Imagine a situation where day-to-day storage administration is all you're responsible for; nothing else -- no users to deal with, no meetings to attend and no reports to your boss. All you have to worry about is keeping the storage environment chugging along. If it was only that easy. However, nearly all storage administrators have a lot more day-to-day IT stuff to worry about. If you don't, I'd suggest laying low and not telling anyone. Many others would do whatever they could to have that kind of 21st century IT role.
The vulnerabilities are there, the tools are available and the expertise required to compromise storage systems is often minimal. Sure, security may be addressed elsewhere in the network, but that doesn't mean storage security controls have to be lax or nonexistent. Without the proper storage security controls in place alongside automated security monitoring, it's just a matter of time before something happens.
Also, there's hardly an organization in business today that doesn't have to comply with the PCI Security Standards, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) or any number of the state breach notifications and international information privacy regulations. If anything, the incentive is there because of these regulations.
Businesses can't control their information risks unless everyone in IT is onboard. This includes not only network and email administrators, desktop support personnel and developers, but also storage administrators and others under the IT umbrella responsible for systems that process or house sensitive information. It can be argued that storage systems hold information and security controls protect information. So why shouldn't each team just focus on their own area? That can't be relied on -- it's like saying our homes store our belongings and the police are there to protect our belongings. Sure, it looks good on paper, but we cannot rely on it. With our complex networks and information systems currently running our businesses, we all have to take responsibility for building in security controls at every reasonable level to keep sensitive information under wraps.
If you take anything away from this, learn and remember the concept that information threats (i.e., a disgruntled yet trusted user) exploit vulnerabilities (i.e. storage flaws at the network, operating system and storage device levels), which leads to the business risks of falling out of compliance, not meeting business contracts, losing intellectual property and so on. Risks that your organization may or may not be willing to take on, especially in the storage environment where all things critical reside. It doesn't matter from what angle you are looking at IT -- from the network perspective, from the messaging perspective, from the operating system perspective or from the storage perspective, the threats, vulnerabilities, attack vectors, security management requirements and overall risks are all the same.
The more you think about these fundamental rules of security, the more they'll become ingrained into your subconscious. Thinking about security and relating it to what you do on your job every day will eventually lead to the point where you don't think much about security at all. It'll become a part of the way you work. You'll be making storage decisions with security in mind -- balancing what really doesn't matter with what needs to be addressed -- which benefits the business and everyone involved long term.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver ~at~ principlelogic.com.
This was first published in May 2007