Enterprise Strategy Group
Published: 13 Sep 2004
- Storage security exposes significant weaknesses. Many companies--even those with strong commitments to security--revealed problems with storage security knowledge, IT processes and technology management.
- Storage security breaches are a real threat. While most users haven't experienced problems, a significant percentage have suffered a storage security breach or aren't sure if their storage security has been compromised.
- Storage vendors aren't pulling their weight. Users often rely on their storage vendors for help in dealing with storage security issues, yet many companies don't believe that storage vendors are committed to information security issues.
|Security pros less confident in storage safety|
In a post-Sept. 11 world, companies take information security seriously. In our survey, 63% of the respondents described their IT departments as extremely diligent when it comes to information security, and about half of that number said their IT groups address information security when necessary. But when asked if their storage infrastructure was secure, 8% of storage professionals said it was insecure, while 16% of security experts concurred (see "Security pros less confident in storage safety"). Those numbers may seem modest, but when it comes to security, 8% and 16% are significant figures.
Storage security still lags behind the efforts that IT departments put into securing other information processing resources. In many IT shops, the storage group is a security island. Networking, application and system groups often collaborate on security policies, procedures and technologies, while storage teams are left on their own. This was confirmed by the 30% of respondents who said their security policies and procedures didn't include storage arrays, storage area network (SAN) switches and storage management software.
A knowledge gap also contributes to lax storage security. The survey suggests that storage staffs are undereducated about security and security gurus lack storage intelligence. Storage teams often relegate security to zoning and LUN masking, which are small parts of the total picture. And security pros typically focus on defending the network with firewalls, antivirus software and intrusion detection systems--a long distance from the SAN infrastructure. With the growing use of network technologies, Internet applications and distributed storage, the groups need to learn more about each other's worlds.
|Storage not immune to security breaches|
Storage security breaches
One of the more alarming survey statistics relates to storage security breaches that could result in business disruption or intellectual property theft. While 73% of users didn't have a storage security breach, 7% said they had. Additionally, 12% didn't know if they'd had a breach, while another 8% said that they couldn't tell. Taken together, the 27% adds up to a significant number of real or potential threats (see "Storage not immune to security breaches").
Of the respondents who experienced a security breach, 64% also said their companies were diligent about security; 9% of those whose security practices included storage reported having had a breach. An optimistic analysis might conclude that companies with a commitment to security are far more likely to find storage security breaches and may also have policies in place to minimize the damages. But another perspective reveals a more ominous trend. If firms with strong security processes report the highest percentage of security breaches, it's logical to assume that the potential for storage security problems are even greater for companies with less-dedicated security efforts.
Three-quarters of the survey respondents said the source of a storage security breach is likely to come from within the company. Forty-one percent felt that the probable source would be a deliberate attack by an IT employee, while 33% said human error was the most likely culprit.
Strong physical security and well-defined HR policies can help mitigate security threats related to malicious employees. Physical security improvements may include data center access controls, security cameras and careful screening of visitors accessing IT resources. HR policies can include employee background checks, security training and strict penalties for violations.
|Users see better policies leading security efforts|
How to upgrade storage security
Most companies believe that the best way to improve storage security is to improve policies and procedures, but users also want technology solutions. Forty-nine percent of respondents plan to add security features to existing storage products, while 17% say they will buy new storage-specific security products (see "Users see better policies leading security efforts").
But there's some question as to whether storage vendors are prepared to effectively support their customers. Asked to rate their storage vendors' commitment to security, 39% of the respondents said it was marginal; 7% said it was weak. (See "Vendors' security commitment in doubt")
Our survey sought to determine whether companies were aware of or needed storage security encryption and key security management technologies. Thirty-five percent said they weren't fully aware of the new technologies, and the 60% who were familiar with them either didn't see a need or needed more information (see "Encryption awareness high, use low"). It's likely that as storage networks continue to grow in capacity and geographically, encryption of data in flight will become a requirement.
Many companies are adopting security policies where users, IT administrators and digital packets are viewed as "untrustworthy." All connections are monitored, logged and filtered, and sophisticated tools are being used to capture and review behaviors.
|Vendors' security commitment in doubt|
To achieve a strong storage security profile, companies should:
- Integrate storage into corporate security policies. Thirty percent of respondents said their company's security policies didn't include storage. Security professionals must define secure storage products, configurations and operations. Storage managers must work with the security team to adapt security rules to storage and business requirements.
- Enhance storage security monitoring. Aligning storage with corporate security policies will help alleviate breaches by hardening storage equipment and mandating security methodologies. But breaches aren't the only problem--evidenced by the 20% of respondents who didn't know if they even had a storage security breach. Storage teams must monitor data center and storage system access as well as storage device log files.
- Increase cross training. Storage staffs don't know enough about security, and security teams aren't up to speed on storage. CIOs should mandate ongoing cross-training programs where the groups train each other.
- Articulate security needs to vendors. While 46% of respondents felt vendor commitments to storage security were marginal or weak, 52% of the users who said their IT departments were diligent about security rated their vendor commitment as strong. This suggests that users who insist on security get security, while more passive users don't. Storage managers must make storage security a priority in all vendor interactions, pushing vendors on feature sets and configurations.
|Encryption awareness high, use low|