
Storage security: issues and answers.


In an age when virtually all corporate data spends 99% of its lifetime in storage, the risks of illicit and malevolent access to storage facilities can affect a company's survival--and the rights of its customers. This issue has become so critical that several legislative actions have already been taken. In 1999, for example, the Gramm-Leach-Bliley Act addressed the need for privacy in the financial industry; and in 2003, the Health Insurance Portability and Accountability Act (HIPAA) did the same for the healthcare industry. More recently, California law SB 1386 required reporting of any theft of personal data unless that data is encrypted when stored--a requirement that is now being considered at the federal level, as well. And, the European Union has also been active in this arena, issuing several data privacy directives.

Determining Risks

The message is clear: unless stored data is securely protected against Internet hackers, disgruntled employees, common thieves, and damage from simple human errors, consequences can be significant--and take a toll counted in dollars that far exceeds the cost of an effective security solution.

Threats may be geographic, political, internal or competitive in nature, and may be active, passive, malicious or accidental. However, unless a company knows what these risks actually involve, they cannot be minimized. Once known, risks must be categorized by their potential for business loss and their legal impact. Alternately, companies may decide that some risks are acceptable, and decide that the costs of addressing them outweigh potential losses. In other words, how storage is secured is a business decision and must be addressed from a cost/benefit perspective.

To determine business risk, threats (such as identity spoofing or data disclosure) and vulnerabilities (disgruntled employees, availability of a disaster recovery plan, environmental and political conditions, etc.) must be identified. Then the likelihood of a loss due to these threats and vulnerabilities actually occurring must be calculated. A fairly good idea of real business impact can be derived by multiplying these probabilities by the estimated dollar losses associated with such events. Companies can determine risk by answering these six questions:

* How secure is my data?

* Can I prevent data from being taken?

* Can I protect data from being made incorrect?

* What is the probability of those losses actually occurring?

* How much would it cost to protect data resources from theft and corruption?

* What could the losses be if risk mitigation steps are not taken?
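
The probability-times-loss calculation and the cost/benefit decision described above, carried through for a small risk register. This is an added example, not part of the original article; the threat entries, probabilities, dollar figures and the residual-probability field are constructed assumptions.

```python
from typing import NamedTuple


class Risk(NamedTuple):
    name: str
    probability: float           # likelihood of the loss event in one year
    loss_usd: float              # estimated dollar loss if it occurs
    control_cost_usd: float      # yearly cost of the mitigating control
    residual_probability: float  # assumed likelihood with the control in place

    def expected_loss(self) -> float:
        # The article's measure: probability multiplied by estimated loss.
        return self.probability * self.loss_usd

    def net_benefit(self) -> float:
        # Expected loss avoided by the control, minus what the control costs.
        avoided = (self.probability - self.residual_probability) * self.loss_usd
        return avoided - self.control_cost_usd


def assess(register):
    """Rank risks by expected loss; mark each 'mitigate' or 'accept'."""
    for r in register:
        if not 0.0 <= r.residual_probability <= r.probability <= 1.0:
            raise ValueError(f"inconsistent probabilities for {r.name!r}")
    ranked = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    return [
        (r.name, round(r.expected_loss(), 2), round(r.net_benefit(), 2),
         "mitigate" if r.net_benefit() > 0 else "accept")
        for r in ranked
    ]


# Constructed register: every name and figure below is illustrative.
REGISTER = [
    Risk("identity spoofing of a storage host", 0.10, 2_000_000, 40_000, 0.01),
    Risk("data disclosure from a backup copy", 0.05, 5_000_000, 60_000, 0.005),
    Risk("accidental volume deletion", 0.20, 50_000, 25_000, 0.05),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

The third entry comes out as "accept": its control costs more than the loss it avoids, which is the acceptable-risk case the article describes.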

New Storage Technology

When evaluating storage security, enterprises also need to consider higher-level technology trends within their networking environment. For example, while automated networked storage certainly carries a wide range of benefits, it also exposes enterprises to new threats and vulnerabilities. And, with storage facilities linked on an IP network, risk exposure can be far greater than with the defined access links of a Fibre Channel network. Risks are compounded with remote services that extend storage access across the entire fabric of the Internet. In short, IP storage opens new communications paths to storage that demand new levels of protection--a technology trend whose benefits must be carefully balanced against its risks and the costs of mitigating those risks.

True, security is addressed by IP storage standards--both iSCSI and network attached storage protocols rely on IPsec for network encryption, and iSCSI mandates the use of the Challenge Handshake Authentication Protocol (CHAP) for host identification. But these protocols are only the beginning, laying the foundation for additional levels of protection through storage compartmentalization technologies such as zoning, LUN masking or network encryption.
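
How a storage target checks a host's CHAP answer, as an added example that is not part of the original article. It follows the RFC 1994 MD5 calculation that iSCSI uses; the `Target` class, the host name and the secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# 96 bits; the iSCSI RFC requires IPsec protection for shorter CHAP secrets.
MIN_SECRET_LEN = 12


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: hash of identifier octet, secret, then challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Target:
    """Authenticator side (the storage target). Hypothetical class."""

    def __init__(self, secrets_by_host):
        for host, secret in secrets_by_host.items():
            if len(secret) < MIN_SECRET_LEN:
                raise ValueError(f"CHAP secret for {host!r} is too short")
        self._secrets = dict(secrets_by_host)
        self._pending = {}  # identifier -> outstanding challenge
        self._next_id = 0

    def issue_challenge(self):
        """Values the target sends as CHAP_I and CHAP_C in an iSCSI login."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)  # fresh and unpredictable per attempt
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, host: str, identifier: int, response: bytes) -> bool:
        """Check the host's CHAP_N / CHAP_R answer."""
        # A challenge is consumed on first use, so a captured response
        # cannot be replayed against it.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(host)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare
```

CHAP only identifies the host: the secret never crosses the wire, but the data that follows is unencrypted unless IPsec is also in place.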

Additional security can be obtained by using digital fingerprint systems that render specific content as addressable storage. Storage protected this way is only accessible to those having the right digital signature--a paradigm similar to claim checks being required to retrieve a suit from a dry cleaning store.
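
The claim-check idea as an added example, not part of the original article and not any vendor's implementation: objects are stored under a fingerprint of their content, and a read re-checks that fingerprint. The class names and the choice of SHA-256 are assumptions.

```python
import hashlib
import hmac


class IntegrityError(Exception):
    """Stored bytes no longer match the address they were filed under."""


class ContentAddressedStore:
    """Minimal in-memory content-addressed store (hypothetical)."""

    def __init__(self):
        self._blobs = {}

    def put(self, data: bytes) -> str:
        # The address is the digital fingerprint of the content itself,
        # so identical content always maps to the same address.
        address = hashlib.sha256(data).hexdigest()
        self._blobs[address] = data
        return address  # the "claim check" handed back to the writer

    def get(self, address: str) -> bytes:
        data = self._blobs.get(address)
        if data is None:
            raise KeyError("no object for that claim check")
        # Recompute the fingerprint on every read: any change made to the
        # stored bytes after the write is detected here.
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, address):
            raise IntegrityError(f"object {address[:12]} was altered in storage")
        return data


def demo():
    """Store a constructed record, read it back, then simulate tampering."""
    store = ContentAddressedStore()
    record = b"constructed sample record: patient 0001, visit 2003-10-01"
    claim = store.put(record)
    assert store.get(claim) == record
    store._blobs[claim] = record + b" (modified)"  # simulated tampering
    try:
        store.get(claim)
    except IntegrityError:
        return claim, True
    return claim, False
```

Because the address is derived only from the content, anyone who already holds the same bytes can compute it; access control around the store still has to be enforced separately.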

Not to be overlooked in securing storage management access is role-based access authorization. By linking access privileges to job function, administrative controls can be increased dramatically, providing, for example, night backup operators with access to different capabilities than day operators.

An Enterprise Solution, Not a Single Application

Corporate security is highly individualized and dependent on specific corporate locations, operations and workflows. If employees are not given access to the Internet, then outside hackers may have little opportunity to penetrate corporate storage facilities.

As threats, vulnerabilities and the probabilities of real business losses increase, so too must defensive actions. Whatever storage security measures are taken must be taken in the context of the enterprise's operational requirements, its existing infrastructure, and its business practices.

Unfortunately, there are no magical cures when it comes to storage security--no single application can address the full range of risks, threats, and vulnerabilities for any single enterprise. Similarly, no single storage solution can be applied across all enterprises and management structures. Instead, each company must carefully consider its environment and establish a comprehensive storage security vision that reflects the following realities of a networked storage environment:

* Host and network access must be protected from both physical and virtual threats.

* IP storage simplifies access and therefore increases risk exposure to illicit host and network access; standard protocols and open interfaces that make storage management infrastructures desirable also make them vulnerable; remote services for managing storage networks amplify vulnerabilities; data replication services that ensure data availability must protect data during the replication process.

* Controlling access can often best be accomplished with independent security management teams who manage and configure storage security for hosts and applications. Equipped with the right management solutions, these teams can empower the enterprise into centrally defining, managing, and monitoring storage security policies, practices, and solutions, and enforcing them consistently throughout the organization.

* When implementing security for a storage management solution, it is also important to ensure that the applications that comprise that solution can be seamlessly integrated with existing and future identity management technologies such as user directories and user authentication systems. This integration will simplify administrative and maintenance tasks and can enable user authentication to become application independent.

The importance of simplifying management of storage security cannot be overstated because security will never be enabled if it is not easy to manage. Recognizing this fact, some storage vendors build security as part of their storage solution and offer a consistent management interface across the entire range of networked storage elements. Just like performance, security must be one attribute of the storage solution--it must not be treated independently.

Whatever storage security products are ultimately selected, they should, collectively:

* Physically protect the environment

* Compartmentalize hosts, volumes and arrays

* Control administrative actions

* Restrict network access

* Optimize security on hosts and on administration servers

With data being the repository of so much corporate knowledge, adequately protecting these resources against threats, vulnerabilities and risks is vital. Beyond ensuring bottom-line success, storage security has become a legal requirement in today's world. Only by recognizing that storage security requires an enterprise-wide solution--and not a single application--can organizations meet these challenges.

Seven Steps to Successful Storage Security

1. Evaluate business impacts associated with any loss of stored information.

2. Identify regulatory or privacy requirements that apply to your business.

3. Determine threats and vulnerabilities to storage access points, including hosts, storage management applications, and IP networks.

4. Compute your actual storage security risk by evaluating the likelihood of a vulnerability being exploited by an attacker.

5. Based on the risk evaluation process, secure host access to storage with storage compartmentalization technology and storage management access.

6. Secure storage management access with role-based access authorization technologies.

7. Repeat these steps regularly as the storage system evolves.

www.emc.com

Peter C. Conway is vice president of Open Software Product Management at EMC Corp. (Hopkinton, MA)
COPYRIGHT 2003 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Storage Management
Author:Conway, Peter C.
Publication:Computer Technology Review
Date:Oct 1, 2003
Words:1272