Goodbye storage security; hello information lifecycle security
Information lifecycle security is a new approach to securing data based on the value of the content.
Since joining the Enterprise Strategy Group (ESG) in 2003, I've done a ton of research, analysis and consulting on storage security requirements and best practices. I've talked to hundreds of storage professionals and given dozens of presentations about storage security at industry events.
What I quickly learned in talking with storage professionals is that what I thought of as obligatory storage security "blocking and tackling" was beyond the capabilities of many sophisticated storage shops. Some smart storage executives dismissed the need for security, or equated storage security with basic SAN configuration stuff and backup/restore operations. Others agreed that a storage security problem existed, but they didn't have the skill or resources to address it. What's more, they received little help from their vendors. The situation was grim.
First steps to security
Fast forward to today, and there's an obvious change in the market. More than ever, users get it--CIOs, storage executives, compliance officers and legal teams are pushing their storage vendors to add security features to products. The refreshing thing is that vendors get it, too--they're adding security features to all kinds of storage products. Storage industry leaders like Computer Associates, EMC, Hewlett-Packard, IBM and Symantec have introduced professional service offerings focused on storage security. These include a variety of assessment services, data classification, storage infrastructure security and security implementation. System vendors are actively partnering with security firms like CipherOptics, Decru and NeoScale, while others like Quantum and Spectra Logic are adding cryptographic capabilities to their technologies.
These are extremely worthwhile, albeit long overdue, developments in my view, and a logical first step to finally addressing security. If you were going to secure your house, it would certainly be prudent to start by inspecting the condition of all the windows, doors and locks before installing motion detectors and alarms. I applaud this essential effort, but I'm here to tell you that it's just not enough anymore.
What's the problem? Basic storage security presumes that the storage environment is relatively static. By focusing on storage security, we tend to view storage in isolation as a basic I/O infrastructure that houses a bunch of ones and zeros--heck, even the term "storage security" sounds like a niche discipline. The storage crowd shouldn't take this news too hard; security professionals have made this same mistake for years, implementing a bunch of firewalls and intrusion-detection systems to secure the network instead of instituting comprehensive defenses to protect the business.
Today's storage is intelligent, distributed and intertwined with all the other layers of the IT infrastructure. As an industry, we've even defined a new term--information lifecycle management (ILM)--to describe how intelligent storage systems can add value to the business. This is precisely the leap of faith now needed regarding information security. With that in mind, ESG believes storage security as a concept is obsolete and should be replaced with a new discipline called information lifecycle security (ILS).
I know this sounds like analyst mumbo jumbo, but bear with me as there's a fundamental difference here. While storage security concentrates on physical devices and discrete infrastructure, ILS focuses on the information itself. Furthermore, as the name implies, ILS defenses change over time as information ages and its value decreases.
ILS has many moving parts, including the following:
- INFORMATION CLASSIFICATION. Data classification and reclassification--spanning the phases of information creation, modification, retention and destruction--is a cornerstone of ILS. Information classification is matched with ILS policies that determine how the information is monitored and protected over time.
- INFORMATION FLOW. Information goes through a constant process of distribution and change. For example, information in an employee database containing healthcare and salary information may be replicated to numerous other applications, shared among benefits providers, and imported into desktop applications like Microsoft Access and Excel. To keep track of this information flow, ILS tags and tracks information movement and modification.
- INFORMATION ACCESS. ILS maps information access directly to users. This may seem like nothing new, but distributed application architectures often aggregate user accounts into a single system account when accessing information, so it's difficult, if not impossible, to accurately gauge who's accessing what data. ILS is designed to address this shortcoming.
- INFORMATION USAGE. ILS has a digital-rights management component to it. A CEO may have carte blanche to do whatever they want with company information, while a human resources administrator isn't allowed to print, save or e-mail regulated information. This is where ILS policy is actually monitored and enforced.
- INFORMATION RISK MANAGEMENT. ILS includes information security and data protection. In other words, protecting information aggregates security, backup, offsite storage and disaster recovery activities.
ILS obviously extends beyond the realm of storage professionals and technologies, but the storage gang plays a pivotal role in the entire process. Storage technologies will likely provide some key ILS components, including the following:
- ILS POLICY ENGINES. As previously noted, once information is classified, protection schemes will be determined by business policies configured in a centralized policy engine. Given the work being done around ILM, it's likely that this policy engine will reside within the storage infrastructure. Policy rules will live within the data as it flows and changes.
- TAGGING AND META DATA REPOSITORIES. To communicate and enforce ILS policies, structured and unstructured information must be "tagged" with a universally understood identity and set of policy rules. Again, storage vendors will be part of this vision, although the overall success of the ILS model depends on a set of tagging and meta data standards that ensure interoperability among vendors and data types.
- SECURE FILE SYSTEMS. Distributed file systems will have to recognize and interoperate with policy engines, information identities and meta data tags. To enforce and monitor policies, disparate file systems (NAS boxes, PCs, mobile devices, etc.) will have to communicate back to central management as information is altered. When a financial analyst changes the name of a confidential file on their PC, for example, the local file system will alert central management.
- CENTRALIZED MANAGEMENT. If the storage tier contains a policy engine and a meta data repository, it will likely also house a centralized logging service. Logging is necessary to monitor data flow, access and usage at all times. Log files will be supported by event and incident management, as well as analytics for auditing and reporting.
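To make the two lists above concrete, here is a minimal sketch of how classification tags, age-based reclassification, per-user usage rights and central logging could fit together. It is an added illustration, not code from ESG or any vendor; the policy table, role names, the 2,555-day ageing threshold and every function name are hypothetical assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy table: classification -> role -> permitted actions.
ALL = {"read", "print", "save", "email"}
POLICY = {
    "regulated": {"ceo": ALL, "hr_admin": {"read"}},
    "internal": {"ceo": ALL, "hr_admin": {"read", "print", "save"}},
}
# Hypothetical ageing rule: (days until reclassification, new classification).
AGEING = {"regulated": (2555, "internal")}
AUDIT = []  # stands in for the centralized logging service

@dataclass
class Tag:
    """Identity and classification that travel with every copy."""
    info_id: str
    classification: str
    created: date
    lineage: list = field(default_factory=list)

def derive(tag, new_id):
    """Tag a replica or export; it inherits class, age and lineage."""
    return Tag(new_id, tag.classification, tag.created,
               tag.lineage + [tag.info_id])

def effective_class(tag, today):
    """Reclassify as the information ages past its policy threshold."""
    rule = AGEING.get(tag.classification)
    if rule and (today - tag.created).days >= rule[0]:
        return rule[1]
    return tag.classification

def authorize(user, role, action, tag, today):
    """Decide one usage request and log it against the named end user."""
    cls = effective_class(tag, today)
    # Deny requests that arrive without an end-user identity, such as a
    # shared system account acting for unknown users.
    allowed = bool(user) and action in POLICY.get(cls, {}).get(role, set())
    AUDIT.append({"user": user, "info": tag.info_id, "class": cls,
                  "action": action, "allowed": allowed,
                  "lineage": tag.lineage})
    return allowed

if __name__ == "__main__":
    db = Tag("employee-db", "regulated", date(2005, 1, 1))  # constructed sample
    sheet = derive(db, "salaries.xls")  # export to a desktop application
    print(authorize("alice", "hr_admin", "print", sheet, date(2005, 6, 1)))
```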
Get ready for ILS
It's time the industry looked beyond technology and infrastructure and focused on how to secure the information itself, and that's exactly what ILS will do. At this point in time, ILS is a blue sky vision, but storage professionals should still pay attention. Securing the storage environment in isolation is important, but it remains focused on technology rather than on information defenses. Within ILS, storage professional and vendor roles will evolve into a superset of current responsibilities. This won't happen overnight and, of course, ILS may require an unprecedented level of vendor cooperation. On the other hand, some form of ILS is certain to come. I hope the storage world is ready.