Storage Security Back In The Spotlight
With public concern over lost and compromised data growing, the time is right to take another look at storage security best practices.
In your IT duties, perhaps you implemented some security procedures for Y2K, or are considering expanding the scope of your security operations in the light of Sarbanes-Oxley, HIPAA, or SEC requirements. You've collected lists and maybe filed them away, but now's the time to open the folder and take a look at what to practice and how to do it in the context of daily operations.
As an IT manager, your number one best practice is to tie every decision to your enterprise bottom line. Your number two best practice is to keep your enterprise data safe and secure, and given the potential cost of a security breach or data loss, the effect on your company's bottom line can be substantial.
Every company should have a storage security policy in place. Bare bones or robust, your table of contents should include how to authenticate access, what types of information should be kept confidential, backup and restore requirements, and required levels of monitoring and auditing. Bearing in mind that data in transit needs at least as much protection as, if not more than, data on internal storage devices, define your policies to protect operations across the breadth of your storage network, and eliminate, or at least control, potential attack points. Common sense indicates that only proven solutions and technologies should be introduced into your system, and that any upgrades be tested first on a non-production system.
With your policy in place, you can then look at actions you can take to improve network and data security. Rick Bauer, technology director at the Storage Networking Industry Association (SNIA), recommends developing a "best practices orientation" for your organization.
"It's more than authoring a document and sending an e-mail that passes for security training," Bauer says. "It's effectively communicating to every level of the organization the vital nature of information security. It's getting buy-in from everyone in the company, and it's about policies and procedures that are actually followed ... with appropriate penalties and rewards for adherence."
Bauer offers an example of one company that understood security.
"I heard about a formal reprimand given by a manager for a Post-It note password left on a computer screen," Bauer says. "I thought to myself, 'There's a company that gets security.' Security has to be more than the concern of the IT or storage departments."
Some Best Practice Recommendations
SNIA teaches storage security best practices in its education tutorials (http://snia.org/education). Some of the recommendations are:
- Make the management of storage secure. Are you still using your manufacturers' default passwords? If so, change them immediately, and also think about separate IDs and passwords for each user on a device. Expand your security thinking to incorporate remote access security and protecting against viruses.
- Identify and monitor all storage interfaces. Do you know where they are? What they are? How they are managed? What and who is using storage resources? The answers to these questions will define the effectiveness of your current security processes.
- Monitor and control physical access to the network. Are unused ports disabled? Have all lockable racks and cabinets been locked? Do you monitor access to removable media? An ounce of prevention is worth a pound of cure.
- Deliver IT support of data security compliance requirements. In an age of growing data retention and protection regulations, IT is more closely tied to business practices than ever. Are you implementing the appropriate authentication, authorization, and access control for all those who support the system? Have you considered write once, read many (WORM) and encryption confidentiality methods? Do you shred data? How? These are questions with potential legal and regulatory implications, so consider them carefully.
- Incorporate extra protection for remote data. It's always a good idea to implement this practice before you wish you had. Is all critical, sensitive or regulated data protected when it leaves your control? Are all offsite backup tapes of sensitive or regulated data encrypted, with encryption keys stored separately? Is data transferred to remote data centers also encrypted before it leaves the main facility? Recent corporate experiences with backup tape loss have moved the cost-benefit ratio for encryption over into the "worth it" column. Tapes may get lost, but you don't want to worry about whether data has been stolen. Just ask Bank of America.
Implementing Best Practices
If your time is like that of most IT professionals, you'll want to find the most effective ways to implement best practices. Research think tank The SANS (SysAdmin, Audit, Network, Security) Institute provides intensive immersion training to master the practical steps necessary for defending systems and networks against active threats. The group's Global Information Assurance Certification (GIAC) validates the skills of security professionals, and its Web site provides tools for creating security policies.
SANS training and GIAC certifications address a range of skill sets from entry level to Information Security Officer, and cover broad-based security essentials and advanced subject areas such as audit, intrusion detection, incident handling, firewalls and perimeter protection, forensics, hacker techniques and Windows and Unix operating system security.
Alan Paller, director of research at The SANS Institute, says the focus of the institute is on "the technical aspects of security, from front-end protection to the impact of accidentally opened back doors that allow malicious code to enter the network and hackers to steal critical information."
While most of those taking classes or contributing to research are security professionals, auditors and network and system administrators, Paller anticipates increased interest from storage professionals as the importance of security grows within organizations. Internet security vulnerabilities are a focus across a wide swath of industry areas, and the SANS 2004 Top 20 list of Internet security vulnerabilities is used by many companies to target potential internal attack hotspots.
Security is an ongoing process. Risks, benefits and costs must be balanced and managed as new threats emerge. Planning your strategy and acquiring the skill set to implement it may be time-consuming, but just ask those companies who did not protect their data and paid the price — they'll tell you those steps are worth it.