10 things to know when selecting a storage security solution.
Securing data is also a key concern as organisations seek to grow their businesses and increase efficiency. By locking down sensitive data, organisations can consolidate storage, protect business-critical information such as source code and even outsource securely if needed. However, not all security solutions are created equal. Before selecting a storage security solution, organisations must evaluate their options based on the following criteria.
1.0 Iron-clad security--An organisation's security is only as strong as its weakest link.
* Hardware-based encryption and key management is critical. Encryption hardware must be physically tamper-resistant. In addition, key management is often the weakest component of encryption systems. Encryption keys, tickets, and credentials must not be exposed in cleartext in an open operating system--otherwise, the system is only as strong as the OS itself. Keys must be wrapped in encryption whenever they are exposed outside of secure hardware. Key management systems must automate key backups to ensure that hardware failures are easily recoverable.
* Storage security solutions must employ industry-standard, strong cryptographic algorithms such as AES, SHA, and ECC. Because stored data must be kept confidential for decades, sufficiently strong encryption, such as AES 256, should be used. Further, encryption algorithms must be exportable to all major industrialised nations.
* Storage security solutions must provide tamper-evident logs of sensitive administrative and user actions, including file accesses. Administrators must not have the ability to erase or modify logs without detection.
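One way to make a log tamper-evident, shown as an added example that is not from the article or from any vendor's product: each entry carries an HMAC chained to the entry before it, so an edited or erased entry breaks the chain. The key, field names and sample events are constructed for illustration; the key and the latest chain value (`expected_head`) are assumed to be held in secure hardware, out of administrators' reach.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value that precedes the first entry

def link_mac(key: bytes, prev: str, record: dict) -> str:
    """HMAC-SHA256 binding a record to the previous entry's MAC."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append(log: list, key: bytes, record: dict) -> str:
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "mac": link_mac(key, prev, record)})
    return log[-1]["mac"]  # new head of the chain

def verify(log: list, key: bytes, expected_head: str):
    """Return (ok, index of first inconsistency or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        mac = link_mac(key, prev, entry["record"])
        if not hmac.compare_digest(mac, entry["mac"]):
            return False, i
        prev = mac
    if not hmac.compare_digest(prev, expected_head):  # entries cut from the end
        return False, len(log)
    return True, None

def demo() -> dict:
    key = b"constructed-demo-key"  # assumption: really held in secure hardware
    events = [  # constructed sample audit events
        {"who": "alice", "action": "read", "path": "/vault1/src/main.c"},
        {"who": "admin", "action": "acl-change", "path": "/vault1"},
        {"who": "bob", "action": "read", "path": "/vault1/payroll.xls"},
    ]
    log = []
    for event in events:
        head = append(log, key, event)
    edited = json.loads(json.dumps(log))        # deep copy of the log
    edited[1]["record"]["who"] = "bob"          # entry modified in place
    return {
        "intact": verify(log, key, head),
        "edited": verify(edited, key, head),
        "erased": verify(log[:1] + log[2:], key, head),  # middle entry removed
        "truncated": verify(log[:2], key, head),         # last entry removed
    }

if __name__ == "__main__":
    print(demo())
```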
2.0 Fast and invisible
Deployment of a security solution must be transparent to existing infrastructure, applications and workflow. It must not require custom integration with applications, servers, or desktops, and must be easily deployed without taking key applications offline. Further, storage security platforms must provide multi-gigabit throughput and sub-millisecond latency performance to support mission-critical applications.
3.0 Works everywhere
Organisations manage enormous amounts of sensitive data across heterogeneous environments. A storage security platform must provide a single, integrated platform for securing data, regardless of where it resides (NAS, DAS, SAN, tape).
4.0 Low maintenance
Storage security solutions must be easily and securely managed via Web and CLI interfaces. Clusters of devices should be manageable as a group, and common tasks should be scriptable. Compatibility with SNMP monitoring is required. Administrator access should be secured by two-factor authentication (e.g. password and smart card or other token).
5.0 Agent software is optional
The cost and complexity of deploying agent software across thousands of desktops and servers is substantial. Moreover, the wide variety of operating systems and versions, as well as ongoing updates and patches, makes this approach unreliable for stand-alone enterprise-wide deployment. The solution must be deployed with an appliance: the hardware should perform all primary functions transparently, with optional features delivered in software agent format.
Increasingly in today's environment, cost and manageability concerns are driving consolidation of applications onto shared storage systems. Storage security solutions must provide the ability to cryptographically compartmentalise data on shared devices or networks, and customise access controls and security requirements for each 'vault.' This is particularly important in protecting data from the risk of insider theft.
7.0 Granular access controls
The storage security platform must combine back-end encryption with authentication and granular access controls for users and applications. Per-user and per-file ACL support are required for NAS environments. The platform should integrate with existing authentication and directory services including Active Directory, LDAP, and NIS.
8.0 Plays well with others
The storage security platform must interoperate seamlessly with all major operating systems, network vendors, and storage vendors. Interoperability testing and certification with major vendors, such as IBM, HP, EMC, NetApp, Hitachi, McDATA, Brocade, Veritas, Legato and Cisco, is highly desirable.
9.0 Tried, tested and true
Encryption algorithms and implementations must have been validated and certified by third-party evaluation labs. Official certifications such as FIPS 140-2 Level 3, NIST encryption certification, and Common Criteria are highly desired.
10.0 When all else fails--In case the worst happens, sensitive recovery operations must be protected by security measures such as two-factor authentication and quorum requirements (the 'two-man rule').
Steve Willson, EMEA Decru
Title Annotation: Security Supplement
Date: Mar 1, 2005