10 things to know when selecting a storage security solution

With data threats and security breaches at an all-time high, protecting data both at rest and in flight is a major concern for organisations around the world. Today, terabytes of business-critical data sit in storage networks around the world. For the most part this data is stored in cleartext and remains unprotected from unauthorised or inappropriate access by insiders, such as company employees or contractors, and by outsiders, including hackers. As a result, protecting data from misuse is a critical requirement for all organisations.

Securing data is also a key concern as organisations seek to grow their businesses and increase efficiency. By locking down sensitive data, organisations can consolidate storage, protect business-critical information such as source code, and even outsource securely if needed. However, not all security solutions are created equal. Before selecting a storage security solution, organisations should evaluate their options against the following criteria.

1.0 Iron-clad security

An organisation's security is only as strong as its weakest link.

* Hardware-based encryption and key management is critical. Encryption hardware must be physically tamper-resistant. In addition, key management is often the weakest component of an encryption system. Encryption keys, tickets and credentials must never be exposed in cleartext in a general-purpose operating system; otherwise the system is only as strong as the OS itself. Keys must be wrapped (encrypted under a key that never leaves the hardware) whenever they are exported outside the secure hardware. Key management systems must automate key backups so that a hardware failure is recoverable without loss of data.

* Storage security solutions must employ industry-standard, strong encryption algorithms such as AES, SHA (Secure Hash Algorithm) and ECC (Elliptic Curve Cryptography). Because stored data must be kept confidential for decades, sufficiently long keys should be used, such as AES-256. Further, the encryption must be exportable to all major industrialised nations.

* Storage security solutions must provide tamper-evident logs of sensitive administrative and user actions, including file accesses. Administrators must not be able to erase or modify logs without detection; in practice that means each log entry is cryptographically bound to the entries before it, with the key and the current head of the log held outside the administrator's reach.

2.0 Fast and invisible

Deployment of a security solution must be transparent to the existing infrastructure, applications and workflow. It must not require custom integration with applications, servers or desktops, and must be deployable without taking key applications offline. Further, storage security platforms must provide multi-gigabit throughput and sub-millisecond latency to support mission-critical applications.

3.0 Works everywhere

Organisations manage enormous amounts of sensitive data across heterogeneous environments. A storage security platform must provide a single, integrated platform for securing data regardless of where it resides: NAS, DAS, SAN or tape.

4.0 Low maintenance

Storage security solutions must be easily and securely managed via Web and command-line (CLI) interfaces. Clusters of devices should be manageable as a group, and common tasks should be scriptable. Compatibility with SNMP monitoring is required. Administrator access should be secured by two-factor authentication (e.g. password plus smart card or other token).

5.0 Agent software is optional

The cost and complexity of deploying agent software across thousands of desktops and servers is substantial. Moreover, the wide variety of operating systems and versions, together with ongoing updates and patches, makes an agent-only approach unreliable for a stand-alone enterprise-wide deployment. The solution should be deployed as an appliance whose hardware performs all primary functions transparently, with optional features delivered as software agents.

6.0 Compartmentalise

Increasingly, cost and manageability concerns are driving the consolidation of applications onto shared storage systems. Storage security solutions must provide the ability to cryptographically compartmentalise data on shared devices or networks (separate keys for each 'vault'), and to customise access controls and security requirements for each vault. This is particularly important in protecting data from the risk of insider theft: a single compromised key or administrator should not expose every application's data.

7.0 Granular access controls

The storage security platform must combine back-end encryption with authentication and granular access controls for users and applications. Per-user and per-file ACL (access control list) support is required for NAS environments. The platform should integrate with existing authentication and directory services, including Active Directory, LDAP and NIS.

8.0 Plays well with others

The storage security platform must interoperate seamlessly with all major operating systems, network vendors and storage vendors. Interoperability testing and certification with major vendors such as IBM, HP, EMC, NetApp, Hitachi, McDATA, Brocade, Veritas, Legato and Cisco is highly desirable.

9.0 Tried, tested and true

Encryption algorithms and implementations must have been validated and certified by third-party evaluation labs. Official certifications such as FIPS 140-2 Level 3, NIST validation of the encryption algorithm implementations, and Common Criteria are highly desirable. Level 3 matters here because it is the level of FIPS 140-2 that requires physical tamper detection and response (zeroising plaintext keys when the enclosure is opened) and identity-based operator authentication, which is what backs the tamper-resistance requirement in 1.0.

10.0 When all else fails

In case the worst happens, sensitive recovery operations such as restoring keys from backup must be protected by security measures such as two-factor authentication and quorum requirements (the 'two-man rule'), so that no single administrator can recover keys alone.

Steve Willson, EMEA, Decru
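The tamper-evident log requirement in item 1.0 is easy to state and easy to get wrong, so here is an added example (not code from the article or from Decru's product) of the usual construction: a keyed hash chain in which every entry's HMAC covers its own fields and the previous entry's tag. The key, the event fields and the three sample entries are constructed for illustration; in an appliance the key would sit in the tamper-resistant hardware and the head tag would be anchored off-box so that cutting entries off the tail is caught too.

```python
"""Tamper-evident audit log as a keyed hash chain.

Added example for item 1.0, not code from the article or from Decru: every
entry carries an HMAC-SHA256 tag over its own fields and the previous entry's
tag, so editing, deleting, reordering or truncating entries is detectable by
anyone holding the verification key.  The key, the entries and the field
names below are constructed for illustration."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # tag assumed for the (non-existent) entry before the first


def _tag(key: bytes, prev_tag: str, record: Dict) -> str:
    # Canonical JSON so the same fields always produce the same tag
    payload = prev_tag + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append(log: List[Dict], key: bytes, **fields) -> Dict:
    """Append one event; its tag binds it to everything logged before it."""
    prev = log[-1]["tag"] if log else GENESIS
    record = {"seq": len(log), **fields}
    entry = dict(record, tag=_tag(key, prev, record))
    log.append(entry)
    return entry


def verify(log: List[Dict], key: bytes, expected_head: Optional[str] = None) -> Optional[str]:
    """Return None if the chain is intact, else a message naming the first problem."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return f"entry {i}: sequence gap (found seq {entry.get('seq')})"
        record = {k: v for k, v in entry.items() if k != "tag"}
        expected = _tag(key, prev, record).encode()
        if not hmac.compare_digest(expected, str(entry.get("tag", "")).encode()):
            return f"entry {i}: tag mismatch (modified or re-chained)"
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return "head mismatch: entries appended or truncated at the tail"
    return None


def demo():
    """Three ways an administrator might try to hide an action, all detected."""
    key = b"audit-log-key-held-in-tamper-resistant-hardware"  # constructed sample key
    log: List[Dict] = []
    append(log, key, actor="admin1", action="login", mfa=True)
    append(log, key, actor="alice", action="read", path="/vault/finance/q3.xlsx")
    append(log, key, actor="admin1", action="key_export", result="denied")
    head = log[-1]["tag"]  # would be anchored outside the administrator's reach
    intact = verify(log, key, head)

    edited = copy.deepcopy(log)          # 1. rewrite the embarrassing entry
    edited[2]["action"] = "health_check"
    deleted = copy.deepcopy(log)         # 2. drop an entry from the middle
    del deleted[1]
    truncated = copy.deepcopy(log[:2])   # 3. cut the tail off
    return intact, verify(edited, key, head), verify(deleted, key, head), verify(truncated, key, head)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Without the key an administrator cannot re-tag the chain after editing it, and without control of the anchored head they cannot silently drop the newest entries; the remaining gap is an administrator who also holds the key, which is exactly why the article insists the key live in hardware rather than in the appliance's operating system.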
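The quorum requirement in item 10.0 is normally implemented with threshold secret sharing, and the following added example (not the article's or Decru's code) shows a 2-of-3 split of a backup key-encryption key among three custodians using Shamir's scheme over a prime field, plus a fingerprint check so that a corrupt or withheld share fails loudly instead of silently producing the wrong key. The field prime, the custodian count and the sample key are assumptions made for the example.

```python
"""Quorum-protected key recovery with Shamir secret sharing (k-of-n threshold).

Added example for item 10.0, not code from the article or from Decru.  The key
is the constant term of a random degree k-1 polynomial over GF(P); each
custodian holds one point on it, and any k points recover the constant by
Lagrange interpolation at x = 0.  Fewer than k points reveal nothing about it.
The prime, share count and sample key below are assumptions."""
import hashlib
import secrets
from typing import List, Tuple

P = 2**521 - 1  # Mersenne prime, comfortably larger than any 256-bit key

Share = Tuple[int, int]  # (x, f(x))


def _poly(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):  # Horner evaluation modulo P
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, n: int, k: int) -> Tuple[List[Share], str]:
    """Split `key` into n shares, any k of which reconstruct it.

    Also returns a SHA-256 fingerprint of the key so a recovery attempt can be
    checked without revealing the key itself."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = [(x, _poly(coeffs, x)) for x in range(1, n + 1)]
    return shares, hashlib.sha256(key).hexdigest()


def _interpolate_at_zero(shares: List[Share]) -> int:
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share submitted")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return secret


def recover_key(shares: List[Share], key_len: int, fingerprint: str) -> bytes:
    """Reconstruct the key from a quorum of shares; refuse anything that does not verify."""
    value = _interpolate_at_zero(shares)
    try:
        key = value.to_bytes(key_len, "big")
    except OverflowError:  # too few shares: interpolation gives a random field element
        raise ValueError("quorum not met or a share is corrupt") from None
    if hashlib.sha256(key).hexdigest() != fingerprint:
        raise ValueError("quorum not met or a share is corrupt")
    return key


def can_recover(shares: List[Share], key_len: int, fingerprint: str) -> bool:
    try:
        recover_key(shares, key_len, fingerprint)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kek = bytes(range(32))  # constructed 256-bit sample key-encryption key
    shares, fp = split_key(kek, n=3, k=2)
    print("custodians 1+3:", can_recover([shares[0], shares[2]], 32, fp))  # True
    print("custodian 2 alone:", can_recover([shares[1]], 32, fp))          # False
```

In a product the custodians would authenticate with their second factor before submitting shares, and shares would be delivered to the appliance over an authenticated channel; the fingerprint check is what turns a withheld or tampered share into an audible failure rather than a quietly wrong key being loaded.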