Struggling under the weight of legislative requirements, increased access demands and costly or embarrassing breaches, many senior managers are seeking ways to better secure their enterprises' stored data.
Compared to a year ago, they seem to be asking more tough questions about their storage security needs, say experts, and are attempting to address vulnerabilities, either through established security practices or solutions. The question of budget is less important, since legislation is forcing specific executives to ensure their companies comply with sundry privacy and security rules or else face fines and, in some cases, jail time.
"Even in the past six months, there's been a move from talk to internalizing," says Barbara Hoey Nelson, president and CEO of storage security company Neoscale. She says companies are now planning and budgeting for ways to implement more stringent protections for their stored data.
Despite more conscious efforts to improve safeguards for secure area networks (SANs) and other storage infrastructures, however, corporate leaders are still having some difficulty working through the various compliance requirements, and understanding what sorts of security solutions and practices they should put in place.
"A lot of companies are starting to put a lot more information [on the SAN] – kind of putting all their eggs in one basket. Then the question comes up: 'Is this a trusted infrastructure?'," says Brandon Hoff, a board member with the Storage Security Industry Forum (SSIF), which is a sub-group of the Storage Networking Industry Association (SNIA), and security business manager with McData. "Security has to touch everything you do."
Basic steps and threats
To establish trust, organizations are looking at the basics. Hoff says these entail authorization, authentication and audit, plus encryption and centralized management of various security mechanisms deployed to secure the SAN.
This should go a long way in fighting any of the threats that often plague stored data, adds Carl Herberger, senior director of information security professional services at SunGard. These threats, he says, run the gamut, but often come down to common thievery.
Hackers might try to steal creditcard details or other private customer data, as well as valid company credentials such as user IDs and passwords, to sell. They may also go after enterprise information that might reveal bad corporate citizenship and prove embarrassing to the company if made public.
Then there are the intentional internal breaches caused by disgruntled employees, and the accidental, but potentially detrimental, problems that arise as a result of insider mistakes. Such errors might lead to the loss of a tape housing confidential information, or a botched upgrade to the company system, exposing stored data in clear text, says Neoscale's Nelson.
And, she adds, identity theft has become a huge problem. Primarily affecting financial organizations, this form of attack has become so common that, to put it into context, the number of people who have had their identities stolen is now equal to the number of people who have gone on cruises. "And how many people do you know who have gone on a cruise?" she asks.
Security breaches affect 90 percent of corporations, and cause some $17 billion in damage every year, according to the Harvard Business Review. Such figures are only intensified by the fact that back-end systems are now becoming more web-enabled, with demand for access to these systems rising from both employees and partners.
Because storage environments have become more networked, they have become more vulnerable. But, adds SunGard's Herberger, "the more web-enabled back-end databases are, the more you've thought about robust [security]."
In addition to increased connectivity, and rising incidents of identity theft and other attacks, demands from legislators are starting to prompt executive interest in storage security. An Ernst & Young Global Information Security Survey finds that, while 90 percent of organizations see security as a high priority, only 34 percent say they are compliant with various legislative mandates.
Legislators are focused on making companies get security right for all their systems, says SSIF's Hoff. If something goes wrong, they want to know what the company is going to do about it, and who is going to take responsibility for that breach of private information, he adds. This legislative intervention is being coined "government assigned liability."
From the Health Insurance Portability and Accountability Act to Gramm Leach Bliley, from Sarbanes Oxley to Senate Bill 1386 in California, plus still more legislation, federal and state governments are holding organizations and their leaders responsible for keeping private customer information and other proprietary data safe – at the risk of the fines and jail time mentioned earlier.
Companies are asking what such rules and regulations mean, says Hoff, and what they must do about them in regard to stored data.
"One thing we've seen a lot in the industry, especially with the new compliance rules and regulations, is that a lot of the executives are asking 'is this secure?'. And that has [many] connotations to it, as in: 'What does that mean?', 'What should be done?', 'What technologies should we [deploy]?', as well as 'What can we leverage from groups like SNIA?'," says Hoff.
Such government mandates demand the need to maintain the integrity of stored data, and reclaim it quickly when necessary. L.D. Weller, senior product manager at Symantec, says that, as a result, a key trend in the storage security market is retrievability.
"I would say an alarming number of organizations think of themselves as protecting their data, but when they actually need to retrieve it, it's 50:50 whether they're going to get it," warns Weller. "So what's happening is that all these legislation issues, which are forcing personal accountability and dictating archival standards, are going to force each company to re-evaluate their solutions in terms of retrieval, rather than storage."
Therefore, when it comes to finding the right solutions, he believes companies should look for "a virtual certainty that everything they back up will be retrievable. And as far as the security aspect of that, you have to really look for vendors who are focusing on encryption ... across the entire process, not just one specific area. You just don't password-protect a file. Make sure the password is encrypted, make sure the entire file is encrypted, make sure the entire data stream is encrypted."
Securing it all
But, says Neoscale's Nelson, encryption is only part of the security solution for stored data. Protecting data storage involves user authentication and access, high availability of data – especially mission-critical information – integrity of data, and encryption key management, as well as encryption itself.
Latency when moving data should also be reviewed: "From a performance perspective, you have to be absolutely seamless with the storage applications," she says. Additionally, you should be able to quickly retrieve back-up files and archived materials.
"You have to look at your security infrastructure from beginning to end," adds Nelson. "It's really taking the layered approach that has served security professionals well for years now ... taking that [approach] fully to the end where the information is stored."
There are various companies that can help organizations meet their security demands for storage, says Roger Cummings, technical council member for the SNIA and senior staff software engineer for Veritas. Companies such as Neoscale, Decru, McDATA, Ingrian, his own company, among others, offer solutions to help protect stored data.
But products are only part of the solution, he adds. People and processes are as much a component of securing data as is the deployment of protective tools.
To account for all these elements, a gap analysis must be undertaken to list all the vulnerabilities in the system, and then must be noted all the controls necessary to plug these – including possible technical solutions, remediation controls, and plans that involve people and the processing of information.
Luckily, most organizations understand this, says Herberger, and are taking action to achieve it – whether they are simply moving from passive to active listening, or whether they are actually making and implementing security plans for stored data.
"They're beginning to understand: 'Wow, I can delegate authority for security, but I can no longer delegate the responsibility'."