Storage security: issues and answers - Storage Management
Computer Technology Review, Oct, 2003 by Peter C. Conway
In an age when virtually all corporate data spends 99% of its lifetime in storage, the risks of illicit and malevolent access to storage facilities can affect a company's survival--and the rights of its customers. This issue has become so critical that several legislative actions have already been taken. In 1999, for example, the Gramm-Leach-Bliley Act addressed the need for privacy in the financial industry; and in 2003, the Health Insurance Portability and Accountability Act (HIPAA) did the same for the healthcare industry. More recently, California law SB 1386 required reporting of any theft of personal data unless that data is encrypted when stored--a requirement that is now being considered at the federal level, as well. And, the European Union has also been active in this arena, issuing several data privacy directives.
Determining Risks
The message is clear: unless stored data is securely protected against Internet hackers, disgruntled employees, common thieves, and damage from simple human errors, consequences can be significant--and take a toll counted in dollars that far exceeds the cost of an effective security solution.
Threats may be geographic, political, internal or competitive in nature, and may be active, passive, malicious or accidental. However, unless a company knows what these risks actually involve, they cannot be minimized. Once known, risks must be categorized by their potential for business loss and their legal impact. Alternatively, companies may decide that some risks are acceptable, and decide that the costs of addressing them outweigh potential losses. In other words, how storage is secured is a business decision and must be addressed from a cost/benefit perspective.
To determine business risk, threats (such as identity spoofing or data disclosure) and vulnerabilities (disgruntled employees, availability of a disaster recovery plan, environmental and political conditions, etc.) must be identified. Then the likelihood of a loss due to these threats and vulnerabilities actually occurring must be calculated. A fairly good idea of real business impact can be derived by multiplying these probabilities by the estimated dollar losses associated with such events. Companies can determine risk by answering these six questions:
* How secure is my data?
* Can I prevent data from being taken?
* Can I protect data from being made incorrect?
* What is the probability of those losses actually occurring?
* How much would it cost to protect data resources from theft and corruption?
* What could the losses be if risk mitigation steps are not taken?
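The calculation described above, worked as an added example that is not part of the original article: each risk's expected loss is its probability multiplied by its estimated dollar loss, and a risk is accepted when protection costs more than the loss it would avoid. The risk names, probabilities, dollar figures and the residual-probability field are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float           # yearly likelihood of the loss (assumed)
    loss: float                  # estimated dollar loss if it occurs (assumed)
    mitigation_cost: float       # yearly cost of the protective measure (assumed)
    residual_probability: float  # likelihood once the measure is in place (assumed)

    def expected_loss(self) -> float:
        # Business impact if no mitigation steps are taken.
        return round(self.probability * self.loss, 2)

    def avoided_loss(self) -> float:
        # Portion of the expected loss that the measure removes.
        return round((self.probability - self.residual_probability) * self.loss, 2)

    def decision(self) -> str:
        # Cost/benefit test: protect only when the measure avoids more than it costs.
        return "mitigate" if self.avoided_loss() > self.mitigation_cost else "accept"


# Constructed sample register, not data from the article.
REGISTER = [
    Risk("identity spoofing on IP storage link", 0.10, 2_000_000, 60_000, 0.01),
    Risk("data disclosure by insider", 0.05, 5_000_000, 120_000, 0.02),
    Risk("operator error corrupts volume", 0.20, 150_000, 40_000, 0.15),
]


def assess(register):
    """Rank risks by expected loss and attach the cost/benefit decision."""
    ranked = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.name, r.expected_loss(), r.avoided_loss(), r.decision()) for r in ranked]


if __name__ == "__main__":
    for name, expected, avoided, decision in assess(REGISTER):
        print(f"{name:40s} expected={expected:>10,.0f} avoided={avoided:>10,.0f} {decision}")
```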
New Storage Technology
When evaluating storage security, enterprises also need to consider higher-level technology trends within their networking environment. For example, while automated networked storage certainly carries a wide range of benefits, it also exposes enterprises to new threats and vulnerabilities. And, with storage facilities linked on an IP network, risk exposure can be far greater than with the defined access links of a Fibre Channel network. Risks are compounded with remote services that extend storage access across the entire fabric of the Internet. In short, IP storage opens new communications paths to storage that demand new levels of protection--a technology trend whose benefits must be carefully balanced against its risks and the costs of mitigating those risks.
True, security is addressed by IP storage standards--both iSCSI and network attached storage protocols rely on IPsec for network encryption, and iSCSI mandates the use of the Challenge Handshake Authentication Protocol (CHAP) for host identification. But these protocols are only the beginning, laying the foundation for additional levels of protection through storage compartmentalization technologies such as zoning, LUN masking or network encryption.
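The CHAP host identification mentioned above, shown from both sides as an added example that is not part of the original article. The response formula is the one in RFC 1994; the Target class, the host name and the shared secret are constructed for illustration. CHAP proves knowledge of the secret without sending it, but it does not encrypt the session, which is why it is paired with IPsec.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(identifier octet || shared secret || challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Target:
    """Storage side (hypothetical class): issues challenges, verifies hosts."""

    def __init__(self, secrets):
        self.secrets = secrets   # host name -> shared secret
        self.pending = {}        # host name -> (identifier, challenge)
        self.next_id = 0

    def challenge(self, host):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)    # fresh random value, so old responses are useless
        self.pending[host] = (ident, chal)
        return ident, chal

    def verify(self, host, response):
        # pop() makes every challenge single-use
        ident, chal = self.pending.pop(host, (None, None))
        secret = self.secrets.get(host)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    secret = b"constructed-shared-secret"   # constructed sample value
    target = Target({"host-a": secret})
    ident, chal = target.challenge("host-a")
    answer = chap_response(ident, secret, chal)   # host side computes this
    accepted = target.verify("host-a", answer)
    replayed = target.verify("host-a", answer)    # challenge already consumed
    target.challenge("host-a")
    stale = target.verify("host-a", answer)       # old answer, new challenge
    return accepted, replayed, stale
```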
Additional security can be obtained by using digital fingerprint systems that render specific content as addressable storage. Storage protected this way is only accessible to those having the right digital signature--a paradigm similar to claim checks being required to retrieve a suit from a dry cleaning store.
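The "claim check" idea above, as an added example that is not part of the original article: the fingerprint of the content is the only address under which it can be retrieved, and it is re-checked on every read. The use of SHA-256, the class name and the sample record are assumptions made for illustration.

```python
import hashlib


class ContentAddressedStore:
    """Hypothetical in-memory store keyed by the fingerprint of the content."""

    def __init__(self):
        self._blobs = {}

    def put(self, data: bytes) -> str:
        # The fingerprint is the address: it is handed back as the claim check.
        address = hashlib.sha256(data).hexdigest()
        self._blobs[address] = data
        return address

    def get(self, address: str) -> bytes:
        data = self._blobs.get(address)
        if data is None:
            # Without the exact fingerprint there is nothing to retrieve.
            raise KeyError("no object stored under this fingerprint")
        if hashlib.sha256(data).hexdigest() != address:
            # Content changed after it was stored: refuse to return it.
            raise ValueError("stored object no longer matches its fingerprint")
        return data


def demo():
    store = ContentAddressedStore()
    record = b"constructed sample record"          # constructed sample input
    ticket = store.put(record)
    retrieved = store.get(ticket) == record

    wrong_ticket = hashlib.sha256(b"some other content").hexdigest()
    try:
        store.get(wrong_ticket)
        guess_rejected = False
    except KeyError:
        guess_rejected = True

    store._blobs[ticket] = b"tampered record"      # simulate on-disk tampering
    try:
        store.get(ticket)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return retrieved, guess_rejected, tamper_detected
```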
Not to be overlooked in securing storage management access is role-based access authorization. By linking access privileges to job function, administrative controls can be increased dramatically, giving, for example, night backup operators access to different capabilities than day operators.
An Enterprise Solution, Not a Single Application
Corporate security is highly individualized and dependent on specific corporate locations, operations and workflows. If employees are not given access to the Internet, then outside hackers may have little opportunity to penetrate corporate storage facilities.
As threats, vulnerabilities and the probabilities of real business losses increase, so too must defensive actions. Whatever storage security measures are taken must be taken in the context of the enterprise's operational requirements, its existing infrastructure, and its business practices.



