|
 |
|
General Information
|
Add To My Personal Library |
November 7, 2008
• Vol.30 Issue 45
Page(s) 11 in print issue
|
Storage At Risk
Focusing On Storage Security Can Hold Off The Rising Surge Of Enterprise Data Leaks
|
| Key Points
• Organizations must understand what data is critical to the business and how and where that data is being used.
• Network monitoring can track access of stored data and provide crucial information should a breach occur.
• Storage security policies are necessary to ensure that stored data doesn’t get into the wrong hands. | | Today’s storage landscape covers a massive amount of territory that spans both internal and external enterprise real estate. Unlike storage landscapes of ages past, managers now must grapple not only with a seemingly endless array of storage devices but also with an increasing number of methods by which employees—or even outsiders—can access enterprise data.
According to Gary Brown, director of storage solutions for Forsythe Solutions Group (www.forsythe.com), the security concerns surrounding this landscape can be boiled down to three areas. The first is network-attached storage, which continues to increase in deployments and in users accessing that storage, which in turn boosts the potential of unauthorized access to confidential information. The second is data mobility, where the increase of mobile media such as flash drives and removable disks, as well as other portable storage, such as tapes, can put information and its owners in jeopardy.
 The third area, Brown says, is endpoint data. “Mobile devices, primarily laptops, often have sensitive information and can be a source of data leakage. As mobility of the work force increases, so does this threat,” he says.
 Obtain A Clear View
Experts contend that the first step in effectively addressing storage security issues is determining which parts of a storage architecture are at risk. Jame Ervin, product manager for DNF Security (www.dnfsecurity.com), says that organizations must define what information is critical, determine if they are liable in case of data breach, and, if so, examine what the consequences would be. To do this, a round of questions is in order, she says.
“For data leaving the building, how has it been secured? Is it encrypted? Will it be transported safely? Will the final resting point also be safe? For managing data in the building, don’t forget to look at the network for managing devices. . . . Is the monitoring network safe and secure, or is it on a public network? If it is, this opens up a big hole in your infrastructure. And then the last critical piece is controlling access to data in general. Who is able to see the contents of the storage system, and are there ways unauthorized users can also access it?” she says.
To accommodate the perpetually growing demands of their users, IT managers inevitably spend a good deal of time and resources providing adequate storage. But if similar time and resources are not spent on watching what happens with that storage, the likelihood of a security breach can increase dramatically. Andre Muscat, director of engineering at GFI Software (www.gfi.com), says that the failure to monitor network activity and audit activity is a common storage-based vulnerability at small and midsized enterprises.
“For a single administrator, monitoring event logs and carrying out regular audits is a massive undertaking, time-consuming, and often manually impossible,” he says. “However, even if this is not done throughout the network but within the confines of the storage environment, it is not only information security best practices, but logs have proven to be a source of great value if a security breach occurs and an investigation ensues. Log analysis transcends all of this, as it is not only a post-event type of tool but it also allows you to better understand the way your resources are being used and allows for improved management of it—coupled with security hardening.”
The Encryption Question
In theory, encryption is an incredibly staunch barrier against storage-based security threats, and SMEs unfamiliar with encryption technologies might experiment with them to shore up their defenses. But in practice, the use of encryption brings its own set of barriers that can impede everyday business processes, according to Kevin Daly, CEO of iStor Networks (www.istor.com).
"There is a conceptually straightforward way to prevent [unauthorized storage access]: Encrypt the data before putting it on the drives. But no one does this because the impact of encrypting all of the data going to storage is very large from a performance perspective, and the process of managing the keys that are required to access the data is almost conceptually impossible. Even those willing to live with the performance impacts of encryption don't do it because the consequence [i.e., the loss of data] of any screw-up in the process—and there are lots of possibilities—is too ugly to think about,” Daly says.
However, Daly still recommends encrypting drives whenever possible, particularly in the case of mobile devices. He says that encryption (using either hardware or software techniques) is also valuable when protecting backup media.
Push Policy
Monitoring, encryption, permissions, VPNs, and other technologies and techniques can go a long way toward protecting a storage infrastructure, but experts generally agree that a well-defined policy is equally important.
“A common mistake made by IT administrators in SMBs is that once they have deployed a security product, they put their mind at rest that the network is secure,” says Muscat. “Wrong. Technology alone will not protect a company’s data. Strong and enforceable security policies, as well as employee and management awareness, will go a long way toward improving the level of storage security in the organization.”
Muscat says that a storage policy must be effective, easy to understand, and, most importantly, enforceable without creating other problems. After all, he says, it is useless to tighten access controls if the end groups of employees will not be able to effectively do their jobs. Further, the security policies should be updated regularly to account for new threats, developments in the organization, and changes in processes and/or data storage requirements. 
by Christian Perry
Biggest Problem: The Human Factor
IT managers are quick to point at notebooks, flash drives, and other devices when attempting to identify prime storage vulnerabilities. Yet these devices are only as unsafe as the employees who use them.
“Very few employees would purposely expose thousands—or millions—of innocent customers, partners, or clients to identity theft,” says iStor Networks CEO Kevin Daly (www.istor.com). “The terrifying reality, however, is that many of your employees have the power to do these or similar things by compromising data resources. No matter what technology you employ, your employees must have access to your critical data and, therefore, they represent an inherent vulnerability. This means that they have the opportunity to expose, lose, misuse, or otherwise compromise this data. Modest technology solutions coupled with an informed, motivated, and aware workforce are much more effective than extreme technology solutions with an ignorant, unaware, or demotivated workforce.”
Greg Gendron, worldwide enterprise system tape manager for IBM (www.ibm.com), agrees, noting that SMEs cannot secure their systems with technology alone—they must take action around employee awareness and policy to ensure that the technology remains deployed. However, he warns that reliance on a policy alone puts too much trust in employees, which in turn holds immense risk. |
|
|
