Tip

Look at the big IT picture to ensure storage security

What you will learn: Though storage administration and information security are often handled by two separate groups, getting storage administrators onboard with storage security can greatly help reduce

Requires Free Membership to View

risk of a breach.

Imagine a situation where day-to-day storage administration is all you're responsible for; nothing else -- no users to deal with, no meetings to attend and no reports to your boss. All you have to worry about is keeping the storage environment chugging along. If it was only that easy. However, nearly all storage administrators have a lot more day-to-day IT stuff to worry about. If you don't, I'd suggest laying low and not telling anyone. Many others would do whatever they could to have that kind of 21st century IT role.

Storage security information
Storage security and the firewall DMZ problem 

Why and how your storage environment will be attacked

The problem with unstructured information
Consider the importance of the relationship between storage administration and information security. Storage environments of the past have been sacred -- protected by four strong walls on top of a raised floor and never at risk. That doesn't exist anymore.

The vulnerabilities are there, the tools are available and the expertise required to compromise storage systems is often minimal. Sure, security may be addressed elsewhere in the network, but that doesn't mean storage security controls have to be lax or nonexistent. Without the proper storage security controls in place alongside automated security monitoring, it's just a matter of time before something happens.

Also, there's hardly an organization in business today that doesn't have to comply with the PCI Security Standards, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) or any number of the state breach notifications and international information privacy regulations. If anything, the incentive is there because of these regulations.

Businesses can't control their information risks unless everyone in IT is onboard. This includes not only network and email administrators, desktop support personnel and developers, but also storage administrators and others under the IT umbrella responsible for systems that process or house sensitive information. It can be argued that storage systems hold information and security controls protect information. So why shouldn't each team just focus on their own area? That can't be relied on -- it's like saying our homes store our belongings and the police are there to protect our belongings. Sure, it looks good on paper, but we cannot rely on it. With our complex networks and information systems currently running our businesses, we all have to take responsibility for building in security controls at every reasonable level to keep sensitive information under wraps.

If you take anything away from this, learn and remember the concept that information threats (i.e., a disgruntled yet trusted user) exploit vulnerabilities (i.e. storage flaws at the network, operating system and storage device levels), which leads to the business risks of falling out of compliance, not meeting business contracts, losing intellectual property and so on. Risks that your organization may or may not be willing to take on, especially in the storage environment where all things critical reside. It doesn't matter from what angle you are looking at IT -- from the network perspective, from the messaging perspective, from the operating system perspective or from the storage perspective, the threats, vulnerabilities, attack vectors, security management requirements and overall risks are all the same.

The more you think about these fundamental rules of security, the more they'll become ingrained into your subconscious. Thinking about security and relating it to what you do on your job every day will eventually lead to the point where you don't think much about security at all. It'll become a part of the way you work. You'll be making storage decisions with security in mind -- balancing what really doesn't matter with what needs to be addressed -- which benefits the business and everyone involved long term.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver ~at~ principlelogic.com.

This was first published in May 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.