New rules force a focus on data

With so many other exciting technologies around to keep us interested, storage tends to get a raw deal. But although disks might seem boring to most of us, they form a crucial part of the system infrastructure and need to be included in any discussion of security.

The reasons are obvious. If you cannot guarantee the security, availability and integrity of your data, then all other security measures are a waste of time.

And the need for strong information security has never been greater. All the new regulations and legislation about corporate governance and privacy that we have seen introduced over the past couple of years demand that data is protected from unauthorized access, reflect the truth, and has not been altered either by accident or design.

So the results of Enterprise Storage Security, a recent study from the San Francisco-based Emmes Group (, make for chilling reading. They show that most organizations believe that by installing the traditional defenses such as firewalls, anti-virus and intrusion detection, they and their data are protected.

"Our hypothesis going into this study was that most IT shops have a false sense of security and a general misunderstanding of the real issues involved with security of data, whether at rest or in transit," writes Arun Taneja in the forward to the report.

"We were only surprised by the extent to which this is true."

Based on in-depth interviews with 555 senior executives in IT and security, the report reveals that storage security receives little attention compared with the effort that goes into protecting networks and the desktop.

The Emmes report suggests several reasons for the lack of storage security. It makes the point that security budgets have been stretched in recent years, and that few organizations are willing to acknowledge internal breaches of security. It adds that storage-area networks (SANs) and network-attached storage (NAS) are relatively new, and suppliers have been slow to introduce security features. Special purpose security storage appliances exist, but they too are very new and are poorly understood.

It emphasizes that existing LAN tools are inadequate for securing data in flight or at rest, even though these tools are used by some 85 percent of the respondents in the survey to secure their SANs and NASs.

More seriously, two-thirds of respondents said that any new system deployments would not be delayed by a lack of stored data security – their organizations would carry on despite having no security provisions in place. The same number thought their organizations did not comply with industry and international guidelines or U.S. privacy regulations relating to the data they stored.

Should we care? Well, a recent case illustrates that we must.

In mid-June, Texas-based consulting firm Perot Systems was asked by a European court to supply all the emails relating to a certain former employee, going back six years.

Michael Johnson, who had worked as a contractor for Perot at UBS Warburg in early 1999, claimed that defamatory information had been supplied to an employee-screening service and had cost him a job at Deutsche Bank.

He called for email evidence to be supplied, but Perot argued that the cost of finding the information after such a long time would cost around $7 million. The request was turned down by the court, but Johnson has appealed and the case continues.

The request in this case was made under U.K. data protection legislation, but the growing body of new governance and privacy regulations in both the U.S. and Europe raises the specter of more similar cases occurring.

The impact of the new rules places a heavy burden on organizations. Not only do they require data to be stored for longer periods, and protected from unauthorized access, but they demand solid proof that the data has not been changed or tampered with. This means that data management and protection will need to be given much more attention in future.

Which brings us to a new acronym to memorize, Information Lifecycle Management (ILM). ILM covers the process of handling data from the moment it enters the organization, by whatever means, is processed, and then moves through to the stage where it needs to be archived to meet legal compliance. It is a well-known concept in the world of paper documents, but is still relatively new in IT.

"We need to see documents in a legal framework," explains David Smith, a marketing manager with Hewlett-Packard's storage business. "A lot of people don't realize that if there is a dispute, they need to be able to retrieve all the records and prove they have not been changed."

Courts no longer make any distinction between paper and electronic records, he says, so companies must prove the information has not been tampered with. This means having the right technology and processes that will stand up to scrutiny under questioning. "You need to be able to prove just how good your processes and technologies are," he says.

It also implies having an audit trail in place and tamper-proof storage, such as WORM (write-once read many times) media. HP's answer is the RISS technology it acquired through its takeover of Persist Technologies last December. This manages archive material with sophisticated encryption of both content and keys.

One other big implication underlined by the Perot case is that companies need to be able to retrieve archived data easily and quickly.

"In building storage attached networks, many companies have ended up with islands of consolidated storage," says Chris Vance, an engineering manager for Brocade in Europe. "The challenge now is to bring them together and to make them easy to manage."

This is complicated by the need to manage soaring volumes of data, says Colin Privett, a regional vice-president at database specialist Princeton Softech. "If, for instance, you're storing customer data, you cannot just purge it. It has to be retained in case of a dispute."

That could have disastrous effects on the performance of production databases, so companies need to have processes in place for moving aged data off the production systems and on to nearline or offline storage that can be accessed easily if necessary. "In the past, the answer has been to throw money at it," says Privett. "More storage, more robots and more WORM devices."

Now companies need to develop proper policies and processes to manage what data goes where. And the benefits of such as an approach go far beyond merely achieving compliance. Databases work more efficiently when stripped of dormant files, and money can be saved by shifting information on to tape or some other archive medium.

The processes are also integral to business continuity and disaster recovery, where encryption of data needs to come as standard. "Data at rest is far more vulnerable to attack than data on the fly," says Joanna Shields, European managing director for storage company Decru. "If you wanted to steal a car, for example, you'd steal a parked car, rather than one speeding along at 60mph."

But with data encrypted, companies need be less concerned about outsourcing their data storage management, and having their files stored on the same machines as those of other companies.

The technologies exist to achieve all this. But as the Emmes report demonstrates, some attitudes within the IT industry need to change. For a start, storage management needs to be regarded with a lot more enthusiasm.

"Business has to take ILM seriously," says Hamish Macarthur, managing director of Macarthur Stroud, an analyst company specializing in storage issues. "A lot depends on how the keepers of the IT resources respond. Auditors don't think that IT people are up to it."

He believes that this is an excellent opportunity for IT people to "get closer to the true business issues, and protect the business from risk."

However, given the findings of the Emmes report, there is obviously some way to go before that happens.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.