support this assertion. Thirty percent of respondents to a 2004 ESG survey said their corporate information security policies don't encompass storage technologies. Furthermore, 37% of users didn't believe their knowledge of security issues was adequate to make appropriate decisions to protect corporate storage assets.
When ESG saw this data, we thought we had something big. Multimillion-dollar storage assets with the sole purpose of storing, managing and protecting critical information were sitting ducks for security breaches. The woeful state of storage security would surely light a fire under executives and vendors, right? Wrong. The storage industry greeted this news with a big ho-hum. Why? Because the historical (and inaccurate) belief still persists that storage sits behind hosts and host security is more than adequate to protect storage.
In security, it's often the case that users believe they're protected until some very public security event exposes intrinsic weaknesses--scaring IT professionals, technology vendors and legislators into action. We need to get ready for this type of transition in storage security.
Lost backup tapes
At the end of February, Bank of America announced that it had lost a number of computer tapes containing confidential information from the General Services Administration accounts of 1.2 million federal employees from approximately 40 federal agencies, including the Department of Defense and the U.S. Senate. It appears these tapes were stolen while in transit on a commercial airline flight. While the bank says it has no evidence to suggest that the tapes have been accessed or misused, it has declared that "The tapes are now presumed lost."
Still think you're protected with host security? Think again. ESG believes the Bank of America security breach could be a watershed event in the history of storage security. This isn't a cheap shot at Bank of America; backup tapes are lost and stolen all the time. This event just got more publicity than the others, and reaction is likely to be swift. Don't be surprised if you hear talk about more federal regulations, too. In fact, California Senator Dianne Feinstein has already proposed national identity theft regulations based on the California Security Breach Information Act (SB 1386).
What can realistically be done here? The obvious answer is to fix the backup and offsite tape rotation process so that the problem goes away. But that's easier said than done. In a typical backup process, there's no shortage of weak links to exploit. Weekly full backups are normally performed once a week at a regularly scheduled time by low-level IT operations staff (affectionately referred to as "tape monkeys" by some). Sometimes tapes are duplicated at this point to be sent to multiple offsite locations. Once the files are written, the tapes are bulk ejected from tape subsystems and media bar codes are recorded in a tape management system. The tapes are then packed into boxes, moved to the loading dock and picked up by couriers to be transported to offsite vaults for storage.
This methodology is rife for exploitation. For starters, I could bribe the tape monkeys into making a third backup copy or have them put the wrong tapes into the wrong boxes. I could substitute a phony box of tapes for the real ones when no one is paying attention. I could pull the same trick at the loading dock as well. Finally, because these backups occur at regular intervals, I could anticipate the tape pickup by monitoring courier pickup schedules, and then find (or create) the right situation to grab the boxes off the truck. This might sound like spy movie stuff, but it happens all the time.
Theoretically, a determined firm could fix these weak links, but ESG believes this is an instance where brute force makes much more sense. Within the next two years, most leading enterprises should simply adopt backup tape encryption. This is a big call to make; according to our research data, only 28% of users do any form of tape encryption today. But we believe this will change for three primary reasons:
- Executive attention will translate into action. You'd have to be a real gambler to bet that existing backup processes provide "good enough" protection. Risk and security officers aren't paid to make stupid bets--their job is to find and quantify risk, and to come up with effective countermeasures. Tape encryption seems much more efficient than business process reengineering across multiple departments and constituencies. Over the long term, laggard companies will be forced to deal with this issue, as identity theft legislation is inevitable.
- Storage vendors will see the light. The big storage shops that have been sitting on the sidelines with regard to security will now see defensive and offensive reasons to get into the game. The last thing a vendor wants is to hear a customer who has experienced a tape security breach say that the vendor never mentioned security options like encryption. Offensively, the storage gang will finally realize that security expertise can drive incremental revenue.
- Encryption has become cheap and easy. Backup software has had encryption functionality for years, but encryption incurs a performance penalty as advanced mathematical functions consume a lot of processor horsepower. This alone turned most customers off. Those who did opt for encryption often used 56-bit DES encryption, a weak algorithm that was cracked several years ago. But times have changed. Using a Hardware Security Module, encryption and key management can be offloaded to a high-performance, secure appliance. This fast-growth market will continue to gain momentum.
The one objection ESG hears consistently is that the storage security appliance market is dominated by startups. Customers claim they would be far more comfortable with products blessed by a major player such as EMC, Hitachi Data Systems or Network Appliance. But there are two forces currently at work:
- Storage security is still a maturing market, so many of the new security tools are coming from startups. This will change as the storage security industry consolidates over the next few years.
- Slowly, but surely, the larger vendors are catching on. The momentum in this arena usually starts with federal sales then spreads to financial services and so on. This cycle is well under way for storage security.
Backup and offsite tape rotation is a security breach waiting to happen. Fixing the process means exploring every possible hole, which could take years to accomplish. In this case, brute-force encryption products from companies like Decru, Kasten Chase or NeoScale offer a much more pragmatic approach. Hmm ... maybe Symantec merging with Veritas makes sense after all.