Published: 14 Jul 2003
Talk with any IT person these days and you'll hear that security concerns are top of mind. Many of these folks were burned back in January by SQL Slammer, which affected 200,000 systems, did over $1 billion in damages, impacted major corporations such as Bank of America, Continental Airlines and Microsoft and ruined a lot of weekend plans. Severe problems like these lead to action. According to a Morgan Stanley survey of 225 CIOs conducted in December 2002, security spending tops their 10 highest priorities for 2003. In spite of the continued slow economy, security is one area where spending is real and sector growth is inevitable.
IT departments at enterprises and midmarket companies are spending money on traditional desktop, perimeter and network security infrastructures with the top five areas being anti-spam, antivirus, intrusion-detection systems (IDS) and firewalls. What about storage? Although storage security hasn't made Morgan Stanley's top 10 list yet, there's a cottage industry of vendors addressing this space. Companies such as Decru, NeoScale and Vormetric Inc. manufacture appliances that sit in the data path and encrypt and decrypt data as it flows to and from the storage tier. According to these security vendors, encrypting the data at rest provides companies with an extra layer of protection because data on storage devices will effectively be turned to gibberish, alleviating the threat of information espionage.
Should IT managers invest in this new breed of storage security devices? Perhaps, but throwing technology alone at storage security is a mistake because other security holes may expose corporate data to all kinds of deviants. For example, if a hacker gains root access to a Unix server, the storage security appliance will willingly decrypt the data and serve it up in the clear, because a compromised host is outside the appliance's domain: it can only tell that an authorized server is asking for the data, not who is behind the request. To enhance security, storage managers must unite with their IT and business brethren to build a comprehensive, enterprisewide security strategy.
Five steps for building your company's security strategy
A strong security commitment should include the following:
1. Executive management leadership. In spite of all of the IT-related activity, security is a business issue, not a technology issue. The CEO and board of directors must recognize this fact and actively participate in setting policy, weighing and prioritizing risks and monitoring vulnerabilities and progress. Of course, chief executives can't be responsible for day-to-day security operations. CEOs in large companies should appoint chief security officers (CSOs) to manage both physical and information security. To maximize efficiency, CSOs should report directly to the CEO and have their own budgets and staffs. These newly appointed CSOs will work with the storage team as part of an overall information security effort.
2. Strong security policies. Part of a security undertaking is examining all business and technology processes for risks and vulnerabilities, then reacting to problems with the appropriate policies and procedures. The CSO's team should be responsible for setting policy and overseeing security management, but should work in collaboration with the IT team on day-to-day operations. Security groups will work with the storage team to assess storage risks, implement policies and technologies and monitor results. In addition to technical concerns, the storage team should also prepare for more invasive security policies. Given that storage administrators work on technology that houses critical information assets, companies would be well advised to do background checks on all storage personnel and monitor them closely thereafter.
3. Employee training. Most companies focus their security efforts on the unknown threats beyond the firewall, yet 50% to 75% of security attacks--depending upon whose numbers you believe--are perpetrated by insiders. Some of this is malicious activity by highly skilled workers, but many of the problems stem from sloppy employee execution: an employee who uses their pet's name as their password; an overburdened system administrator who fails to delete user accounts; a software developer whose code is fraught with buffer overflows. To overcome these problems, all employees should be required to go through general and specific security training classes. The CSO's group--along with HR--should run general classes on global issues such as sound password management. Specific classes for IT personnel would center on job-related security issues. Storage administrator training would focus on storage networking security features, such as zoning and LUN masking, storage network administration, network-attached storage (NAS)-based access control lists (ACLs) and general best practices.
4. Physical security. A security services specialist I know recently related this story to me. He was doing a security audit for a large bank in New York City. In an introductory meeting, the CIO boldly proclaimed, "I don't really know why we are doing this security audit. I run a tight ship, and you won't find any holes in our network." The next day, the CIO was aghast to see that the consultant had a spreadsheet with all of the IT salary information. How did this happen? The network was in fact quite secure, so the service professional simply put on a WorldCom T-shirt, got past the reception area, walked into the data center and grabbed a DLT tape. The lesson for storage professionals is obvious: Physical access to IT resources and storage devices must be extremely tight, constantly policed and monitored for intrusions. Internal alarm bells should go off whenever a stranger is present, especially if they're touching equipment, regardless of what type of clothing or identification they're wearing.
5. Strong IT governance. Common wisdom says that information security attacks are the digital equivalent of massive terrorist attacks that lead to widespread damage. In fact, most security attacks are more like "death by a thousand cuts." An attacker cases your network looking for weaknesses and targets, then exploits them for various purposes. For example, I heard of an incident in which an IT administrator took advantage of a vulnerability in an Apache Web server running on Linux to store several hundred gigabytes of MP3 files on company equipment.
Given the complexity of IT infrastructure, it's easy to cut corners or get lost in details, but doing so can open security holes for would-be attackers. To overcome this, IT must structure day-to-day activities such as configuration management, change management and patch management, and storage administrators will need to adhere to these enterprise IT processes. The Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (CobiT) are well-regarded models here. IT governance will require training and process changes for the storage team, but it will be worth the effort. Not only will security improve, but having standard processes will lower overall operating costs as well.
Once these five steps are accomplished, companies can move on to address industry and company-specific security concerns. For example, financial services firms need policies to deal with the Gramm-Leach-Bliley and USA Patriot acts, while health care companies must be concerned with HIPAA. With these policies in place, IT can finally expose security vulnerabilities and address them through the right security technologies.
Once again, before implementing storage-based security, storage professionals should coordinate with their peers in networking, application, database and systems groups to create a comprehensive security infrastructure that meets all the corporate objectives. As the protectors of the corporate data, storage professionals will be critical to achieving this goal.
Every IT professional should be concerned about security, and storage is no exception. But acting on storage security alone is like putting a deadbolt on your front door while leaving all your windows open. Storage professionals should do all they can to secure their domain while working with business and IT peers to make security part of the IT and corporate culture. This will go a long way toward making storage and the corporation at large more secure.