Look at the big IT picture to ensure storage security

Imagine a situation where day-to-day storage administration is all you're responsible for; nothing else -- no users to deal with, no meetings to attend and no reports to your boss. All you have to worry about is keeping the storage environment chugging along. If it was only that easy. However, nearly all storage administrators have a lot more day-to-day IT stuff to worry about. If you don't, I'd suggest laying low and not telling anyone. Many others would do whatever they could to have that kind of 21st century IT role.

Storage security information Storage security and the firewall DMZ problem  Why and how your storage environment will be attacked The problem with unstructured information

Consider the importance of the relationship between storage administration and information security. Storage environments of the past have been sacred -- protected by four strong walls on top of a raised floor and never at risk. That doesn't exist anymore.

The vulnerabilities are there, the tools are available and the expertise required to compromise storage systems is often minimal. Sure, security may be addressed elsewhere in the network, but that doesn't mean storage security controls have to be lax or nonexistent. Without the proper storage security controls in place alongside automated security monitoring, it's just a matter of time before something happens.

Also, there's hardly an organization in business today that doesn't have to comply with the PCI Security Standards, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) or any number of the state breach notifications and international information privacy regulations. If anything, the incentive is there because of these regulations.

Businesses can't control their information risks unless everyone in IT is onboard. This includes not only network and email administrators, desktop support personnel and developers, but also storage administrators and others under the IT umbrella responsible for systems that process or house sensitive information. It can be argued that storage systems hold information and security controls protect information. So why shouldn't each team just focus on their own area? That can't be relied on -- it's like saying our homes store our belongings and the police are there to protect our belongings. Sure, it looks good on paper, but we cannot rely on it. With our complex networks and information systems currently running our businesses, we all have to take responsibility for building in security controls at every reasonable level to keep sensitive information under wraps.

If you take anything away from this, learn and remember the concept that information threats (i.e., a disgruntled yet trusted user) exploit vulnerabilities (i.e. storage flaws at the network, operating system and storage device levels), which leads to the business risks of falling out of compliance, not meeting business contracts, losing intellectual property and so on. Risks that your organization may or may not be willing to take on, especially in the storage environment where all things critical reside. It doesn't matter from what angle you are looking at IT -- from the network perspective, from the messaging perspective, from the operating system perspective or from the storage perspective, the threats, vulnerabilities, attack vectors, security management requirements and overall risks are all the same.

The more you think about these fundamental rules of security, the more they'll become ingrained into your subconscious. Thinking about security and relating it to what you do on your job every day will eventually lead to the point where you don't think much about security at all. It'll become a part of the way you work. You'll be making storage decisions with security in mind -- balancing what really doesn't matter with what needs to be addressed -- which benefits the business and everyone involved long term.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver ~at~ principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchStorage.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Secure data storage,   Data Protection,   Data storage management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Secure data storage Throwing caution to the clouds Storage encryption essentials Vendors take steps to lock down cloud storage services Encryption Special Report: Key management stumbling block to securing data What you need to know about storage encryption products Isilon targets enterprise NAS with Backup Accelerator, N+2:1 parity Storage Decisions Chicago 2009 Session Downloads Storage Decisions Session Downloads: Disaster Recovery Track (Chicago 2009) Storage Decisions Session Downloads: Data Retention & Retrieval Track (Chicago 2009) Data on the brink Data storage management Optimizing enterprise data storage capacity and performance to reduce your data footprint Is data deduplication right for your primary storage infrastructure? Fail-in-place systems: Avoiding hard disk drive failures Data storage resources needed to implement a virtual desktop infrastructure Storage encryption essentials Addressing storage performance bottlenecks in enterprise data storage Data archiving: Three key elements Archiving data to cloud storage: How to choose the right cloud storage provider How to buy a blade server Tips for an effective data deduplication implementation RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary hard drive shredder  (SearchStorage.com) Storage as a Service (SaaS)  (SearchStorage.com) storage encryption  (SearchStorage.com) storage security  (SearchStorage.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.