Let’s confront the two-ton elephant in the corner of the storage management room that no one wants to mention, let alone clean up after — yes, we’re talking about enterprise storage security. While your company undoubtedly wants to improve business performance by providing more access to information, securing critical corporate data almost always entails limiting access to it.
With such a dichotomy, security can become a big job, absorb all your time and energy, and, at the end of the day, demand a big investment with no apparent effect on the product you deliver — except that it really does affect product delivery. Without it, you might not be able to deliver product or services; in fact, without it, you might even lose the business. Yikes!
You may be the one who brought the elephant into the room, especially with the call to action from experts in the field like the following from the Yankee Group: “In 2003, storage security will become an essential aspect of customers’ deployment strategies as they find ways to expand their disaster recovery planning, deploy new storage networks that mix multiple network protocols, and develop plans to connect or consolidate disparate storage systems using metro SANs.”
But like most of us, you may still be peeking into the corner and just beginning to face up to the immense storage security challenge, so here are a few tips to get started.
- Make everyone understand that security is their responsibility, too. Yes, everyone in your organization. Remind them that if they write their passwords in the corner of their top left drawer or enter them in their PDAs, or if they tell a friend their password when the friend says, “I forgot mine and need to use your account to get something off the system,” the security measures you install are useless.
If your employees think that IT will make sure all systems are secure, then they’re perched right on the end of that elephant’s trunk. Get your management, and their management’s management, involved and thinking of everyday ways to protect the enterprise’s corporate data assets and communicate them throughout the organization.
- Convince your management that you need specific security measures on your storage network — general enterprise security simply isn’t enough. Start with these three facts:
  - Theft of proprietary data costs the organization the most time and dollars. Help your management understand that it’s important to have security on all your storage resources, including the ones that leave with your employees every night (e.g., laptops).
  - Bone up on your regulations (or at least the basics) to explain how financial, securities, and government regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Securities and Exchange Commission (SEC) Rule 17a-4(f), and the Food and Drug Administration (FDA) 21 CFR Part 11 can require your company to ensure data privacy. We’ll talk more about these in a future column.
  - Remind management that not all security breaches come from one direction — into the enterprise — as a large percentage may come from disgruntled employees, contractors, or staff with access to confidential data inside the firewall.
- Establish your security goals. Remember the regulation requirements you researched in tip #2 and anticipate them with a focus on confidentiality, integrity, and availability. Identify how each goal affects your business success and survival.
- Conduct a storage security audit. During your audit take an accounting of all your back end storage resources (see tip #2) to point out where vulnerabilities are most likely to occur and include these in your report. A storage security audit can be as simple as a checklist of compliance with policies and procedures. The checklist guides a step-by-step inspection of hardware, software, logs, and records.
Let your security goals guide your audit design and the amount of effort you put into it, and use existing checklists as models to help you with the design. Be sure to tailor your checklist to your organization and get buy-in from leaders and participants. Security experts from the Storage Networking Industry Association (SNIA) recommend these checklists as models:
  - The STRIDE risk assessment model focuses on six security risks: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service (DoS), and Escalation of privilege. STRIDE is described in more detail in a sample chapter on Threats and Risk Assessment online from Microsoft Press.
  - OCTAVE is a general security assessment documented by CERT at Carnegie Mellon. OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
  - A technical tutorial, “Storage Network Security,” is offered by SNIA and outlines ten steps to identify storage security risks.
  - A checklist of storage-specific security items is provided in SNIA’s Storage Security Industry Forum (SSIF) Risk Assessment Tool.
- As you design your checklist and conduct your audit, look at several key areas in your storage network, including:
  - Host and application servers, for vulnerable access points where they connect to the Ethernet backbone.
  - The transport system itself, for outside threats of wire-tapping, traffic redirection or interception, or attacks via the gateway.
  - Your storage systems and media, for data vulnerabilities. Threats to data, especially archived data not accessed regularly but still critical to the organization, can cause permanent damage to an enterprise if the threats are successfully executed.
  - Who has access to the management console, and how. You may have all available security systems installed in your network, but one unauthorized person or system getting into your network through the console can negate all your efforts.
- After you conduct your security audit, prepare a plan to address:
  - Who has access to the network and why.
  - How you will handle accidental or unintentional changes.
  - What to do about denial of service attacks.
  - What you will do if an attack comes from within the firewall.
  - How to verify the configuration of your security system is correct.
- Speaking of a firewall, make sure you have one installed.
- Be sure to install all software patches from your manufacturer as soon as they become available. The community of Microsoft Windows users learned just how critical this lesson is with the recent Blaster worm experience.
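To make the audit checklist concrete, here is an added example in Python (not from the column, SNIA, or any vendor) that runs three of the checks the tips above call for over a small inventory: management-console access backed by a documented reason, patch level against the vendor’s current release, and drift from an approved configuration baseline, tagging each finding with the STRIDE category it relates to. Every resource name, account, version, and configuration key is constructed for the example.

```python
import hashlib
from dataclasses import dataclass

def config_digest(text: str) -> str:
    """Fingerprint a configuration so drift from the approved baseline is detectable."""
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed policy data: console accounts with a documented reason, the vendor's
# current patch level per resource type, and digests of the approved configurations.
APPROVED_CONSOLE_ACCESS = {"san-admin": "storage operations", "backup-svc": "nightly backups"}
CURRENT_PATCH = {"array": "7.2.4", "switch": "3.1.1"}
BASELINE = {
    "array-01": config_digest("lun-masking=on\nconsole-auth=required\n"),
    "switch-01": config_digest("zoning=hard\nmgmt-acl=10.0.0.0/24\n"),
}

@dataclass
class Resource:
    name: str
    kind: str
    patch: str
    console_users: set
    config: str

# Constructed inventory: array-01 is compliant, switch-01 fails every check.
SAMPLE_INVENTORY = [
    Resource("array-01", "array", "7.2.4", {"san-admin", "backup-svc"},
             "lun-masking=on\nconsole-auth=required\n"),
    Resource("switch-01", "switch", "3.0.9", {"san-admin", "jsmith"},
             "zoning=soft\nmgmt-acl=10.0.0.0/24\n"),
]

def audit(resources, approved=APPROVED_CONSOLE_ACCESS, current=CURRENT_PATCH, baseline=BASELINE):
    """Return (resource, check, STRIDE category, detail) for every checklist failure."""
    findings = []
    for r in resources:
        # Who has console access, and why: an account with no documented reason is a finding.
        for user in sorted(r.console_users - set(approved)):
            findings.append((r.name, "console-access", "Spoofing / Escalation of privilege",
                             f"{user} has management console access with no documented reason"))
        # Patches installed as soon as available: below the vendor's current level is a finding.
        if r.patch != current.get(r.kind):
            findings.append((r.name, "patch-level", "Escalation of privilege",
                             f"running {r.patch}, vendor current is {current.get(r.kind)}"))
        # Verify the security configuration is correct: compare against the approved baseline.
        if r.name in baseline and config_digest(r.config) != baseline[r.name]:
            findings.append((r.name, "config-drift", "Tampering",
                             "running configuration differs from the approved baseline"))
    return findings
```

Running `audit(SAMPLE_INVENTORY)` reports nothing for array-01 and one finding per check for switch-01; in practice the inventory and baselines would be exported from the real management consoles rather than typed in.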
- Keep learning about storage security. For more information on storage security, see the SNIA SSIF Web site. General security-oriented Web sites are also adding information about storage security. See Carnegie Mellon’s CERT Web site, the SANS Institute, and the Security Forum.
- It’s your elephant — even if you’re hesitant to admit it’s sharing the room with you — so the best tips about how to make security work in your enterprise are the ones only you know. If you’d like to share your ideas with your fellow security wardens, email us at feedback@enterprisestorageforum.com.
See All Articles by Columnist Marty Foltyn of BitSprings Systems