True Data Security Goes Beyond Encryption
Enterprises have never stored as much data as they do today and -- thanks to legislation, regulatory requirements and media coverage of hacker attacks -- the consequences of that data being compromised or stolen have never been graver.
Add in the trend toward server virtualization and the consequent move to shared storage, as well as the counter-intuitive move back to direct attached storage as part of virtual SAN appliances,and it's pretty clear that anyone responsible for storage security has got rather a lot on his plate right now.
When it comes to the absolute security of data, the answer is actually surprisingly easy: Encrypt your data with a long key, destroy that key, and no one will be able to access it again in the foreseeable future. That's certainly secure, but not in any way useful. The tricky part is securing your data using encryption, while still allowing those that need to access it to do so. That includes people within your organization, but increasingly it may also include customers, suppliers and other third parties.
As a starting point for security, Clive Longbottom, an analyst at Quocirca, recommends adopting a classification system of public, private or confidential for all stored data. Clearly, sales documents and publicly available price lists do not need the same protection as commercial correspondence and quotes, which in turn are less valuable, and confidential, than corporate intellectual property, merger and acquisition plans, and customers' personal data and billing records.
These classifications can then be used to allow or deny access to users or groups of users by policy in Active Directory or other directory systems. "Ideally you want to be able to wrap each piece of intellectual property up and then say 'only these roles and names, in these contexts (such as at an office PC, but not from a laptop in a Chinese airport) can see this data,'" said Longbottom.
The next step is the enforcement of password and world wide name identification (for Fibre Channel) and logical unit number (LUN) authorization to ensure that only authorized users, devices or applications can access data, and to implement LUN masking so that particular storage volumes can only be seen by authorized users, devices or applications.
Two other key security measures that Longbottom believes enterprises should be considering are:
- Enterprise rights management, provided by companies like Gigatrust, which allow companies to make their data available only to specified customers or suppliers outside the corporate network, and enables such data to be "timed out" and rendered in accessible to these third parties at a later date if necessary.
- Strong data loss prevention (DLP) systems that detect and stop data if it starts to make its way out of the corporate network without proper authorization.
None of this changes the fundamental fact that encryption is the most powerful weapon in an administrator's armory for protecting data at rest in a storage system. But the best way to carry out encryption -- and indeed where the encryption should be carried out -- depends on a number of factors.
Full disk encryption (FDE) using self-encrypting disks is one solution, and it certainly provides data security in the event that disks are stolen from a data center or lost while being moved. However, anyone with access to files on such a disk has potential access to all the data stored on it. FDE may be implemented by storage vendors. One such example is NetApp Storage Encryption (NSE), which uses self-encrypting drives from various manufacturers. A solution like NetApp's NSE has the benefit that because encryption is carried out just before data is stored to disk, it is compatible with storage efficiency features, such as deduplication and storage compression carried out by the storage system. "This kind of solution is useful for enterprises that have a fairly broad need for protection of data at rest for reasons like compliance," said Michael Wong, a NetApp technical marketing engineer.
Another approach, which has been adopted by Maryland-based data protection company SafeNet, is the use of an encryption appliance such as its StorageSecure, a hardware device deployed on the network either inline or connected to a switch, which acts as a virtual proxy. This requires no changes to the network, it is completely transparent to end users, and it works with heterogeneous storage devices.
A disadvantage of encrypting data before it hits the storage system is that because encrypted data is indistinguishable from random data it cannot then be compressed or deduped. This has a consequent adverse effect on storage efficiency. In mitigation, appliances such as SafeNet's offer a high degree of granularity, so that public data can be left unencrypted, and can therefore be deduped and compressed. "There is certainly a degree of trade-off between security and dedupe and compression, but since our appliances can be very granular, you may find that only 10 percent to 20 percent of your data actually needs to be encrypted," said Chris Winter, SafeNet's director of product management, Data Encryption and Control.
Other approaches include:
- Agent based encryption can be effective in small organizations, but in larger enterprises the need to install, update and administer a client on every corporate endpoint may render such solutions impractical.
- Switch-based encryption solutions such as Brocade's Encryption Switch for Fibre Channel SAN environments are expensive, but they offer the potential for very fast encryption and decryption of enterprise data for an entire storage fabric.
Since encrypted data must be decrypted so that it can accessed by authorized users, there is always the risk that it may be accessed by unauthorized users too, so any storage encryption setup must include strong access logging and auditing capabilities, as well as some form of log management system. "At the turn of the millennium, log management was about security. Then from about 2002 the market shifted from security to compliance," said Ross Brewer, a vice president at LogRhythm, a Colorado-based log management vendor. "But now there's been another fundamental shift and log management is moving back into the realm of cyber-security," he said.
Other more esoteric systems for detecting unauthorized access to storage systems include ones that use "beaconized" decoy data that is planted in storage systems and which should never legitimately be accessed. A company called Allure Security Technologies has developed such a system which reports back to a control server and alerts administrators if any of the beaconized documents are opened or copied. This has the potential to be particularly effective against insiders who can get around the storage security layer posed by encryption: If employees know that storage systems have been seeded with beaconized data then they know that any data they access without authorization could result in their detection, according to Salvatore Stolfo, the computer science professor behind the company. "We force the attacker to consider whether the data they are stealing is actually real or if it has been poisoned with misinformation, and if it is being tracked," he said.
Finally, a storage platform that's increasingly being used by enterprises is cloud storage, so it's worth asking what considerations there are when it comes to cloud storage security. In fact, there's only one thing that needs to be considered, according to Quocirca's Clive Longbottom. He says that as long as security measures such as encryption, ERM and DLP are in place, the only difference between cloud storage and local storage is a lack of control over the place where the storage hardware resides. "Cloud storage is just another platform, so only physical security matters. And physical storage is actually the one thing that you can be fairly sure a cloud provider can do better than you," he concluded.
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.