Information protection

Building scenarios of a security breach, IT executives often picture hackers as 'script kiddies' or con artists trying to crack through the defences they have put in place. But the reality is that around 70% of all security breaches come from within the organisation - either from an employee or from a business partner - where firewalls and perimeter security are almost irrelevant.
This worrying fact is now causing many IT decision-makers to reconsider their security strategies to see how they can keep their data secure from unauthorised insiders as well as outsiders. The conclusion that many are coming to is that the storage itself needs to be secure, not just enveloped in layers of security, and vendors from both the storage and security markets are starting to wake up to this need. This new evaluation of storage and security is also illuminating areas where storage and security solutions can work together.
Many CIOs would be surprised by the thought that their data is unsecured, even to insiders. After all, there are passwords to prevent systems from being accessed by anyone without authorisation. Of course, there is always the possibility of passwords or systems being hacked, but proper password and patch management policies can reduce that risk to a minimum.
Physical access to data can completely override any existing security measures. While IDs and passwords on a file server can stop people accessing data over a network, slip a hard drive out of its rack, connect it to another machine and anyone can read it. Aware of this problem, many organisations wipe the hard drives of corporate PCs, laptops and servers before disposing of them. Yet the truly motivated (and well-equipped) data thief can read the data off hard drives that have been reformatted or even demagnetised: nothing short of melting the drive down will get rid of 100% of the data.
But there are even more direct ways into stored data. Ed Jones, sales director of online backup company Thinking Safe, describes how he sees many instances where companies have tried to retrieve data from tapes handled by a service provider, only to find they have been supplied with another company's data. With most backup data stored on tape without any kind of access controls, getting access to an organisation's data through its tapes is a distinct possibility.
The rise in networked storage has also increased the number of potential security risks. Storage area networks (SANs) are being used in approximately 57% of European companies today, and yet their security is still inferior to that of most traditional direct-attached storage solutions. Tony Reid, director for solutions marketing EMEA for storage vendor Hitachi Data Systems, says the concepts of trusted access and authentication are only now starting to be implemented and introduced by fibre channel vendors. "There have been a number of technical issues to overcome simply to make SANs work. There have been interoperability issues, getting switches from vendor X to work with vendor Y's. So these have been the natural focus - just getting the networks to work."
One common security flaw introduced by many organisations is to have their SAN run on a fibre channel island away from the regular network, says Simon Gay, consultancy practice leader at infrastructure service provider Computacenter. They then rely on that inaccessibility for security - but connect their switches up to the Ethernet so they can manage the systems.
Paradoxically, HDS's Reid adds that iSCSI, which uses regular Ethernet to create SANs, may actually be more secure. "People were more concerned about putting traffic over an IP network, so a raft of solutions to secure iSCSI were developed."
The other main problem the SAN has introduced is making storage a shared resource. Yet, without a unified security framework, potentially dozens of different hosts, each with their own security policies, users and passwords, could be accessing the shared storage and granting access to data that other hosts would not.
For all these reasons, various organisations (and now storage vendors) have begun to look at encrypting data when it is at rest, whether that is on disk or tape.
"I've often asked why more organisations don't use encryption," says storage practice manager Darren Thorne of consultancy Logicalis. "It seems so obvious. No one seems to know why it hasn't been considered more seriously in the commercial space before now. The NHS is very aware of the sensitivity of its data. Central government and the MoD already regularly encrypt data."
Specialist vendors in this area, such as Decru and NeoScale, have been carving niches for themselves with hardware appliances that encrypt and decrypt data to and from disk and tape at "wire speed" - that is, without introducing the latency and speed constraints that have traditionally accompanied encryption.
"The perimeter is porous now," argues Joanna Shields, VP EMEA at Decru. "Large businesses need to collaborate with their suppliers, their consultants, contractors and business partners. If you want to do that, putting up a firewall just isn't going to do the job since you need to give these people access to your information."
The appliances sit between the storage system and the servers so that the data is encrypted as it is generated and stored. When host users try to access it, provided they have the appropriate permissions, the data will be decrypted transparently.
Since the data is encrypted it is possible to pass the storage unit, or indeed the data itself, to third parties without concern that it will be misappropriated, something that companies that outsource their data storage are starting to appreciate, Shields says.
By encrypting data, says Shields, an organisation is able to separate two job functions that are normally combined: the ability to manage data and the ability to read data. Once data is encrypted, any appropriate systems administrator can handle it, without there being concerns of whether he or she should be allowed to have access to it.
Encryption is also being posited as a necessary response to certain laws and compliance regulations. Bob Zimmerman, an analyst with Forrester Research
Decru is not the only company that has woken up to encryption. IBM has added encryption facilities to its DS6000 product and EMC plans to build encryption and data compression into its Centera system - it already secures information using computer-generated software key codes.
StorageTek has also been looking at making storage more secure. An ATA blade server with built-in hardware encryption is in the works for this year, with support for fibre channel and serial SCSI blades due early 2006. Before then it is also promising a 'content engine'. Like the hardware appliances of Decru and NeoScale, the content engine sits between the host and the storage, encrypting and decrypting, while presenting itself as a simple CIFS/NFS disk image. Designed primarily to work with nearline storage rather than higher-performance systems, the system can not only encrypt data, but move SAN management away from the host and down to the storage system itself.
Laurence James, ILM solutions business manager at StorageTek, says the content engine should solve the problem posed by centralised storage. "If you've thousands of different hosts, access control is unmanageable. So you have to move security down into the box." Rather than using the standard 'users' and 'groups' approach to granting access rights, the content engine will be more business focused, managing pieces of content according to
The content engine will also tackle another aspect of storage security: showing that data has not been changed or viewed by anyone other than authorised users. Like EMC's Centera, the content engine will use content addressing, generating filenames and digital signatures based on content metadata, such as modification data.
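The content-addressing idea in the paragraph above, worked through as an added example (illustrative code written for this article, not StorageTek's content engine or EMC's Centera): each object's name is the SHA-256 of its bytes, and an Ed25519 signature binds that name to the object's metadata, so a changed byte or an altered modification date is detected on read. The struct fields, the choice of modification time as the signed metadata, and the sample record are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredObject is a constructed model of a content-addressed record: the name
// is derived from the content hash, and a signature binds that name to the
// metadata so that neither the bytes nor the metadata can be altered silently.
type StoredObject struct {
	Address   string // hex SHA-256 of the content: the object's "filename"
	Modified  string // metadata covered by the signature (assumed field)
	Content   []byte
	Signature []byte
}

// contentAddress derives the object's name from its bytes alone.
func contentAddress(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// signedDigest is the message the signature covers: address plus metadata,
// with a separator so the boundary between the two is unambiguous.
func signedDigest(address, modified string) []byte {
	h := sha256.New()
	h.Write([]byte(address))
	h.Write([]byte{0})
	h.Write([]byte(modified))
	return h.Sum(nil)
}

// Store creates a content-addressed, signed object under the writer's key.
func Store(priv ed25519.PrivateKey, content []byte, modified string) StoredObject {
	addr := contentAddress(content)
	return StoredObject{
		Address:   addr,
		Modified:  modified,
		Content:   content,
		Signature: ed25519.Sign(priv, signedDigest(addr, modified)),
	}
}

// Verify reports whether the object is exactly as the signer stored it: the
// content still hashes to its address, and the signature over address plus
// metadata is valid under the expected public key.
func Verify(pub ed25519.PublicKey, obj StoredObject) bool {
	if contentAddress(obj.Content) != obj.Address {
		return false // content changed: the name no longer matches the bytes
	}
	return ed25519.Verify(pub, signedDigest(obj.Address, obj.Modified), obj.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// constructed sample record
	obj := Store(priv, []byte("patient record 42: constructed sample"), "2005-09-01T10:00:00Z")
	fmt.Println("address:", obj.Address[:16]+"...", "intact:", Verify(pub, obj))

	tampered := obj
	tampered.Content = []byte("patient record 42: constructed sample, edited")
	fmt.Println("content edited, intact:", Verify(pub, tampered))

	backdated := obj
	backdated.Modified = "2004-01-01T00:00:00Z"
	fmt.Println("metadata edited, intact:", Verify(pub, backdated))
}
```

The signature is evidence that neither content nor metadata has changed since the signer wrote it; it says nothing about whether the data has been viewed, which is an access-logging question a signature cannot answer.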
Logicalis security consultant Emlyn Everitt also highlights the management issues associated with integrated storage and security solutions. "What you really need, for instance, is not just a mechanism of encryption but an entire encryption management framework."
Windows has the ability to encrypt its hard drive data, yet few organisations use it, Everitt says, because of the problems of key management. "You have different keys from different systems stored all over the place. Someone encrypts the information using something based on his own password and user name, but if he's sick or leaves the company, what happens then?" Only by ensuring that both security and storage teams work together to develop common policies and frameworks for handling enhanced storage solutions will the benefits be realised.
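Two points from this article come together in one added example: the in-line appliance model described earlier (data encrypted as it is stored, decrypted transparently for authorised readers, so that administrators can manage data they cannot read) and Everitt's key-management problem above (a key derived from one user's password is lost when that user leaves). The code is illustrative, written for this article rather than taken from Decru, NeoScale or Windows: each object gets its own AES-256-GCM data encryption key (DEK), the DEK is wrapped separately for every authorised holder including a recovery agent, and a leaver's slot can be removed without re-encrypting anything. The holder names, the secrets and the deriveKEK stand-in for a real password KDF are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope is what reaches disk or tape: the object ciphertext plus the
// per-object data encryption key (DEK) wrapped once per authorised holder.
// Whoever copies, moves or backs up the envelope needs no key at all.
type Envelope struct {
	Ciphertext []byte            // AES-256-GCM blob: 12-byte nonce || ciphertext || tag
	WrappedDEK map[string][]byte // holder name -> DEK sealed under that holder's KEK
}

// deriveKEK turns a holder's secret into a 32-byte key-encryption key (KEK).
// Constructed stand-in for a real password KDF (PBKDF2, scrypt, Argon2).
func deriveKEK(secret string) []byte {
	sum := sha256.Sum256([]byte("kek-v1:" + secret))
	return sum[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates; the random nonce is prefixed to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or any byte was altered.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Protect is the write path: a fresh DEK per object, wrapped for every holder
// (the users who may read it, plus a recovery agent for when a user leaves).
func Protect(plaintext []byte, holders map[string][]byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	env := Envelope{Ciphertext: ct, WrappedDEK: map[string][]byte{}}
	for name, kek := range holders {
		wrapped, err := seal(kek, dek)
		if err != nil {
			return Envelope{}, err
		}
		env.WrappedDEK[name] = wrapped
	}
	return env, nil
}

// Read is the read path: unwrap the DEK with the caller's own KEK, then decrypt.
// A caller without a slot, or with the wrong KEK, gets nothing.
func Read(env Envelope, holder string, kek []byte) ([]byte, error) {
	wrapped, ok := env.WrappedDEK[holder]
	if !ok {
		return nil, errors.New("no key slot for " + holder)
	}
	dek, err := open(kek, wrapped)
	if err != nil {
		return nil, errors.New("KEK does not unwrap the slot for " + holder)
	}
	return open(dek, env.Ciphertext)
}

// Revoke removes a leaver's slot without touching the ciphertext: the DEK
// survives in the remaining slots, so nothing has to be re-encrypted.
func Revoke(env *Envelope, holder string) {
	delete(env.WrappedDEK, holder)
}
```

A storage administrator who only ever handles Envelope values can copy them to tape, hand them to an outsourcer or restore them elsewhere without being able to read a byte; the GCM tag also means a restored copy that has been altered fails to open rather than yielding garbage. The recovery slot is what answers Everitt's question: when the user leaves, the recovery agent still unwraps the DEK, and Revoke closes the leaver's slot.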
The secure storage architecture of the future might look very different. Gerhard Eschelbeck, CTO of security firm Qualys, argues that a data-centric architecture will ultimately be the best way to secure data.
"Probably the biggest problem is that trust comes from the operating system used to access the data," he says. "We have to move to a model where each and every data stream is capable of protecting itself."
The approach will have data stored as objects that are capable of encryption and authentication by themselves, independently of any operating system.
The data will also be able to protect itself from being moved from one medium to another.
Eschelbeck predicts the first implementations will be available commercially in roughly two years.