Safe at rest

So LifeBridge executives figured if they were breaking the bank to implement new data entry capabilities, they better think about employing equally cutting-edge platforms to securely store that information, especially in the event of an unexpected disaster or unplanned downtime.

LifeBridge deployed EMC centralized storage solutions at its largest member, Sinai Hospital, which it says allows for ease of management and instantaneous data replication to another server at nearby Northwest Hospital.

"The impetus was that if we're going to depend on this [computer] technology so much, we're only going to be successful if we have backup technology in place," Panagiotopoulos says.

It seems that ever since SB1386, California's data breach notification law, took effect in the summer of 2003, storage has become one of the information security space's most active domains.

In the past, perimeter security dominated the focus of IT minds within an organization. Administrators mainly concerned themselves with stopping external malware attacks and other threats that could compromise network integrity, while storage protection was somewhat forgotten with the hope that ‘security by obscurity' would save the day.

Then, California passed its law in 2002, mandating that businesses notify residents should an unauthorized person acquire their personal information. Twenty-two other states followed suit, and by 2005, the public began hearing in earnest about massive data breaches caused by lost backup tapes and insider attacks. A fundamental shift within IT departments took shape as professionals began recognizing the value of information lifecycle management (ILM), a new industry buzzword that describes monitoring data throughout its lifespan.

"The real key is to understand what you have, and to classify it to the point where you know what you have and where it is, and establish policies within companies to determine what needs to be protected and at what level," says Sal Capizzi, Yankee Group's senior research analyst.

This year, the storage market has made headlines in ways other than breaches, most notably EMC's $2 billion purchase in July of Bedford, Mass.-based RSA Security. The deal highlights a trend toward convergence as storage firms realize the benefit of integrating security into their offerings. It also demonstrates an emerging cash cow for storage vendors catering to organizations bound by compliance requirements. Storage sales amounted to nearly $6 billion in 2004, according to Gartner.

There also exists a trend among organizations to enhance business continuity and disaster recovery strategies, especially in light of Hurricane Katrina. "Your data is your lifeblood," says David Hill, principal of industry analyst firm Mesabi Group. "Sure, people and processes are critical, but what would you do without your data?"

The value of encryption

When it comes to securing data at rest, encryption is typically tossed around as the most obvious solution. On the surface, the concept makes sense: Should an organization's confidential information be breached, the thief will not be able to read it. Plus, because it is encrypted, the organization is able to avoid the embarrassment of notifying its customers.

"There have been some high-profile banking customers that have lost tapes in transit," says Bob Lockhart, chief systems architect at Milpitas, Calif.-based storage security firm NeoScale Systems. "If personal information was exposed and wasn't encrypted, they're forced to report that breach. We're also seeing more auditors getting savvy. That's going to be a driver for more encryption solutions."

Paul Howard, managing director of Disuk, a U.K.-based data storage company, recommends backing up all mission-critical data on tapes and encrypting them. Howard and his company point to the numbers. According to Disuk and the Privacy Rights Clearinghouse, half of the 10 largest data losses since February 2005 were related to lost or stolen backup tapes, with an average personal information loss of 790,636 people.

Because most breach notification laws treat encryption like a get-out-of-jail-free card, the technology is gaining momentum. "Encryption is on everybody's mind because laws are being written that if you are encrypted you won't have to announce [a breach]," says Dennis Hoffman, vice president of information security at Hopkinton, Mass.-based EMC. "But it wasn't the silver bullet [before the laws], and it's not the silver bullet today."

The vast challenge of managing keys is keeping some people turned off. Some organizations only encrypt the most critical of data, while others avoid the measure all together. Even Disuk, an encryption company, reveals in its "Paranoia Audit" that of 115 IT directors polled 57 percent admit encryption of backups is not part of their corporate security policy.

"Encryption becomes a real nightmare because if you lose the key, basically you lose the data," Capizzi says. "In theory, it's not practical on a widespread basis. It's going to be too much of an administrative nightmare."

Howard disagrees, saying the "nightmare" lies in trying to selectively encrypt data. Instead, organizations should operate less complicated key management solutions to increase efficiency.

Consolidation and access

Encryption may be the most heralded control to secure data at rest, but the process should always begin with centralizing data in servers and maximizing access control, Hoffman says.

"Put all your eggs in as few baskets as possible," he says. "The more distributed you are, the more likely you are to have issues. You have more things to watch over."

And as the insider threat grows the need for controlling employees with stringent policies is paramount.

"If storage security means securing the storage, it begins with access control, not encryption," Hoffman says. "How do I keep people off storage that shouldn't be there? Well, I should challenge them for something other than a password. It all comes down to access. A lot of people are starting with encryption, but that's the last step."

But access is not only about authentication. Organizations also must limit the information available to an employee depending on their capacity within the company. "The problem is even someone who is authorized can make a mistake, and they may not have the training or skill set to know what they're doing," Mesabi's Hill says.

At LifeBridge Health, for instance, employees are limited to what they can access, Panagiotopoulos says. Receptionists can only reach the patient scheduling module, whereas physicians can access a full array of patient data.

Ken Spickler, director of engineering at Technicolor's DVD Production Services, responsible for compressing and authoring DVD titles for movie studios, says the company needs strong access controls to prevent the theft of precious Hollywood film.

Besides implementing strong login controls that require passwords to be complex and changed every 60 days, Technicolor also deploys a Senforce Technologies solution that prevents users from transmiting data from endpoints to removable storage devices — likely something a movie pirate hacking into the network would attempt.

Data protection

As organizations make efforts to secure data, they also focus on protecting their stored data from non-malicious risk vectors, such as human errors, mechanical breakdowns or disasters. And in a world that requires round-the-clock access to data, availability is key. Corrupt data, therefore, can be much more dire than information that was knocked temporarily offline for one reason or another.

Removable storage devices, such as tapes and disks, are effective for backup and archiving — but each has its downsides.

Disks typically are faster and more reliable in that they can find a file easier, critical to businesses should they need on-demand availability for data in the event of a compliance audit, Howard of Disuk says. But the average 400-gigabyte disk costs about $500. Compare that to an 800-gig tape, which costs about $100, Howard points out.

Experts have predicted the demise of tapes for years, but they continue to last because they provide inexpensive, high-capacity storage options for companies required to store data at off-site locations.

Tapes do suffer from risks such as degradation, experts say. That is why it is wise for organizations to replace them every five years or implement solutions that will detect the start of erosion.

But whether by tape or by disk or in another form, the experts concur that data must be protected. "The battlefront is moving from securing perimeters to managing and protecting information," EMC's Hoffman says. "Companies own gobs of firewalls and anti-virus, but it's not doing anything to prevent them from losing their data."


Lesser vulnerabilities

Most people are familiar with the obvious risks that could lead to data theft, such as shoddy authentication measures or stolen or lost portable media devices, such as laptops and backup tapes.

But there also are less heralded vulnerabilities within storage area networks (SANs) and network-attached storage (NAS).

SANs are sub-networks of shared storage devices — but they are vulnerable because of sequence weaknesses in fibre channel frames [technology used to connect servers], which could lead to session hijacking, says David Hill, principal of analyst firm Mesabi Group.

Meanwhile, network-attached storage, devices that can be accessed over the network rather than being directly attached to the computer, experience authentication issues, Hill says. Sometimes when passwords are delivered through the common internet file system (CIFS), they are not encrypted.

"These are the type of ‘deep' storage issues that have not received a lot of public visibility," Hill says. "Really, storage vendors need to stand up and show how they are going to address them. Security by obscurity...cannot last forever." — DK


Storage administrators

Add storage administrator to the list of job titles that have risen to prominence within the ever-evolving and increasingly complex IT security space.

The specialty role is separate from network and system administrators. Requirements include maintaining storage environments throughout an organization. And nowadays, in light of compliance requirements and improved corporate awareness about the value of data, storage administrators are becoming more safety minded too.

"What's ended up happening is storage administrators were more concerned about the reliability of the system, but now with security becoming so much more in the spotlight, you're starting to see that storage administrators need to be more security aware," says Yankee Group senior research analyst Sal Capizzi.

Storage administrators can validate their understanding of advancing storage networking technologies by becoming certified in one of four accreditations offered by the Storage Networking Industry Association (SNIA). — DK

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.