As with any risk mitigation initiative, storage security requires that IT organizations begin by assessing the situation at hand. Making storage security a natural extension of storage pools and classification efforts will simplify the process.
Users need to identify information assets, their relative value, degree of exposure and likelihood of a breach. This can be done with a simple matrix that assesses exposure (loss potential) against the probability of an event. It is advisable to enlist the stakeholders of the information in the process, as they ultimately decide the value of data. However, as is often the case with prioritization efforts, everyone believes his data is most important and should reside on the highest-performance, most reliable systems. In the case of storage security, the complicating issue is often that greater degrees of security reduce flexibility, and business lines are typically willing to compromise security to preserve flexibility. These countervailing pressures should be considered and addressed in a relative manner in any assessment, in order to provide a clear picture to executive decision-makers.
In any event, the notion of a maximum acceptable loss (MAL) should be an outcome of the assessment. This threshold should guide storage managers and set the watermark for where discretionary decision-making can occur (i.e. if losses are kept below the MAL, then it is up to the discretion of the IT organization to implement the right technologies and processes).
What follows are strategies to mitigate losses based on this assessment. This may involve:
- Putting controls in place
- Eliminating the risk
- Transferring or sharing the risk
- Accepting the risk (e.g. for low impact events)
All of this should be done with an understanding of the costs, potential losses and residual exposures that can exist for assets that cannot be protected fully due to costs or other factors.
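The exposure-versus-probability matrix, the MAL threshold and the four mitigation strategies above can be turned into a small risk register. The following is an added example, not code from the original article: the exposure and probability bands, the MAL figure, the sample assets and the mapping from matrix cell to strategy are all assumptions chosen for illustration, and the residual-exposure figure simply sums the expected loss of items left to accept or discretionary handling.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    owner: str           # stakeholder who decides the data's value
    exposure: float      # loss potential if breached, in currency units
    probability: float   # estimated likelihood of a breach per year (0..1)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.exposure < 0:
            raise ValueError(f"{self.name}: exposure cannot be negative")

    def expected_loss(self) -> float:
        """Annualised expected loss: loss potential weighted by probability."""
        return self.exposure * self.probability


# Assumed band boundaries for the three-by-three assessment matrix.
EXPOSURE_BANDS = (10_000, 100_000)     # low < 10k, medium < 100k, high >= 100k
PROBABILITY_BANDS = (0.1, 0.5)         # low < 10%, medium < 50%, high >= 50%


def rate(value, low, high):
    """Bucket a value into the low / medium / high rows or columns of the matrix."""
    if value < low:
        return "low"
    if value < high:
        return "medium"
    return "high"


def matrix_cell(asset):
    """(exposure band, probability band) for one asset."""
    return (rate(asset.exposure, *EXPOSURE_BANDS),
            rate(asset.probability, *PROBABILITY_BANDS))


def recommend(asset, mal):
    """Assumed mapping from the assessment to the four strategies listed above."""
    loss = asset.expected_loss()
    exposure_level, prob_level = matrix_cell(asset)
    if loss <= mal and exposure_level == "low":
        return "accept"                   # low impact event, within the MAL
    if loss <= mal:
        return "discretionary"            # under the MAL: IT chooses controls
    if exposure_level == "high" and prob_level == "high":
        return "eliminate or transfer"    # too large to control economically
    return "controls required"


def assess(assets, mal):
    """Build a risk register sorted by expected loss, highest first."""
    register = [{
        "asset": a.name,
        "owner": a.owner,
        "cell": matrix_cell(a),
        "expected_loss": a.expected_loss(),
        "strategy": recommend(a, mal),
    } for a in assets]
    register.sort(key=lambda r: r["expected_loss"], reverse=True)
    return register


def residual_exposure(register):
    """Expected loss that remains with items accepted or left to IT discretion."""
    return sum(r["expected_loss"] for r in register
               if r["strategy"] in ("accept", "discretionary"))


# Constructed sample assets; the figures are illustrative only.
SAMPLE_ASSETS = [
    Asset("customer PII archive", "sales", 500_000, 0.2),
    Asset("offsite backup tapes", "finance", 200_000, 0.6),
    Asset("marketing web assets", "marketing", 8_000, 0.5),
    Asset("dev test data", "engineering", 50_000, 0.3),
]
MAL = 25_000  # assumed maximum acceptable loss agreed with the stakeholders

if __name__ == "__main__":
    register = assess(SAMPLE_ASSETS, MAL)
    for row in register:
        print(f"{row['asset']:<24} {row['cell']!s:<20} "
              f"{row['expected_loss']:>10,.0f}  {row['strategy']}")
    print(f"residual exposure: {residual_exposure(register):,.0f}")
```

Sorting by expected loss gives executives the relative picture the assessment is meant to provide, while the MAL comparison separates what IT may decide on its own from what must go back to the business line.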
Action Item: Storage security starts with a proper assessment of the assets being secured. IT should use a common framework that can be applied to cut through the politics of decision-making and, if necessary, used as a 'stick' to cajole stubborn lines-of-business who are willing to trade adequate security for flexibility.