A CIO's first security priority is to protect corporate assets. Information, in the form of stored data, is often identified as the glue that holds a business together. Reliance on data and the potential for exploiting new business opportunities from stored data are just some of the business drivers prompting the CIO to focus on securing stored data.
Given a growing collection of storage security technologies and vendors, it is not a straightforward one-step problem to simply "secure" the data. The CIO must establish the business priorities that drive the use of data.
To secure data, it must first be classified along the following axes:
1. Evaluate securing data in flight vs. data at rest. Data in flight is corporate data in transit over the corporate network or the Internet; specific security schemes, such as VPNs, can be targeted at it. For data at rest, there are emerging security appliances that can provide data protection.
2. Evaluate in-band data vs. out-of-band data. In storage networks, in-band data is the data that travels over the normal data path, such as the Fibre Channel fabric. Out-of-band data typically travels over Ethernet ports using IP. Different security schemes are required to protect each of these data types.
Finally, and more importantly, it is critical to consider the data content. Not all data needs to be secured let alone encrypted.
There are three major categories to classify data:
1. Management and configuration data: This data is transferred over the network to configure or manage network resources. Such data needs to be protected from alteration. Security schemes include securing a management zone, such as McDATA's SMZ, or using technologies such as SSL, SSH or SNMP version 3.
2. Secret data: This data includes the passwords, PINs or other secrets necessary to operate and manage the corporate network. Secrets must be encrypted to ensure privacy.
3. Customer data: Customer data includes all kinds of information belonging to various parts of the corporation. Each business needs to classify its data files based on the corporate priorities and legal requirements.
Some of the key aspects to consider are:
- Separation of data between organizations; e.g. employees should not have access to HR data.
- Level of secrecy required, e.g. corporate earnings estimates are sensitive information before the earnings announcement, but not as sensitive after it.
- Audit and other legal requirements, e.g. some laws require protecting the individual health-related information of your employees (HIPAA) or keeping financial records to satisfy IRS requirements.
Securing customer data may include selective encryption of sensitive data, ensuring the integrity of the most critical data, and ensuring a secure perimeter around stored data.
Finally, your data is only as secure as its weakest link. A well-coordinated and thought-out security policy should include the above analysis and crisply specify the security technologies required to protect each type of data outlined above.
This was first published in May 2003