10 things to know when selecting a storage security solution.

With data threats and security breaches at an all-time high, protecting data both at rest and in flight is a major concern for organisations around the world. Today, terabytes of business-critical data sit in storage networks around the world. For the most part this data is housed in cleartext format and remains unprotected from unauthorised or inappropriate access by insiders, such as company employees or contractors, and by outsiders, including hackers. As a result, protecting data from misuse is a critical requirement for all organisations.

Securing data is also a key concern as organisations seek to grow their businesses and increase efficiency. By locking down sensitive data, organisations can consolidate storage, protect business-critical information such as source code and even outsource securely if needed. However, not all security solutions are created equal. Before selecting a storage security solution, organisations must evaluate their options based on the following criteria.

1.0 Iron-clad security--An organisation's security is only as strong as its weakest link.

* Hardware-based encryption and key management are critical. Encryption hardware must be physically tamper-resistant. In addition, key management is often the weakest component of encryption systems. Encryption keys, tickets, and credentials must not be exposed in cleartext in an open operating system; otherwise, the system is only as strong as the OS itself. Keys must be wrapped in encryption whenever they are exposed outside of secure hardware. Key management systems must automate key backups to ensure that hardware failures are easily recoverable.

* Storage security solutions must employ industry-standard, strong encryption algorithms such as AES, SHA, and ECC. Because stored data must be kept confidential for decades, sufficiently long keys, such as AES 256, should be used. Further, encryption algorithms must be exportable to all major industrialised nations.

* Storage security solutions must provide tamper-evident logs of sensitive administrative and user actions, including file accesses. Administrators must not have the ability to erase or modify logs without detection.
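One way to meet the tamper-evident log requirement is a keyed hash chain. The following is an added example, not code from the article or from any product; the record fields, sample events and demo key are constructed. It assumes the MAC key never leaves the secure hardware and that the latest chain head is copied somewhere an administrator cannot rewrite.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value that precedes the first record
FIELDS = ("seq", "actor", "action", "target")

def _mac(key, prev_mac, body):
    # Each MAC covers the previous MAC, so records cannot be reordered or dropped.
    msg = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append(log, key, actor, action, target):
    """Append one audit record and return the new chain head."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action, "target": target}
    log.append({**body, "mac": _mac(key, prev, body)})
    return log[-1]["mac"]

def verify(log, key, anchored_head=None):
    """Return (status, index): the first bad record, or the log length."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in FIELDS}
        if rec["seq"] != i or not hmac.compare_digest(rec["mac"], _mac(key, prev, body)):
            return ("modified", i)
        prev = rec["mac"]
    # A log with its tail erased is still a valid chain; only the anchored head exposes it.
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return ("truncated", len(log))
    return ("intact", len(log))

# Constructed sample events (actor, action, target).
SAMPLE = [("alice", "read", "/vault/hr/payroll.xls"),
          ("admin1", "change_acl", "/vault/hr"),
          ("admin1", "key_export", "vault:hr")]

def demo():
    key = b"constructed-demo-key"  # assumption: in practice held in tamper-resistant hardware
    log, head = [], GENESIS
    for event in SAMPLE:
        head = append(log, key, *event)
    edited = [dict(r) for r in log]
    edited[1]["actor"] = "nobody"  # administrator rewrites a record
    return {"intact": verify(log, key, head),
            "edited": verify(edited, key, head),
            "deleted": verify(log[:1] + log[2:], key, head),  # middle record erased
            "truncated": verify(log[:2], key, head)}          # tail erased

if __name__ == "__main__":
    print(demo())
```
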

2.0 Fast and invisible

Deployment of a security solution must be transparent to existing infrastructure, applications and workflow. It must not require custom integration with applications, servers, or desktops, and must be easily deployed without taking key applications offline. Further, storage security platforms must provide multi-gigabit throughput and sub-millisecond latency performance to support mission-critical applications.

3.0 Works everywhere

Organisations manage enormous amounts of sensitive data across heterogeneous environments. A storage security platform must provide a single, integrated platform for securing data, regardless of where it resides (NAS, DAS, SAN, tape).

4.0 Low maintenance

Storage security solutions must be easily and securely managed via Web and CLI interfaces. Clusters of devices should be manageable as a group, and common tasks should be scriptable. Compatibility with SNMP monitoring is required. Administrator access should be secured by two-factor authentication (e.g. password and smart card or other token).

5.0 Agent software is optional

The cost and complexity of deploying agent software across thousands of desktops and servers is substantial. Moreover, the wide variety of operating systems and versions, as well as ongoing updates and patches, makes this approach unreliable for stand-alone enterprise-wide deployment. The solution must be deployed with an appliance; the hardware should perform all primary functions transparently, with optional features delivered in software agent format.

6.0 Compartmentalise

Increasingly in today's environment, cost and manageability concerns are driving consolidation of applications onto shared storage systems. Storage security solutions must provide the ability to cryptographically compartmentalise data on shared devices or networks, and customise access controls and security requirements for each 'vault.' This is particularly important in protecting data from the risk of insider theft.

7.0 Granular access controls

The storage security platform must combine back-end encryption with authentication and granular access controls for users and applications. Per-user and per-file ACL support are required for NAS environments. The platform should integrate with existing authentication and directory services including Active Directory, LDAP, and NIS.

8.0 Plays well with others

The storage security platform must interoperate seamlessly with all major operating systems, network vendors, and storage vendors. Interoperability testing and certification with major vendors, such as IBM, HP, EMC, NetApp, Hitachi, McDATA, Brocade, Veritas, Legato and Cisco, is highly desirable.

9.0 Tried, tested and true

Encryption algorithms and implementations must have been validated and certified by third-party evaluation labs. Official certifications such as FIPS 140-2 Level 3, NIST encryption certification, and Common Criteria are highly desired.

10.0 When all else fails--In case the worst happens, sensitive recovery operations must be protected by security measures such as two-factor authentication and quorum requirements (the 'two-man rule').

Steve Willson, EMEA Decru
COPYRIGHT 2005 A.P. Publications Ltd.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Security Supplement
Author:Willson, Steve
Publication:Software World
Date:Mar 1, 2005