Watch your back: The mounting risks of unauthorized data access, theft and corruption in secondary storage - SAN

Computer Technology Review, Feb, 2003 by Scott Gordon

Secondary storage, such as backup and replication, equates to greater application availability, recovery and business continuity. It is also associated with greater data volume than primary storage. In practice, we are talking about managing large backup processes and tape libraries, cataloging and storing (distributing, vaulting and scratching) numerous tapes, pooling and virtualizing backup resources for better economies. It may also allow transferring images and data outside the glass house to peer data centers or service providers. In some cases, some or part of backup, vaulting or recovery projects are outsourced. Today, these storage functions are handled by more people, transferring stored data to more locations and placing sensitive data on more dispersed mediums. While backup and replication inherently preserves data, the risk of unauthorized data access, theft or corruption in secondary storage is mounting.

Risks

Tape media is considered the most reliable and most prevalent source for enterprise data recovery. These backup tapes are small, portable and typically stored outside the confines of the data center for offsite disaster recovery purposes. Most stored data on tapes is left in the clear on removable media-- with tape loss or qualified access being discovered long after the fact. Unauthorized users have more time to readily read tape data, analyze confidential information and, in some cases, rebuild entire systems. Tapes used for bulk data transport can be misdelivered, lost or accessed with little owner awareness.

With replication, system snapshots are duplicated and often stored at various stages outside the primary site. Replication and tape virtualization capabilities offer better automation for system and data recovery purposes. It is this automation that can also increase liabilities should access be breached and images copied.

Lastly, storage administrators and service providers who manage and support backup processes/resources have greater knowledge about, and more immediate access to, this stored data. While enterprises have implemented access controls and tighter infrastructure management provisions, such safeguards fall short of protecting access to the tape media and data repositories. Additional safeguards should be reviewed to further enhance data integrity and confidentiality--namely, stored data authentication and encryption.

Security Building Blocks

What terms are used to describe strong security besides physical access controls? Strong encryption converts clear data (plain text) into an unreadable form called "cipher-text" using a secret key or password that is unbreakable without the particular decryption key. Authentication is a process to validate a transmission, message or originator by assuring the identification a given user or system--typically in the form of passwords or digital certificates (issued by a trusted authority). Authorization determines what an authenticated entity is granted permission to do or access. Integrity is a process that establishes that data has not been modified. A key is a value that when applied to a cryptographic algorithm can be used for strong data encryption, authentication, and integrity. Key management determines how keys are created, protected, distributed, recovered, updated and terminated. Strong encryption, authentication, authorization, data integrity, and centralized key management are the means to best miti gate the access exposures in tape media, virtualized tape systems and replicated images critical for authorized data/system recovery.

Given the distributed nature of secondary storage, considerations must be made regarding data management (e.g. compression), key management and data recovery. An ideal solution would support transparent deployment, enforce a security policy, enable central and remote management and be simple to implement--if not abstracted from day-to-day administration. It would also need to address the unique persistent storage requirements involved with ensuring archival and recovery processes. For recovery purposes, encrypted tapes may need to contain metadata that securely reference the encryption system used to protect the tape. This can be implemented at the host, the storage subsystem or in a tape media security appliance.

Solution Characteristics

Security is more likely to be adopted when it is transparent and non-obtrusive. Secondary storage data protection should accommodate different devices form factors, media types, volumes, media pools, interfaces, host types, media rates and so on. It should not impede the performance (read-write data rates) of the tape device--especially true for virtualized tape (disks that look like tape libraries). Operators should be able to continue to perform their tasks normally with functionality that can be deployed/enforced online, offline and nearline.

Keys will need to be mapped to media catalog data (which is vendor specific) to avoid affecting long term archival recovery. These keys will have a longer life--thus they will require protection against brute force attack (e.g. 56-bit DES will not suffice) and reasonable rekeying techniques (replacing an original key used in data protection with a new key). These characteristics ensure that storage administrators can add security into their functions without compromising data recovery or normal operating policies, processes, and procedures.