Moderator: Peter Burris
Analyst: David Floyer
For many years storage security was seen primarily as managing physical security for storage devices and media from unauthorized access or theft. Storage security was carried on largely in isolation, with little reference to security efforts at the application or network levels. While physical security remains important, particularly in the era of increasingly small and portable storage media, the development of pervasive networking has changed the nature of the threat and made integration of storage with network and application security vital.
In recent years emphasis has shifted from physical to logical security, with the new concerns of protecting data as it crosses the network and preventing unauthorized access from outside, either by individuals (hacker penetration) or by logical devices (viruses, worms and key loggers), dominating the security discussion. However, this is only part of the security picture; in fact, 90% of data security exposure originates not outside the organization but inside, with individuals who use legitimate access for legitimate activities. An adequate storage security plan must recognize this and take both logical and physical threats into account. It must also recognize that total security is impossible to achieve while providing the data access the organization requires to operate. Thus the correct security approach is to quantify the amount of risk the organization can tolerate and then provide security that reduces the exposure to that risk level, recognizing that breaches will still be possible.
The natural reaction to this realization is to want to encrypt every piece of data. While this would certainly provide excellent protection against unauthorized access, it comes at a high cost that makes this simple plan impractical. Encryption and decryption of large amounts of data add a tremendous processing load to servers. Deduplication and compression are also impossible once data is encrypted, driving huge growth in storage requirements. Finally, encryption does nothing to diminish the security exposure from individuals with legitimate access to the data, who also have access to the encryption keys.
It is therefore imperative that storage security administrators adopt a risk mitigation approach to security, classifying different data pools according to their exposure, determining the degree of security that each data pool requires, and building appropriate security methods into the procedures for handling that data pool. At one end, public data -- for instance data describing products and the company itself, and for publicly held companies, quarterly and annual reports -- requires only low levels of access control, and security needs to focus on preventing unauthorized changes to the material. At the other end of the scale, corporate financial data, information on products under development, and data such as personally identifiable medical information for which access is tightly regulated by law require very high levels of read, access and write security.
As a result, we see four basic classes of security for different sets of problems and data:
1. For go-to-jail data (e.g., medical records, product research information, customer account information) data encryption is an absolute requirement, both when it is being moved over the network and when stored on media.
2. Other data must be kept "in the clear". However, audit technology should be applied to all storage pools, whether encrypted or not, to record who accesses what data when and who changes what data when, and both read and write access should be restricted as appropriate. That at least allows security personnel to determine who is responsible after an exposure or alteration is discovered, and at best allows security to employ pattern analysis to identify suspicious activity early and prevent exploits.
3. All automatic copying routines must be identified and either shut down or incorporated into the data security plan to ensure that proper security levels are maintained. Often data centers have low-level batch copy routines in place to move data from one application to another, or in some cases to share that data with business partners. The problem is that the application receiving the data may not operate at as high a security level as the data requires, while moving data outside the organization completely has obvious security implications.
4. On the physical side, data administrators must fully consider the implications of the increasing portability and plug-and-play characteristics of storage media such as tape and disk cartridges. We believe the best solution is for vendors to build RFID into their portable media cartridges, allowing IT to institute procedures based on those used by the large package movers (UPS, Federal Express, etc.) to track the movement of these devices.
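The classification approach above, together with the first three classes of control (mandatory encryption for go-to-jail data, audit of every pool with pattern analysis, and review of automatic copy routines), can be expressed as a small policy checker. The following is an added example written for this note, not code from the original or from any vendor; the pool names, the audit record format, the publisher account and the read threshold are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# --- Data pool classification (assumed pool names, for illustration) --------
# "restricted" corresponds to the note's go-to-jail data: encryption is
# mandatory at rest and in transit. Auditing applies to every pool,
# encrypted or not.
POOL_CLASS = {
    "medical-records": "restricted",
    "product-research": "restricted",
    "finance-ledger": "internal",
    "marketing-site": "public",
}
CLASS_RANK = {"public": 0, "internal": 1, "restricted": 2}
REQUIRES_ENCRYPTION = {"restricted"}
# Accounts permitted to change public material (assumed). Any other account
# writing to a public pool is the "unauthorized change" the note warns about.
PUBLIC_WRITERS = {"webpublisher"}


def classify(pool):
    """Unknown pools are treated as the most sensitive class rather than guessed at."""
    return POOL_CLASS.get(pool, "restricted")


def check_pool_configs(configs):
    """configs: dicts with name, encrypted_at_rest, encrypted_in_transit, audited.
    Returns a list of policy violations as strings (empty when compliant)."""
    violations = []
    for c in configs:
        cls = classify(c["name"])
        if cls in REQUIRES_ENCRYPTION and not c["encrypted_at_rest"]:
            violations.append(f"{c['name']}: restricted data not encrypted at rest")
        if cls in REQUIRES_ENCRYPTION and not c["encrypted_in_transit"]:
            violations.append(f"{c['name']}: restricted data not encrypted in transit")
        if not c["audited"]:
            violations.append(f"{c['name']}: access auditing disabled")
    return violations


def check_copy_jobs(jobs):
    """jobs: (source_pool, destination) pairs. A destination of 'external'
    models a batch routine that shares data with a business partner.
    Flags any job moving data to a lower class or outside the organization."""
    flagged = []
    for src, dst in jobs:
        if dst == "external":
            flagged.append(f"{src} -> external: data leaves the organization")
        elif CLASS_RANK[classify(dst)] < CLASS_RANK[classify(src)]:
            flagged.append(f"{src} -> {dst}: destination has lower security class")
    return flagged


# Assumed audit record format: "<timestamp> user=<u> pool=<p> op=read|write obj=<o>"
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) pool=(?P<pool>\S+) "
    r"op=(?P<op>read|write) obj=(?P<obj>\S+)$"
)


def parse_audit(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_suspicious(records, read_threshold=3):
    """Two simple pattern checks over parsed audit records:
    - a user reading more than read_threshold distinct objects from a restricted pool
    - a write to a public pool by an account that is not an approved publisher."""
    reads = defaultdict(set)
    alerts = []
    for r in records:
        cls = classify(r["pool"])
        if r["op"] == "read" and cls == "restricted":
            reads[(r["user"], r["pool"])].add(r["obj"])
        if r["op"] == "write" and cls == "public" and r["user"] not in PUBLIC_WRITERS:
            alerts.append(f"{r['ts']} unauthorized change to {r['pool']} by {r['user']}")
    for (user, pool), objs in sorted(reads.items()):
        if len(objs) > read_threshold:
            alerts.append(f"{user} read {len(objs)} distinct objects from {pool} "
                          f"(threshold {read_threshold})")
    return alerts


# Constructed sample input, not taken from any real environment.
SAMPLE_CONFIGS = [
    {"name": "medical-records", "encrypted_at_rest": True, "encrypted_in_transit": True, "audited": True},
    {"name": "product-research", "encrypted_at_rest": False, "encrypted_in_transit": True, "audited": True},
    {"name": "finance-ledger", "encrypted_at_rest": False, "encrypted_in_transit": True, "audited": False},
    {"name": "marketing-site", "encrypted_at_rest": False, "encrypted_in_transit": False, "audited": True},
]
SAMPLE_JOBS = [("medical-records", "finance-ledger"), ("finance-ledger", "external"),
               ("marketing-site", "finance-ledger")]
SAMPLE_AUDIT = [
    "2024-03-01T09:15:02Z user=alice pool=medical-records op=read obj=rec-1001",
    "2024-03-01T09:15:09Z user=alice pool=medical-records op=read obj=rec-1002",
    "2024-03-01T09:15:15Z user=alice pool=medical-records op=read obj=rec-1003",
    "2024-03-01T09:15:21Z user=alice pool=medical-records op=read obj=rec-1004",
    "2024-03-01T09:20:00Z user=bob pool=medical-records op=read obj=rec-1001",
    "2024-03-01T10:02:11Z user=webpublisher pool=marketing-site op=write obj=index.html",
    "2024-03-01T10:05:40Z user=carol pool=marketing-site op=write obj=pricing.html",
    "garbage line that does not match the audit format",
]

if __name__ == "__main__":
    for line in check_pool_configs(SAMPLE_CONFIGS) + check_copy_jobs(SAMPLE_JOBS):
        print("POLICY:", line)
    for line in find_suspicious(parse_audit(SAMPLE_AUDIT)):
        print("ALERT:", line)
```

On the sample input the configuration check reports the unencrypted product-research pool and the unaudited finance ledger, the copy-job check flags the restricted-to-internal move and the external share, and the audit pass flags carol's write to the public pool and alice's unusually broad read of medical records. The read threshold is deliberately a parameter: the right value is whatever baseline the organization's own access patterns justify, which is the risk-tolerance decision the note describes.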
It is also imperative that storage administrators remove artificial barriers between storage and network and application security to create a single, seamless security strategy across the enterprise. For instance, network security rather than storage security should control access to iSCSI ports on storage devices, while network and application security must recognize the specific needs of storage, for instance to audit all data access.
Action item: Storage administrators should regard security as an onion with multiple layers ranging from the physical up through the logical, transport, etc. They should work with security administrators at other levels in IT and the organization at large, particularly the application and network organizations in IT and physical security in the larger organization, to develop a single integrated plan. This plan should provide the optimal levels of security to reduce threat exposure to the organization's level of acceptable risk with minimum disruption to legitimate activities. This will allow storage security administrators to focus on the specific layers that fall primarily under their purview, ensuring proper storage practices, starting at the physical layer and moving out to more logical issues such as audit and data access.