Whether it's caused by a limited budget or lack of management buy-in, many small and midsized businesses (SMBs) often struggle to achieve reasonable information security. Once you throw critical storage systems into the mix, you've got the potential for some really interesting IT issues. Ensuring data storage security can be distilled down to a few key areas:
Find out where you're vulnerable. No firewalls, IPS or access controls are going to provide 100% security. It's almost guaranteed that something is vulnerable somewhere in your data storage environment. Storage-related systems connected to the network can almost always be breached with the right tools and techniques. Look at your systems from every possible angle -- both logged-in and not logged-in, inside the network and out.
Take an inventory of what's where. In any organization, there can be an unbelievable amount of unstructured information scattered across the network that is unprotected. Chances are some of this information is housed in your storage area network (SAN), network-attached storage (NAS) or direct-attached storage (DAS) systems. In order to protect what you have in your storage environment, you have to determine what files are where and who has access.
Do what you can to get management's ear on storage security issues. The business needs storage security and you must be able to communicate why. At a minimum, you've got show what can happen when critical storage systems are not properly protected. Present storage security issues to management in the context of the industry and your business. Also, keep them in the loop by showing how security controls are minimizing risks to the business.
Put together storage information security policies and get a commitment from management to support them. Policies not only serve to guide the organization but they also come in handy if and when something does happen. Properly written and well-communicated policies can literally be the saving grace for your business if a breach is contested or goes to court. Some specific policies that should include storage security within their scope are:
Remember that storage falls into the scope of literally every security regulation. From HIPAA to SOX to PCI, if your storage environment is not secure, then compliance is merely an assumption. Be sure to include all storage-related systems in your overall security management.
Test your storage systems for security holes just like you would any other system. Look for network, OS and application-specific vulnerabilities as well as storage-specific flaws that can be exploited. Running security tests periodically and consistently, and using ethical hacking tools and techniques plays a key role in minimizing storage weaknesses. Unfortunately, it's often overlooked or taken for granted.
Focus your efforts where they count by protecting data at rest rather than data in transit. Odds are that someone is going to abuse sensitive information when it's sitting in your storage environment.
Don't rely on storage encryption 100% of the time. Encrypting data at rest can be a great last line of defense, but it can be pricey for SMBs. Furthermore, if it's not implemented and managed correctly, any intended benefits are quickly sapped away. So think and plan ahead before you proceed. Once you've implemented some of the simpler controls outlined here, move on to storage encryption.
Don't be afraid to admit you can't do it all. Storage can be complicated. There's no shame in bringing in a storage expert to help with implementation or administration, or a security expert to help with security efforts.
With too little time and too little budget, SMB storage security is often an afterthought. If you go through this list and spend some minimal resources wherever possible, you'll have accomplished one of the most important feats of information security: locking down the crown jewels in your storage environment.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. Kevin has authored/co-authored seven books on information security including "Hacking For Dummies" and "Hacking Wireless Networks For Dummies" (Wiley). He's also the creator of the "Security on Wheels" information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at email@example.com.
Do you have comments on this tip? Let us know. Please let others know how useful this tip was via the rating scale below.
Do you know a helpful storage tip, timesaver or workaround? Email the editors to talk about writing for SearchSMBStorage.com.