Published: 08 Feb 2004
According to my cohort Jon Oltsik, geeks and spies--not business people--are running around corporate America scheming and implementing security in IT worlds. And that's a big mistake.
I've been telling you that security is going to matter when it comes to storage, so pay attention now. Security sucks--it's just our best effort to stop it at the gate. We put up firewalls and antivirus programs and hope.
Ask any CEO this question: "Mr. CEO (They like formality and politeness. It makes them feel worthy of their suits.), do you know how many IT people in your company have root privileges?" He/she/it will invariably say, "I'm not exactly sure," which means: "What the hell are root privileges?"
You let the CEO know that in any multinational corporation there are 500 or more people who can pretty much see everything there is to see when it comes to electronic information. Odds are that one in 500 may have a bone to pick.
CEOs already know that 80% of attacks come from within. What they and we are naïve about is thinking that we're going to prevent bad things from happening. It's irresponsible not to do what's necessary to get whole quickly once all hell breaks loose.
Sure, we need geeks and spies, firewalls, antivirus software and any other tools which are designed to stop attacks before they occur. What we need most, though, is to figure out how to survive the attacks that do get through. So, here are the new rules:
New Rule No. 1: Encrypt all data that matters, which is all data. It's the only way to keep Malicious Root Man from seeing the data. It's the only way to prevent corporate espionage. And it's also the only way to keep someone from stealing. It's not enough to protect data in flight with IPsec--you have to protect data at rest, where it is most of the time.
New Rule No. 2: Learn to speak security. Storage and security camps speak totally different languages, and storage guys need to understand and be assertive, or get run over. Smart business logic will prevail here--and there hasn't been much of that lately.
New Rule No. 3: Get on the new wave of disk-based recovery systems. It's only a matter of time before you're going to get killed by a virus. The only way to get back from the gates of Hell will be with a time machine. Imagine being able to recreate your entire IT environment just before a virus strikes. Talk about the perfect killer app--The Doomsday Undo. What Fortune 2500 company wouldn't pay for that piece of insurance? This bodes well for FilesX, Revivio, StorageTek and the like, which make these way-back machines. Even traditional backup implementations are possible with this feature, as Atempo has proven.
Disaster recovery is about security. Everything is about security. Do you wanna talk information life cycle management? Don't have a conversation without understanding the potential security requirements at every step--they most likely will differ. Data protection means protecting the zeros and ones spinning on a disk drive. Everything else emanates from that.