The concept and practice of securing storage is gaining momentum, but it still hasn't taken off.
Below are 10 business reasons why storage security must be addressed if any semblance of information risk management is to be achieved.
- Most storage environments are no longer protected like they were in the good old days. Any storage-related system that's connected to the network, somehow, some way, can be reached (and breached) from many different angles on the network.
- Many administrators, managers and especially executives overlook the fact that storage is where "the goods" are. They don't realize how much information is accessible. They haven't thought about just how dependent the business is on that information being available when it's needed, keeping it confidential and intact. This all boils down to the fact that most organizations don't bother to inventory and classify their information -- a big mistake in today's world.
- Building on reason No. 2 is the fact that many administrators and managers still aren't acknowledging the vulnerabilities associated with unstructured information scattered about the network. In most environments, I see there are no limitations on where sensitive information can/will be stored and no compensating controls to eliminate the weaknesses. On any given network, it's almost guaranteed that within 30 minutes, a basic network user with the most limited privileges can find sensitive information -- healthcare, financial, intellectual property, etc. that he should not have access to. All it takes for a security breach in this context is a determined insider with a network share finder, a text search tool and some common sense.
- Internal security policies typically include everything related to information systems -- from Web usage to wireless networks to passwords and beyond -- but say nothing about protecting storage. It's a gap in a large percentage of organizations that needs to be addressed.
- Odds are against you that insiders have, can and will find a way inside your storage environment. They likely already have access either by design or oversight. It's a small percentage, but all it takes is one person doing bad deeds to exploit a SAN, NAS, DAS or even unprotected laptops and other mobile devices.
- The real business risks are associated with data at rest, not data in transit. Every Web site says it: "Your data is secure with us because we encrypt everything using SSL." Who cares! There's a slight chance that someone can capture sensitive information as it crosses the wire, or the airwaves in the case of wireless, but that's only a tiny sliver of risk compared to unprotected data that sits waiting to be accessed in your storage environment the other 99.9% of the time.
- Contrary to popular opinion and marketing attempts, encryption is not the answer to storage security. There's a misperception that as long as information is stored in an encrypted fashion, then all is well. Not true. There's a multitude of factors that introduce weaknesses into encrypted information, including passphrase complexity, key management and trusted insiders misusing their privileges. There is no one magic solution for keeping storage secure. A layered approach that's proactively managed is required -- hence the importance of integrating storage security with overall information security.
- Storage vulnerabilities have been proven. In fact, many weaknesses are very easily exploited providing illicit access to everything electronic in your business. Some serious gotchas that are often overlooked include: lack of adequate access controls on shares and files, lack of sufficient audit trails and vulnerable Web-based storage management interfaces accessible from both inside and outside the network. There are thousands of possibilities, but all it takes is one flaw to be exploited to put your storage systems at risk.
- Generic network security and storage-specific hacking tools are available that can and may be used against you. There's a responsibility in business to use the same tools and techniques the bad guys use to find security flaws before they're exploited. This basic "ethical hacking" process is the only realistic way storage vulnerabilities can be minimized.
- Most government and industry regulations cover every aspect of IT, including storage systems. The regulation verbiage may be vague and storage may not be addressed specifically, but I've yet to see any privacy or security regulation that cannot be tied back to storage security in some way.
If you're proactive in protecting your storage environment, you won't be caught off guard or at least you will be better prepared to respond to the problem. Keep your storage security in check because given our information system complexities and growing motivations, the problem is likely to be around for a while.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments revolving around compliance and risk management. Kevin can be reached at kbeaver at principlelogic.com.
This was first published in August 2007