Processor ®
August 29, 2008 • Vol.30 Issue 35
Page(s) 1 in print issue

Storage At Risk
Where Is Your Enterprise Vulnerable When It Comes To Storage?
They say a pot of gold lies at the end of every rainbow. In the enterprise space, that pot is filled with data, and intruders ride the rainbow directly to that data using any of a variety of attack methods. Because data is the primary target of today’s breaches, storage architectures are quickly coming under fire for their lack of security.

“Human error is probably the most critical security vulnerability facing storage environments in small and medium-sized enterprises,” says Andre Muscat, director of engineering at GFI Software (www.gfi.com). “IT administrators in SMEs are often overworked and required to do tasks that an administrator in a large business would never dream of doing. However, SMEs do not have the resources to employ huge IT teams, so all the work falls on one or two people . . . it should not come as a surprise that some vulnerabilities arise because administrators do not have the time to think about security.”

Where Are You Vulnerable?

Due to the nearly limitless expanse of storage across any given IT architecture—including all the devices that access that storage—the vulnerabilities that can emerge are numerous. According to Muscat, one of the most common is the failure to implement the concept of least privilege, which shows up as administrator rights on employees’ machines or full, unaccountable access to all data at the share and file level.

Another, he says, is the use of portable devices on the network. “Endpoint security is often overlooked by administrators who fail to realize that the USB sticks or iPods the employees bring to work every day are a perfect tool to copy data to or from the network. In a worst-case scenario, a ‘trusted’ but ‘disgruntled’ employee can bypass encryption, copy huge amounts of data, or upload malicious software, effectively bringing the network down or deleting important data,” Muscat says.

The threats don’t end there. Muscat explains that many SMEs do not have a secure storage area for their file and database servers. For example, if servers are kept in a box room or under a staircase, they can be easily removed if there is a break-in. Greg Gendron, worldwide enterprise systems tape manager for IBM (www.ibm.com), adds that many SMEs run Windows Server or Unix environments with few security measures in place, such as authentication, because those measures can be complex and difficult to implement.

Lock It Down

According to Kevin Daly, CEO of iStor Networks (www.istor.com), data is vulnerable in only two situations: when it’s in transit and when it isn’t. Vulnerabilities surrounding data in transit originated when organizations moved from internal storage (DAS, or direct-attached storage) to network-oriented storage (NAS and SANs), and while IP-based network storage certainly can be vulnerable, Daly says data in transit can be effectively protected by practices and policies.

Data at rest, on the other hand, is another story. Assuming an enterprise configures a first level of defense by setting up and maintaining access permission structures to create a control structure for who can and cannot access data, there remains the issue of what happens when the data comes to rest on a physical hard drive. A straightforward way of preventing unfettered access to this data, Daly says, is encrypting it before it goes on the drive. But he says that even those who are willing to live with the steep performance hits caused by encryption don’t always use encryption because of the consequences—such as loss of data—of any errors while using it.

“There is a light at the end of this particular tunnel, however,” Daly says. “Disk drive manufacturers are beginning to provide drives that encrypt and decrypt the data in the drive. This addresses many—but to be honest, not all—of the issues associated with protecting data at rest on disks. It is not common yet, but its use will be growing, and it will significantly mitigate the vulnerability of disk-based data.”

Daly recommends several “first-order actions” that organizations can take to protect themselves against storage vulnerabilities: Organize data to limit the use of (and access to) sensitive, critical, and valuable data; use systematic permission structures and access control lists; centralize the storage of critical data as much as possible; use VPNs where possible; minimize or eliminate the use of removable media; encrypt drives wherever possible (particularly in mobile devices); design (or redesign) the backup and restore process with security in mind; and train and educate all users about their responsibilities for data security.

Don’t Forget Policy

There’s a rising tendency to rely on technology to address storage-related security issues, but some experts feel that policymaking and employee awareness are similarly effective in keeping storage secure. Jame Ervin, product manager for DNF Security (www.dnfsecurity.com), says that employees are the first line of defense against data breaches.

“Many of the widely publicized security breaches involved a loss of physical control over the data—stolen laptops, missing backup tapes, and so on. In many cases, employees could have added an additional layer of protection with password-protected computers or backup tapes. Organizations should have a defined policy for access to data leaving the premises and for data inside the office and act accordingly,” Ervin says.

There are three key requirements to implementing an effective storage security policy, says Gary Brown, director of storage solutions for Forsythe Solutions Group (www.forsythe.com). First is executive sponsorship of the security policies, policy enforcement, and continuous auditing of policy effectiveness, followed by the identification of the stakeholders and owners of the security policies. These people must accept their roles to participate and respond to inquiries and requests in a timely manner.

Finally, “You need to architect a data protection environment that can support the policies and that is flexible enough to support potential future requirements,” Brown says. “This includes selection of both software solutions and physical hardware that will support policies, protection, performance, and availability of information. Too often, we see organizations look at storage hardware devices that provide storage functionality but may never support a good storage security policy.”

by Christian Perry


Top Vulnerability: Data Leaving The Building

Data within the walls of an enterprise can be locked down with heaps of security, but as soon as it leaves those walls, it’s up for grabs. Laptops, PDAs, smartphones, USB key drives, portable hard drives, backup media, and other items often hold plenty of sensitive company-related data that can create big trouble if it ends up in the wrong hands.

“It is emotionally difficult for employees to appreciate that a one-half-ounce, $20 thumb drive can hold enough information to cost the organization millions of dollars in losses, disruptions, and fines, but it can,” says iStor Networks CEO Kevin Daly (www.istor.com). He recommends using encryption to protect drives in mobile devices and to protect backup media. He predicts that all portable business devices will eventually have encrypted storage devices, but in the meantime, organizations must use what’s available to protect data leaving the building.





Copyright © by Sandhills Publishing Company 2010. All rights reserved.