According to the Computer Security Institute/FBI 2006 study, the risks of data loss or unauthorized access account for 37% ($19 billion) of security-related losses.
Security, like Shrek, ogres and onions, has layers. Ensuring authorized access to data is in the data network layer. Ensuring security of data that is transported over networks, especially IP and iSCSI, is also a data networking layer issue. The technologies are known and well understood, and technologies such as encryption over the network are relatively low cost.
Ensuring physical security is a storage data center layer. The technologies include encryption of tapes when they are physically transported, using FCsec to ensure that devices are not removed from the network, and physically separating and isolating different storage pools according to the data security requirements of each pool. “Storage security starts with a proper assessment” suggests that storage pools be used to classify storage on a security dimension. Physical separation of these pools will conflict with operational flexibility, but will be necessary for the highest layers of security requirement.
Within this layer, the costs of security rise significantly. According to some estimates, over 80% of losses come from insiders who have authorization. Most important for this layer is the ability to know what data has been accessed, when, and by whom. Security logs and security audits of those logs are vital tools to make would-be thieves believe that they will be caught.
The final layer uses techniques such as encrypting data within the database or file system, and only holding encrypted data on the disk. There are high costs for holding the data on disk fully encrypted, both for the database servers and for storage. Because encrypted data looks random, data reduction techniques such as compression and data de-duplication are no longer effective. Loss of flexibility in storage operations can be a significant cost.
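The storage cost described above can be measured directly. The following is an added example, not part of the original article: it compares compression and fixed-block de-duplication on a constructed volume before and after encryption. The SHA-256 keystream is a stand-in for a real storage cipher, and the 4 KB block size, key and sample records are assumptions.

```python
import hashlib
import zlib

BLOCK = 4096  # de-duplication chunk size (assumption)

def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with a SHA-256(key || offset) keystream.
    Illustrative only; real storage encryption would use a vetted cipher."""
    out = bytearray(len(data))
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        chunk = data[off:off + 32]
        out[off:off + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)

def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size (lower is better)."""
    return len(zlib.compress(data, 6)) / len(data)

def dedup_ratio(data: bytes) -> float:
    """Unique blocks divided by total blocks (lower is better)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    unique = {hashlib.sha256(b).digest() for b in blocks}
    return len(unique) / len(blocks)

def sample_volume() -> bytes:
    """Constructed data: 4 distinct record pages, each stored 16 times."""
    pages = []
    for n in range(4):
        row = f"cust={n:04d};status=ACTIVE;region=EMEA;balance=000000.00\n".encode()
        pages.append((row * (BLOCK // len(row) + 1))[:BLOCK])
    return b"".join(pages[i % 4] for i in range(64))

def measure() -> dict:
    """Return (compression_ratio, dedup_ratio) for plaintext and ciphertext."""
    plain = sample_volume()
    cipher = keystream_encrypt(b"constructed-demo-key", plain)
    return {
        "plain": (compression_ratio(plain), dedup_ratio(plain)),
        "cipher": (compression_ratio(cipher), dedup_ratio(cipher)),
    }

if __name__ == "__main__":
    for name, (c, d) in measure().items():
        print(f"{name:6s} compressed/original={c:.3f} unique/total blocks={d:.3f}")
```

Because the keystream depends on the byte offset, identical plaintext pages at different positions produce different ciphertext, which is why every encrypted block is unique to the de-duplication engine.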
Action item: Chief information security officers (CISOs) need to understand the technologies available, and organize them into a layered defense. They should assume that the failure of any layer will be complete. They should trust nobody and verify. The decision of where to place data should be shared between the business and IT, but the technology costs should be budgeted for and borne by the business.