Storage vulnerability: security for storage is sparking action. (Security).Regular readers of CTR See click-through rate. are aware that the pacing items that have slowed the acceptance of SAN in the enterprise have been interoperability, management, and security. Interoperability is a multi-headed creature that the industry continues to battle both on the device and fabric level. Management tools from both start-up firms and storage software veterans will eventually provide a sophisticated management capability. But security--now there's an issue Security is among the hottest of all IT concerns, but in the enterprise-storage industry security is remarkably unpopular. Very often, the well-researched network-security industry is trusted to handle all of the security needs on the network, but it is arguable that it is insufficient. Today's DAS implementations, NAS (1) See network access server. (2) (Network Attached Storage) A specialized file server that connects to the network. A NAS device contains a slimmed-down operating system and a file system and processes only I/O requests by supporting the popular , and SANs have far more security weaknesses than many storage vendors admit. And the situation will get worse as the newest storage technologies, including FCIP (Fibre Channel over IP) A protocol for tunneling Fibre Channel data across an IP network. Fibre Channel was designed for local storage area networks (SANs), but FCIP extends the distance to remote locations via any IP network. See Fibre Channel, iFCP and IP storage. and storage virtualization Treating storage as a single logical entity without regard to the hierarchy of physical media that may be involved or that may change. It enables the applications to read from and write to a single pool of storage rather then individual disks, tapes and optical devices. , become the rule rather than the exception. Why security on the storage level? According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. Mike Alvarado at Neoscale, who chairs SNIA's storage security forum: "Storage has started to distribute all over the landscape. Technology people have started to recognize that they can do more than perimeter security... they can have more levels of security. This means if you're going to put data out in insecure locations (which is most of the world), the extra levels are going to help that process. So, by making storage more secure, you can enable data to be stored in remote locations, or any location you want, including over insecure links. And if data is able to be more widely distributed Adj. 1. widely distributed - growing or occurring in many parts of the world; "a cosmopolitan herb"; "cosmopolitan in distribution" cosmopolitan bionomics, environmental science, ecology - the branch of biology concerned with the relations between organisms , then access availability, all of the attributes people want to associate with their data, will be better. So, security is fundamentally, I think, tied into questions that people have asked around: "How do I improve availability, how do I improve scalability of my data?" Because currently operating SANs run on a Fibre Channel infrastructure separate from a host network's main IP connectivity, physical access is required to make changes. A virtual break-in is nearly impossible in theory, but it is never wise to count out that one clever hacker. When Fibre Channel was originally conceived, a security plan wasn't needed: one way in, one way out is easy to guard. Then came the development of the Fibre Channel switch In a computer storage field, a Fibre Channel switch is a network switch compatible with Fibre Channel (FC) protocol. It allows the creation of a Fibre Channel fabric, that is currently the core component of most storage area networks. , and with it came the need for a security safeguard. Many established vendors do offer safeguards: EMC (1) (EMC Corporation, Hopkinton, MA, www.emc.com) The leading supplier of storage products for midrange computers and mainframes. Founded in 1979 by Richard J. Egan and Roger Marino, EMC has developed advanced storage and retrieval technologies for the world's largest companies. offers LUN masking and zoning software; Network Appliance (1) A specialized device for use on a network. For example, Web servers, cache servers and file servers can be implemented as general-purpose computers with the appropriate software or as network appliances, which are computers dedicated to a single function and cannot do anything , the market leader in NAS filers, offers SSH (Secure SHell) A security protocol for logging into a remote server. SSH provides an encrypted session for transferring files and executing server programs. Also serving as a secure client/server connection for applications such as database access and e-mail, SSH supports a (Secure Shell), SSL (Secure Sockets Layer) The leading security protocol on the Internet. Developed by Netscape, SSL is widely used to do two things: to validate the identity of a Web site and to create an encrypted connection for sending credit card and other personal data. (Secure Sockets Layer (networking, security) Secure Sockets Layer - (SSL) A protocol designed by Netscape Communications Corporation to provide secure communications over the Internet using asymmetric key encryption. ), and Kerberos support. SAN viruses could also become a concern. A virus backed up through a disk-mirror or point-in-time copy could be written to notice if it's backed up to a SAN, and it could then propagate itself. Some safeguards are on the way. For example, the Fibre Channel Security protocol currently in development by T-11.3, the software division of ANSI's Fibre Channel working group, can likely be used to secure Fibre Channel over IP. Important hut Don't Despair No one would argue that the security issues are not serious. Here are some steps to take that help to ensure security without throwing hands up in despair: BACK UP! Backup often. Backup to remote sites. Backup in multiple formats. Even the worse infosecurity conflagration can be contained if you have a complete, up-to-date backup. Routine is critical here. A backup schedule can be as simple as copying a day's work (Naut.) the account or reckoning of a ship's course for twenty-four hours, from noon to noon. See also: Day to a Zip disk A 3.5" removable disk drive from Iomega. Zip disks come in 100MB, 250MB and 750MB varieties, with the latter introduced in 2002 using USB and FireWire interfaces. The 250MB drives, introduced in 1998, also read and write 100MB disks. or as complex as on-the-fly backups of critical online data. Be sure not to rely on any one backup medium or format. if you use Zip disks, make a few backups to floppy in case your Zip drive See Zip disk. (hardware, storage) Zip Drive - A disk drive from Iomega Corporation which takes removable 100 megabyte hard disks. Both internal and external drives are manufactured, making the drive suitable for backup, mass storage or for moving files between computers. is suffering from an insidious undetected read/write glitch A temporary or random hardware malfunction. It is possible that a bug in a program may cause the hardware to appear as if it had a glitch in it and vice versa. At times it can be extremely difficult to determine whether a problem lies within the hardware or the software. See glitch attack. . if you backup using tape, use CD-RWs sometimes, and vice versa VICE VERSA. On the contrary; on opposite sides. . LOCK DOWN! Modern science can count the number of atoms in the universe (10 (77) excluding dark matter) but no one knows how many computers are stolen every year. Public-access computers and laptops are particularly prone to the "walking computer" syndrome. if you have machines exposed out in the open, lock 'em down with cables attached to nearby pieces of big furniture. ENCRYPT! Do this where necessary. If you have confidential data on a machine that 1) more than one person uses or 2) is connected to the Internet, encrypt that data now. Crypto software can provide defense-in-depth: Even if your computer is stolen, the data will be safe if it's been properly encrypted. Take care in selecting an encryption program. Crypto software is notoriously difficult to produce: Be wary of "snake-oil" crypto vendors that make claims about "military-grade" security or "secret algorithms." There are several existing and upcoming tools for encryption. PC Guardian offers a complete line of encryption products--based on the public Blowfish A secret key cryptography method that uses a variable length key from 32 to 448 bits long. It uses the block cipher method, which breaks the text into 64-bit blocks before encrypting them. algorithm--for protecting files, folders, and even entire hard drives. The company, in press statements, points out that there are numerous benefits to the full-disk approach, as opposed to mere file encryption. Manual file-by-file encryption is laborious and error prone. It's all too easy for a user to leave sensitive information unprotected. Even if the user is exceptionally careful, Windows application A program that is written to run under Microsoft's Windows operating system. Such applications typically run under all 32-bit versions of Windows, but earlier applications might also run under the 16-bit versions (Windows 3.x) as well. See Windows. data gets stored in numerous locations, including temporary directories and swap files. Full-disk encryption addresses the sloppiness of both users and applications: all data is encrypted, regardless of user work habits and application file storage routines. Startup Vormetric (currently run by Bill Schroeder For the baseball player, see . William Fredrich Schroeder (born January 9, 1971, in Eau Claire, Wisconsin) is a former American football wide receiver in the NFL. He attended Sheboygan South High School and then went on to the University of Wisconsin-La Crosse, where he starred formerly of Conner Peripherals Conner Peripherals was a company that manufactured hard drives for personal computers. Conner Peripherals was founded in 1986 by Seagate Technology co-founder Finis Conner, as a merger between a company of his and another started by MiniScribe founders John Squires and Terry ) offers a 'data at rest' encryption and policy-based 'storage firewall' appliance that secures information resident on network-accessible storage and enables companies to better securely serve customers, link with suppliers and enhance employee productivity. Another startup, mentioned earlier, is Neoscale. NeoScale CryptoStor FC, currently in beta testing (programming) beta testing - Testing a pre-release (potentially unreliable) version of a piece of software by making it available to selected users. This term derives from early 1960s terminology for product cycle checkpoints, first used at IBM but later standard throughout the , is said to be the industry's first enterprise-class storage security appliance Security appliances protect computer networks from unwanted data traffic, intruders, email spam, enforce policies, and may also be used to create and manage VPNs. There are a number of types of security appliances. providing wire-speed encryption, centralized policy management, and transparent operation for strong storage transport and media privacy. EDUCATE! Educate yourself about computer security. Educate others. If you're an expert, share your knowledge. If you're a security novice, learn whatever you can. If you're responsible for the security of an organization, be sure to develop and promulgate To officially announce, to publish, to make known to the public; to formally announce a statute or a decision by a court. a clear and clearly-defined security policy ENJOY! Most people don't intuitively associate securing computer systems with anything remotely enjoyable. Clearly, activities like hassling with a backup program Software that copies data from a single machine or from selected computers in a network to a secondary storage medium. Backups can be scheduled at periodic intervals, or individual files can be automatically backed up right after they have been updated. are not like visiting an amusement park amusement park, a commercially operated park offering various forms of entertainment, such as arcade games, carousels, roller coasters, and performers, as well as food, drink, and souvenirs. or getting a back massage. On the other hand, many have compared computer security to a game--a game played against unknown opponents at unknown times and places--but a game nonetheless. Cat and mouse, perhaps. Others look at security as a kind of puzzle, like the cryptograms on the comics page The comics page of a daily newspaper is a page largely or entirely devoted to comic strips. Other features that frequently appear on the comics page are crossword puzzles and horoscopes. Other special pages in newspapers include the sports page and the society page. of the newspaper, only with more at stake. But think of it this way: Security may be hard work, but there's a big payoff when you can relax knowing that data--personal records, business plans, etc.--is safe. Corporations are leveraging private and public networks outside the organization to better conduct business with customers and partners. VPNs and SSL technology have addressed the risks associated with transporting sensitive information over the Internet. But opening enterprise networks and file-based data to customers and partners substantially increases exposure. Organizations need to make confidential information Noun 1. confidential information - an indication of potential opportunity; "he got a tip on the stock market"; "a good lead for a job" steer, tip, wind, hint, lead easily accessible via corporate portals and emerging Web services (1) Loosely, any online service delivered over the Web. Such usage appears in articles from non-technical sources, but not in IT-oriented publications, because definition #2 below describes the correct use of the term. without increasing corporate security risks or introducing a performance deficit. Follow the Money The problems of storage security will ultimately fall on the heads of IT managers. And this awesome responsibility will go to a department where budgets have been eroding 2-5% per year in recent years. The result is an IT department struggling with the risk versus cost tradeoff, and the hard decisions about which technologies, old and new, are necessary to the survival of the business. Sungard Planning Solutions reports that cyber attacks on data increase during times of public attacks such as 9/11 and the anthrax anthrax (ăn`thrăks), acute infectious disease of animals that can be secondarily transmitted to humans. It is caused by a bacterium (Bacillus anthracis scares. Our new understanding of our vulnerabilities require a realistic risk versus cost analysis. Modernly, it may not be possible to be "too careful." The integrator needs to help guide the user with technology options. Not spending enough could well be fatal. RELATED ARTICLE: Incident Management Checklist Disaster recovery may very well be the next step should security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security fall short and action must be taken to get the company's systems back on their feet. This checklist is not designed as a substitute for a comprehensive disaster-recovery plan; nor does it contain specific recovery procedures See: explosive ordnance disposal procedures. designed for your company. This material suggests high-level issues that you should consider if you are in response mode. SunGard Planning is providing this as a public service. Incident Detection and Preliminary Assessment An incident is detected and Company Emergency Response Procedures are followed: * Sound fire alarm, evacuate building. * Preliminary assessment personnel will be immediately alerted and dispatched to the affected site. * An initial incident assessment will be performed. * Security will alert Facilities and Safety personnel and conduct a preliminary assessment of the incident Activate Initial Response Personnel If the incident warrants, the personnel conducting the preliminary assessment, will notify the Initial Response members of the Incident Management Team (IMT IMT, n.pr See inspiratory muscle training. ), including the Incident Manager. The preliminary assessment personnel will provide as much detail as possible about the incident to the Incident Manager. Once notified, the Incident Manager, with assistance from the Recovery Coordinator, will take control of the situation and oversee all remaining IMT tasks. If necessary, the Incident Manager will direct Initial Response personnel to begin implementation of support procedures, which include critical vendor and external notifications. Conduct Damage Assessment Inspection The IMT Initial Response members led by the Incident Manager, with assistance from critical vendors, will conduct a damage assessment inspection and determine initial response activities. Establish Incident Command Center Based on the extent of the incident and the results of the damage assessment inspection, the Incident Manager will determine the most feasible Incident Command Center location. With assistance from the Recovery Coordinator, the Incident Manager will establish the Incident Command Center. Once the Incident Command Center is established, the Recovery Coordinator will oversee its continued operation. Notify Remaining IMT Members The Incident Manager and Recovery Coordinator will notify the remaining IMT members and request assembly at the Incident Command Center. Once all members of the IMT have assembled at the Incident Command Center, the Incident Manager will conduct a team briefing and provide all known facts regarding the incident. Develop Recovery Recommendations Based on the incident circumstances, the IMT led by the Incident Manager, will develop Recovery Recommendations for review and approval by Executive Management. The Recovery Recommendations should include: * IMT Organization Assignment List. * Incident Objectives and Strategies Statement. * Incident Status Summary. Activate Recovery Plan Upon approval of the Recovery Recommendations by Executive Management, the IMT will perform the following Recovery Plan activation activities: * Contact Recovery Sites and perform all necessary formal "Disaster Declaration" activities. * Activate Business Unit Management Team personnel. Perform IMT Support Responsibilities As directed by the Incident Manager, and identified in the IMT Organization Assignment List, designated IMT support personnel will implement their support procedures and provide recovery support to all affected Business Units. The following IMT Support will be provided: Recovery Manager * Assess incident situation. * Authorize activation of incident response activities: * Damage assessment * Communications * Personnel issues * Develop business recovery recommendations. * Direct IMT activity. * Manage incident operations. Recovery Coordinator * Gather and organize information about the incident and corresponding recovery requirements (MARC reports). * Maintain and disseminate incident status summary reports. * Assist the IMT in developing and revising incident objectives and strategies. * Maintain incident status logs and reporting. * Manage all incoming and outgoing communications between the IMT and affected business units. Security * Investigate event occurrence. * Perform initial notification and escalation procedures. * Provide security for the affected facility and all alternate operating locations. Facilities * Perform facility damage assessment. * Acquire replacement office space in the event of a long-term disaster. * Document proof of losses. * Manage salvage and restoration activities. * Notify tenants of the incident and provide periodic updates regarding the condition of their affected office space. Environmental and Safety * Ensure the health and safety of the public and employees. * Ensure that response activities to address fire, spills and/or medical emergencies are performed in accordance with regulatory guidelines. * Perform an initial assessment of the affected area with the Incident Manager and facilities personnel. * Develop a course of action to address incident circumstances. * Notify regulatory agencies within four hours of the incident as applicable. * Enlist the assistance of vendors and agencies to assist in support activities as appropriate. Corporate Communications Corporate communications is the process of facilitating information and knowledge exchanges with internal and key external groups and individuals that have a direct relationship with an enterprise. * Coordinate all media communications. * Review and approve all statements regarding the incident. * Develop both internal and external communications. * Coordinate recovery related advertising with external vendors. Information Technology (IT) * Perform computer system and telecommunications damage assessment. * Activate alternate operating locations (system recovery). * Recover computer systems and network environment(s). * Acquire and install replacement personal computer equipment. * Re-establish data network connections to external resources (branch locations, vendors). * Implement all telephone response actions (re-routing critical telephone numbers). * Arrange for all alternate site telephone installations. Human Resources/Medical * Monitor the condition and location of the injured in coordination with Medical. * Manage all next-of-kin notification. * Coordinate employee communications with Corporate Communications. * Coordinate additional or temporary staffing for recovery effort. * Provide access to counseling services based on the needs of personnel and their families. * Administer company personnel policies as they apply to response and recovery. * Provide triage triage Division of patients for priority of care, usually into three categories: those who will not survive even with treatment; those who will survive without treatment; and those whose survival depends on treatment. for injured personnel. * Monitor the condition and location of the injured in coordination with Human Resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. . Finance * Ensure fund availability for recovery and business expenses. * Ensure that any recovery expenditures are properly documented with the expense-account number. Legal * Manage all required regulatory notifications. * Provide legal counsel for response and recovery operations Operations conducted to search for, locate, identify, rescue, and return personnel, sensitive equipment, or items critical to national security. . * Review and approve new contracts acquired as a result of the event occurrence, before implementation. Audit * Consult/Provide central advice on changes to standard operating procedures standard operating procedure Medtalk A technique, method or therapy performed 'by the book,' using a standard protocol meeting internally or externally defined criteria; a formal, written procedure that describes how specific lab operations are to be performed. . * Ensure that the following standards and policies are maintained during the recovery effort: * Financial data processing data processing or information processing, operations (e.g., handling, merging, sorting, and computing) performed upon data in accordance with strictly defined procedures, such as recording and summarizing the financial transactions of a security and control policy * Anti-fraud policy * Information-handling standards * Provide reports and recommendations to the IMT as required. * Provide additional resources to other business units during the recovery effort as needed as needed prn. See prn order. . Offices Services (Mailroom, Shipping/Receiving) * Re-establish mail and shipping services. * Re-direct all mail and parcel receipts to the alternate operating location. Purchasing * Manage all incident related purchasing. * Acquire office supplies Office supplies is the generic term that refers to all supplies regularly used in offices by businesses and other organizations, from private citizens to governments, who works with the collection, refinement, and output of information (colloquially referred to as "paper work"). , forms, and equipment for affected business units. * Implement any necessary short-term financial tracking controls, utilizing the designated expense-account number. Insurance * Coordinate with insurance broker on all insurance matters. * Coordinate with insurance broker on the preparation and filing of all insurance claims. * Document proof of losses. * Submit claims. Records Management * Coordinate with IT to ensure the recovery of the Records Management System. * Coordinate with Business Units in retrieving all off site backup records. * Lead records reclamation effort. Distribution * Coordinate notification of the incident to Distribution Centers and Direct Operations. * Provide support in the event of a Distribution Center incident. Transportation * Implement any required local shuttle services as required. * Provide transportation during response and recovery activities as required. Food Services food services Hospital services A 24/7 department in a hospital that provides for the nutritional needs of inpatients–eg, those needing special diets, preparing meals and transporting them to the floor and, through the cafeteria, the hospital staff and * Provide foods services to recovery personnel at the alternate operating locations. Track Incident Status and Recovery Progress Throughout the duration of the recovery effort, the status of the incident and recovery progress will be tracked by the Recovery Coordinator. Periodic status updates will be provided to the Incident Manager who will then disseminate information to all internal and external parties involved in the recovery effort. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion