Storage and security: why storage solutions and data security must go hand-in-hand.


For years, the data storage industry has continued to improve the availability, reliability and security of its storage subsystems. These key attributes have continually been addressed by improving the reliability of the disk drives, introducing RAID capability, and providing a variety of data replication techniques such as mirroring, snapshot copy and journaling. These solutions delivered significant improvements for protecting data from a variety of storage hardware and subsystem failures.


With devices becoming increasingly reliable in protecting against device and component failures, valuable data is now being exposed to even higher risks as a result of destructive worms, viruses and spam as the wave of hackers and terrorists worldwide gains momentum. Recovery from an intrusion is difficult and the impact of an intrusion is destructive, as permanent data loss frequently results unless special procedures are implemented. The looming threat to delivering high data availability is now the "intrusion factor", and storage security has become the newest storage management discipline. These threats can be either internal or external in origin. In reality, there is no silver bullet in place to implement a bulletproof and secure IT infrastructure; however, minimizing security risks has become the top priority for many IT organizations and accomplishing this task is possible, though costly.

New Types of Threats

Human error, hardware failure, software, and natural disasters have been the major causes of data loss. In 2003, four out of five businesses were hit by a virus or worm that threatened data integrity, according to a survey of 404 security decision makers by The Yankee Group. Denial of service attacks were cited by two out of five businesses as the second most common threat. Even the most well prepared and security-aware business can be exposed. For example, if an employee's mobile notebook computer is infected with some type of spyware and the user later logs on to the corporate network, the corporate infrastructure becomes vulnerable and can be attacked. A business has no control of what type of software someone installs at home. Hackers are more common than one might imagine, as they now have quarterly meetings and publish "The Hacker Quarterly" magazine.

Storage Security Arrives

As a result of events in the past several years, storage and security now go hand-in-hand. Storage security has become a relatively new and critical discipline for the IT industry, integrating important security aspects from both the storage and network industries. The key objective of a solid storage security strategy is to maintain the availability and integrity of data. Some businesses are beginning to implement the new position of Corporate Security Officer. It is important for a business to understand and assess the status of security for the current IT environment. From the initial baseline assessment, a storage security strategy can be developed to address existing risks and to meet the goals of each business or for each department within a business.

To provide security protection ahead of the networked storage infrastructure, firewalls, virtual private networks, authentication-based access control, filtering and active monitoring of attackers can provide significant help in securing all gateways and connections. Securing network access at the gateway is not enough. Passwords were once an acceptable way to provide access controls but are no longer effective. Biometric technologies using human and genetic characteristics are expected to provide significant security benefits, but the costs of retinal scan, fingerprint and other identifier technologies presently remain out of reach for most businesses.

For primary and secondary storage, legal data encryption, LUN masking, zone settings, remote vaults, mirroring, snapshot and replication technologies all will improve data-protection capability. Each of these measures also has its own set of challenges to consider, making intrusion-identity management very complex. In the future, platform-independent data security appliances may evolve to provide fast and transparent access to encryption, compression, authentication and biometric services. The metadata that is created from security services and appliances will, in itself, become mission-critical data and require mirroring, encryption or advanced replication capability.

Storage security is becoming essential for the survival of most businesses and the following related statistics might be surprising:

* It is estimated that 70% of all companies go out of business after a major data loss

* About 20% of all businesses experience a major disaster every five years

* Approximately 35% of disaster recovery plans work when tested

* The security market is expected to grow from $17 billion in 2001 to nearly $45 billion in 2006

The high-availability data replication technologies such as mirroring, point-in-time copy, snapshot copy, journaling and their derivatives are readily available from most storage vendors. Encryption, for example, has traditionally been focused on data in transmission. Is data in transmission more vulnerable than stored data? Evidence suggests that stored data may now be more vulnerable as a result of the "intrusion factor". Encryption is moving from a network discipline into storage. Mission-critical data, estimated to be no more than 15% of stored digital data, may now warrant encryption. If data is encrypted and stored, data can't be read if the encryption key or access passwords are lost. It is important for businesses to classify their data and establish the appropriate storage security disciplines to meet the availability and security requirements for businesses.

Data Classification Guidelines

Though determining the monetary value of data is difficult and varies significantly based upon the business, knowing the relative value of data for a given business is a common practice. Four distinct levels of classifying data exist. These levels indicate which backup and recovery technology may be suited and most cost-effective for each level. Typical percentages of data in each category are listed.

Data Classification Level                  Description

Critical/Mission Critical   May be as much as 15% of online data, needed
                            for minimal work levels in the event of a
                            disaster and requires immediate recovery.
                            Normally replicated and backed up to tape.
                            May require encryption.

Vital                       About 20% of online data. Data used in
                            normal business processes but may not be
                            needed for a disaster recovery. Normally
                            uses point-in-time copies and is backed up
                            to tape.

Sensitive                   About 25% of online data. Data used in
                            normal business processes that has an
                            alternative source or can be reconstructed.
                            Normally backed to tape.

Non-critical                Approximately 40% of online data. Data that
                            is not readily needed for disaster recovery.
                            Easily reconstructed from local and/or
                            remote backup copies.

Critical or mission-critical data is used in the key business processes and can account for up to 15% of stored online data. Losing access to this data means loss of revenues, and the survival of the business is at risk. This data is best suited for disk mirroring or replication as instantaneous recovery is mandatory and is also backed up on tape to provide a copy of data prior to disruption. The replicated disk copy and tape copies are often located at geographically distant locations from the primary copy. Critical data is normally classified as company secret.

Vital data is used in normal business processes but doesn't mandate instantaneous recovery in order for the business to recover from a disaster or to remain in operation. Vital data is sometimes replicated and normally backed up using automated tape libraries and is often classified as company secret.

Sensitive data is used in normal business operations and has alternative sources for accessing or easily reconstructing the data in case of data loss. Sensitive data is not needed to provide minimal work levels in case of a disaster, as immediate recovery is not required.

Non-critical data represents the largest category of data and has relatively low security requirements. Duplicate and aged copies often exist, adding to the amount of data stored and retained. Immediate recovery is not required. Lost, corrupted or damaged data can be reconstructed with minimal effort and cost. E-mail archives often fit this profile.
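
The four levels above can be applied to a storage inventory as a simple audit. The following is an added example, not part of the original article: it assigns each data set a level from the article's descriptions, reports the share of capacity per level, and lists protections the table calls normal that are missing. The record fields, protection names and sample inventory are constructed, and treating data not used in normal business processes as non-critical is an assumption.

```python
from dataclasses import dataclass, field

# Protections each level "normally" carries in the article's classification table.
REQUIRED = {
    "critical": {"replication", "tape_backup"},
    "vital": {"point_in_time_copy", "tape_backup"},
    "sensitive": {"tape_backup"},
    "non-critical": set(),
}

@dataclass
class DataSet:  # hypothetical inventory record
    name: str
    size_gb: int
    needed_for_minimal_work: bool   # needed for minimal work levels after a disaster
    used_in_business: bool          # used in normal business processes
    reconstructible: bool           # alternative source exists or can be rebuilt
    protections: set = field(default_factory=set)

def classify(ds):
    """Apply the four level descriptions in order of criticality."""
    if ds.needed_for_minimal_work:
        return "critical"
    if ds.used_in_business and not ds.reconstructible:
        return "vital"
    if ds.used_in_business:
        return "sensitive"
    return "non-critical"  # assumption: everything else falls here

def audit(inventory):
    """Return per-level share of capacity (percent) and a list of protection gaps."""
    total = sum(ds.size_gb for ds in inventory)
    share = {level: 0.0 for level in REQUIRED}
    gaps = []
    for ds in inventory:
        level = classify(ds)
        share[level] += 100.0 * ds.size_gb / total
        for missing in sorted(REQUIRED[level] - ds.protections):
            gaps.append((ds.name, level, missing))
        # The table says critical data "may require encryption": report as advisory.
        if level == "critical" and "encryption" not in ds.protections:
            gaps.append((ds.name, level, "encryption (advisory)"))
    return share, gaps

# Constructed sample inventory, not data from the article.
INVENTORY = [
    DataSet("order-db", 150, True, True, False, {"replication", "tape_backup"}),
    DataSet("hr-records", 200, False, True, False, {"tape_backup"}),
    DataSet("reporting-mart", 250, False, True, True, {"tape_backup"}),
    DataSet("mail-archive", 400, False, False, True),
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

A critical share well above the article's 15% figure suggests over-classification, which raises replication and encryption cost without improving recovery.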

Conclusion

Storage security is quickly becoming an important aspect of storage management and is no longer confined to networks. As data becomes more valuable and the intrusion factor mounts, the need to assess and implement a storage security strategy has arrived. Therefore, it is imperative that businesses begin to take steps to avoid disasters by establishing storage security plans that address the criticality of data to the survival of the business. Remember, hope is not a strategy.

TYPE OF THREAT

Category                      Percent of survey

Worms or Viruses                    80%
Denial-of-service attacks           40%
Unauthorized data access            34%
Incorrect configuration             32%
Website penetration                 29%
Theft of customer data              13%
Disclosure of customer              8%

ESTIMATED ECONOMIC DAMAGE

Attack        Damage

Klez          $9.89B
Love Bug      $9.63B
Code Red      $2.88B
Yaha          $2.51B
SirCam        $1.57B
Melissa       $1.22B
Slammer       $1.16B

Sources: 2003 survey by the Yankee Group of 404 security decision makers. M12G's Intelligence Unit.
COPYRIGHT 2004 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Disaster Recovery & Backup/Restore
Author:Moore, Fred
Publication:Computer Technology Review
Geographic Code:1USA
Date:Mar 1, 2004
Words:1568