Secure DAS without breaking the bank

Whether you're using direct-attached storage (DAS) for primary data storage, backups or archiving, there are a ton of common security issues affecting storage confidentiality, integrity and availability. Here are four DAS security issues SMBs can't afford to overlook:

Not knowing where you stand on DAS security issues

Arguably the greatest security risk to an organization is not knowing what's vulnerable and how each weakness can affect the business. Simply put, you can never assume that all is well. The solution is very straightforward: Perform a security assessment using ethical hacking techniques and see where your weaknesses are.

If you don't find any, you're probably not using the right tools or looking hard enough. Hire an outsider if you have to. Obvious or not, it's important to remember that there are security vulnerabilities such as missing patches, misconfigured systems and lax user permissions in your DAS environment.

Relying on users to do the right thing

It's easy to put up a firewall and claim that everything is secure, but it doesn't work that way with data storage. Insiders are your greatest threat and the most stringent policies in the world aren't going to make things right if basic internal controls aren't in place. Perform a user permissions audit and scan for unstructured information that everyone on the network has access to. Then lock permissions down and even segment your network in order to keep critical DAS systems out of harm's way.
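An added example, not part of the original tip: a small permissions sweep for a DAS volume mounted on a POSIX server, flagging anything every local user can read or write. The function names and the sample tree are constructed for illustration; on Windows servers the same audit would inspect NTFS ACLs rather than mode bits.

```python
import os
import stat
import tempfile

def audit_world_access(root):
    """Walk root and return sorted (path, finding) pairs for entries open to all users.

    Uses lstat so symlinks are never followed out of the audited volume.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError as exc:
                findings.append((path, f"unreadable: {exc.strerror}"))
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # link mode bits carry no meaning; a target inside root is walked anyway
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                    findings.append((path, "world-writable dir (sticky bit set)"))
                else:
                    findings.append((path, "world-writable"))
            elif mode & stat.S_IROTH and stat.S_ISREG(mode):
                findings.append((path, "world-readable"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data standing in for a DAS volume."""
    layout = {"payroll.xls": 0o644, "backup.tar": 0o600, "scratch.txt": 0o666}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample")
        os.chmod(path, mode)  # chmod ignores umask, so the modes are exact
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as volume:
        build_sample_tree(volume)
        for path, finding in audit_world_access(volume):
            print(f"{finding:40} {os.path.relpath(path, volume)}")
```

Run it against the real mount point and review the findings with the data owners before tightening modes.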

Not adequately patching server software

Unpatched operating systems and applications are still a problem. In my work, I see it time and time again, presumably because servers aren't that easy to patch. It's often believed that any sort of risk applying a patch could introduce is simply not worth it. Someone on the inside -- and even the outside via Web applications and wireless vulnerabilities -- could take complete control of a server on your network. Once they're in, anything and everything on the DAS system is at their disposal and no one will ever know about it. Make patching a priority.

Fault tolerance and business continuity testing

Vendor claims and RAID standards have little to do with how well your particular DAS will stand up to a hardware failure or emergency situation in your specific environment. In my years of security assessment work, I've seen one business that actually performed a continuity/recovery test of their DAS systems. Yes, one out of hundreds!

We all know what assumptions will ultimately bring us, so do yourself and your business a favor and test your storage system resiliency. This means performing focused and realistic system failure scenarios (i.e., the storage hardware dies or your data center gets damaged or destroyed). There's no doubt you'll need to rely on it one day, so why not find out where it's weak now while things are calm?

Information is much more vulnerable at rest. The direction many SMBs are headed with virtualization -- and the associated system complexities and increased attack surfaces -- only compounds the problem. Combine that with the lack of time and resources I'm seeing in IT shops in SMBs across the board and you've got some formidable storage security issues in the making.

Even with relatively basic DAS configurations, no SMB can afford to overlook the security element. The good news is that you don't have to spend a ton. In fact, most of the controls you need are right before your eyes. Look at the existing controls built into your storage devices, applications, operating systems and network infrastructure devices. Focus on the principle of least privilege so that people can only access what they need to access and nothing more. Then it's just a matter of making it happen.

About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC, where he specializes in performing independent information security assessments and audits.

This was last published in November 2008