Implementing storage network security
Last Update: Feb 20, 2008 | 11:04
Viewed 2993 times | Community Rating: n/a
Originating Author: Janet Engle

In the early days of the computer industry, storage systems were physically large and resided within the confines of a controlled data center environment. Storage systems have evolved into lightweight devices and are easily accessible over corporate networks, making them more vulnerable to security breaches. Fueled by the growing costs of recovering from intrusions, public concerns over privacy and identity theft, and increased government regulations, businesses are spending more time and money to develop or improve storage network security systems.

Data storage security is regulated by various state, federal, local and industrial ordinances. In many cases, failure to provide adequate security can result in legal sanctions against the company or executives.

Information security ordinances include:

Health Insurance Portability and Accountability Act (HIPAA)

  • HIPAA regulates how Protected Health Information (PHI) can be used and to whom it may be disclosed. PHI includes health status, health care and health-related payment history that can be linked to an individual. HIPAA requires that companies make a reasonable effort to disclose PHI only to authorized recipients.

Gramm-Leach-Bliley Act (GLBA)

  • GLBA requires that financial institutions have a written plan for data security and perform a risk analysis on their current practices. Institutions are required to protect consumers’ personal information.

California Information Practice Act (SB 1386)

  • The California Information Practice Act requires businesses to notify California residents – whether they are employees, customers or clients – when there has been a verified or suspected data breach involving their personal information.


Contents

  • 1 Storage network security capabilities
  • 2 Specific operational goals of storage network security
  • 3 Storage network security implementation risks
  • 4 Storage network security initiative
    • 4.1 Expectations (Out-of-scope)
    • 4.2 Analyze phase
      • 4.2.1 Acceptance test considerations
      • 4.2.2 Key analysis milestones
    • 4.3 Design phase
      • 4.3.1 Acceptance test considerations
      • 4.3.2 Key design milestones
    • 4.4 Deployment phase
      • 4.4.1 Acceptance test considerations
      • 4.4.2 Key deployment milestones
  • 5 Initiative summary

Storage network security capabilities

Storage network security is the protection of digital information as it is being stored (“at rest”) or transferred across local or public networks (“in motion”). Storage network security involves all procedures that limit unauthorized access to data, from turning monitors away from public areas to using advanced encryption protocols.

Security for shared network storage devices typically addresses vulnerabilities by providing some combination of the following: 1) authentication and auditing capabilities, which track who made changes to which data and when; 2) physical security, ranging from locked doors to bank-like procedures measuring the weight and metal content of people entering and leaving a site; and 3) encryption of data in arrays or tape systems, which uses keys to render data unreadable to non-authorized devices.

Specific operational goals of storage network security

The cost of implementing network security averages about 6% of a business's IT budget. For the standard WikiBon business model, this equals approximately $2.4 million. Yearly maintenance costs to keep security devices and software updated average 1.5% of total IT spending, or $0.6 million for the standard WikiBon business model.

Applying this to storage network security would indicate approximately 5-10% of the storage budget should be allocated to storage network security annually. This would equate to as high as $0.5M using the standard WikiBon business model.

Although many companies underfund information security efforts, investing in them can have a significant ROI. In 2006, companies spent an average of almost $5 million on security because of storage network breaches. The average cost to recover a single lost record is $140.

Security breaches that are the result of noncompliance can result in hefty fines. On 1/26/2006, nearly a year after 163,000 records were breached, ChoicePoint of Alpharetta, GA settled with the Federal Trade Commission (FTC) for $15 million in penalties.

Depending on the type of and sensitivity of the information being stored, data security efforts may be geared toward a combination of several goals:

  • To protect against data theft.
  • To limit the possibility of legal penalties and public backlash because of unauthorized access to data.
  • To prevent unauthorized changes to data records, whether malicious or accidental.
  • To establish the authenticity of information records and transactions.
  • To increase business activity uptime.
  • To comply with industry-specific regulations.

In addition, if approached properly, storage network security can feed corporate compliance systems and save on reporting costs.

Storage network security implementation risks

There are several risks that can threaten the successful implementation of a storage network security system, including:

  • Encryption. Encryption involves tradeoffs. For example, if encryption occurs too early in the process it can negatively impact data compression rates. If encryption goes wrong (for example if keys are corrupted or lost) data becomes unreadable.
  • Availability impacts. Storage network security involves substantial changes to management software and processes which can negatively impact application availability during the adoption phase.
  • Attitude, culture and mindset. Adding unfamiliar or more complicated protocols to access data may frustrate programmers and employees, negatively impacting morale and productivity.
  • Storage network security standards are evolving somewhat rapidly, especially outside of traditional mainframe environments. What's implemented today may be outdated in the near-to-mid term.
  • Applying storage security to remote disaster recovery systems complicates an already complicated and expensive process.

In addition, using outside contractors to develop, deploy or audit a security system creates more access points where insider, close-in and distribution attacks can occur. Screening contractors and using reputable companies can help reduce this risk.

Storage network security initiative

Broadly, there are three types of storage network security safeguards:

Administrative

Administrative security safeguards include written policies and procedures about who is authorized to access data, protection plans, contingency plans in case of data emergencies and security breaches, and network security training. Administrative strategies attempt to reduce malicious and nonmalicious insider attacks.

Physical

Physical security measures include controlling physical access to data records. This includes removing workstations from high traffic areas, disposing of retired equipment in a way that doesn’t jeopardize data, controlling where data is physically stored, and monitoring the use of hardware and software inside and outside of the company’s facilities.

It is likely that most security breaches can be prevented by increased physical safeguards. In a 2006 study, the Ponemon Institute found that 49% of security incidents were the result of lost portable devices. Another 26% were the result of lost electronic backup devices.

Physical strategies are generally focused on protecting against insider and close-in attacks.

Technological

Technological safeguards are means of preventing data communications from being accessed by anyone other than the intended recipient and of protecting all devices involved in the storage network from unauthorized access. Technological safeguards include password systems, external authentication, two- or three-way handshakes, centralized logging and digital signatures.

Technological strategies help protect against active, passive and distribution attacks.

Depending on degree of risk, complexity, cost and skill sets, these approaches will be implemented to varying degrees through the analyze, design and deploy phases of a storage network security project.

Expectations (Out-of-scope)

The following items are necessary and should be in place for a successful storage network security implementation:

  • An overall IT and network security risk assessment study has been completed including threat probabilities and overall business impacts. This will set a context and basis to develop a credible storage network security plan.
  • Overall IT security objectives and advised spending levels and budgets are in place so that a storage security plan can be developed in context.
  • Requirements for compliance reporting have been established such that the storage network security component can feed the overall reporting system.

Analyze phase

Acceptance test considerations

The analysis phase is complete when the current storage network security system and the current and future security needs have been identified, documented and the following items have been agreed with the overall IT security group ('Security Czar'):

  • The risks have been identified and quantified including cost of exposure down to the storage network level.
  • An analysis and a strawman solution for each area of risk have been put forth (e.g. audit, authentication, physical, encryption).
  • A high-level gap analysis has been completed identifying weaknesses in the current architecture, auditing and authentication.
  • Cost of the project has been generally estimated and agreed.

Key analysis milestones

  1. Candidate data identified and potential threats classified
  2. Security priorities assessed
  3. Security features gap analysis conducted between current system and desired state
    • Are the current security features up to date?
    • Do they protect the data at every point from which it can be accessed?
    • Have they adequately protected the network against previous attacks?
  4. Perimeter of storage network determined
    • Does the data flow to or from remote locations?
    • Do you exchange information with other companies?
  5. Applicable regulations researched and documented
    • Does the current security system meet or exceed industry and government requirements?
  6. First pass (strawman) design proposed
    • Complete cost estimates as a baseline for design phase
  7. Recommendation finalized as to how to proceed
    • Order of storage network security measures to be implemented identified

Design phase

Acceptance test considerations

The design phase is complete when a plan for meeting the company’s storage security needs has been developed and accepted by the IT security decision-making group.

Key design milestones

  1. Attack points determined for potential data threats
    • Penetration tests that simulate attacks on the storage network can help locate vulnerabilities
  2. Network security requirements prioritized
    • Develop functional rollout plan accordingly for storage network components
  3. Physical threat policies developed
  4. Intrusion prevention system (IPS) and Intrusion detection system (IDS) architected within the storage network
    • An IDS constantly monitors the storage network, looking for activity that indicates a data security breach
    • If a suspicious pattern is noticed, the IPS immediately shuts down all data flow to the suspect part of the storage network and alerts appropriate individuals
  5. Authentication and auditing software researched and selected
    • Authentication and auditing software identifies applications trying to access data and determines if the access should be allowed or denied
  6. Secure backup and remote data recovery measures developed
  7. Reporting procedure developed
    • Emphasize a reporting procedure so employees can inform appropriate IT professionals if they are unable to access necessary data or services
  8. Process to feed compliance reporting system designed
  9. Testing procedures for deploy phase designed

Deployment phase

Acceptance test considerations

The implementation phase is complete when the new storage security system is built, tested and brought into service. The system should be evaluated regularly by independent security auditors throughout its lifespan.

Key deployment milestones

  1. Highest priority components of storage network strategy implemented
    • Implement appropriate auditing, authentication, physical security and encryption strategies as specified in design phase.
  2. Testing completed
    • Check of compliance with test scripts recommended in design phase
    • Perform tests
    • Verify system behaves as expected
  3. Training completed
    • Develop courseware
    • Develop rules, regulations and clear penalties for violations
    • 100% of relevant professionals trained, certified and informed of changes in policies
  4. Change management processes and procedures established
  5. Follow-up penetration tests performed
    • Comparison protocols defined and implemented - regularly comparing two or more sets of the same data helps reveal unauthorized modification or destruction of information and ensure the integrity of the network
    • Regularly scan, test and audit storage network activity
    • Record all user activity and review on a regular basis
  6. Security rules and procedures updated
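The "comparison protocols" milestone above (regularly comparing two or more sets of the same data to reveal unauthorized modification or destruction) is the kind of check that is easy to automate. The following is an added example, not code from the Wikibon note: it builds a SHA-256 manifest of a baseline copy of stored records, protects the manifest itself with an HMAC so that tampering with both the data and the manifest is still detected, and reports modified, missing and unexpected records in a later copy. The record names, contents and the manifest key are constructed sample values.

```python
"""Integrity comparison of two copies of the same data set (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List


def build_manifest(records: Dict[str, bytes]) -> Dict[str, str]:
    """Map each record name to the hex SHA-256 digest of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest.

    The baseline manifest is a target in its own right: if an attacker can
    rewrite it to match altered data, the comparison proves nothing. Keeping
    the key away from the storage administrators who can change the data
    makes the manifest trustworthy.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    """Constant-time check that the stored manifest has not been altered."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the records that differ between the two copies.

    modified: present in both copies but the digest differs (change or corruption)
    missing:  in the baseline but absent from the current copy (deletion)
    added:    in the current copy but not in the baseline (unexpected data)
    """
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    missing = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def integrity_ok(report: Dict[str, List[str]]) -> bool:
    """True only when no category of difference was found."""
    return not any(report.values())


# Constructed sample data: a baseline copy of customer records and a later copy.
MANIFEST_KEY = b"constructed-sample-key-not-for-real-use"
BASELINE_COPY = {
    "cust/1001.rec": b"Alice Smith,Acct 4471,Balance 1200.00",
    "cust/1002.rec": b"Bob Jones,Acct 4472,Balance 310.55",
    "cust/1003.rec": b"Carol White,Acct 4473,Balance 98.10",
}
LATER_COPY = {
    "cust/1001.rec": b"Alice Smith,Acct 4471,Balance 1200.00",
    "cust/1002.rec": b"Bob Jones,Acct 4472,Balance 9310.55",  # balance altered
    # cust/1003.rec has been deleted
    "cust/1004.rec": b"Unknown,Acct 0000,Balance 0.00",  # not in the baseline
}


def sample_report() -> Dict[str, List[str]]:
    """Run the full check on the constructed sample and return the report."""
    baseline = build_manifest(BASELINE_COPY)
    tag = sign_manifest(baseline, MANIFEST_KEY)  # stored alongside the manifest
    if not verify_manifest(baseline, tag, MANIFEST_KEY):
        raise RuntimeError("baseline manifest has been tampered with")
    return compare_manifests(baseline, build_manifest(LATER_COPY))


if __name__ == "__main__":
    report = sample_report()
    for kind, names in report.items():
        print(f"{kind}: {names}")
    print("integrity ok" if integrity_ok(report) else "integrity FAILED")
```

In practice the baseline manifest and its tag would be generated when records are written and stored on a system the storage administrators cannot modify, with the comparison scheduled as one of the regular audit scans the milestone calls for.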

Initiative summary

Implementing storage network security is a journey that should be taken in steps starting with the highest risk data and the strategies that will give the best return on investment. Frequently auditing and authentication are good starting points and will provide meaningful impacts. Physical security can often provide excellent benefits and is generally straightforward. Encryption, while potentially powerful and often critical, carries the greatest degrees of complexity and risk.

categories
How-To notes, Storage security
Contributors

Dab4168

Mrgood

Dvellante

