Managing risk in the storage environment: the realities of risk.
Risk management represents an often overlooked but essential subset of a storage management program. A convergence of three factors (technology, legislation, and high-profile instances of customer data loss) has increased business risk and created significant awareness in the market of this exposure.
Several recent prominent news stories describe theft of personally identifiable data records, stolen backup tapes, litigation resulting from improper preservation and production of electronic records, and intellectual property breaches.
Consequently, companies must evaluate ways to significantly tighten the security of their storage environments. From encrypting information, to tightening access controls and deploying security technologies at both the host and network level, the storage architecture requires greater attention today as a critical component of any enterprise information security strategy.
Yet, unless all access to storage is completely severed, it remains at risk of becoming a target for attackers. Since the stored data is useless if no one can access it, protecting the confidentiality, availability, and integrity of information requires organizations not to eliminate risk but to manage it.
The Realities of IT Risk Management
Many companies have minimal awareness of their IT risk exposure, aren't fully exploiting the breadth of tools to manage these risks, and haven't begun to systematically build the knowledge and processes to manage IT risks.
Companies have struggled partly because IT risk management is a newly emerging field where the traditional models of risk management do not always cleanly apply. Typically, businesses have only a vague understanding of the impact of the loss of information assets or the loss of access to their applications.
Additionally, IT risks are more challenging to quantify. In IT, the kind of well-developed statistical or actuarial models that assess financial risk and give it a reasonable level of precision do not yet exist. However, "roughly right" approaches based on heuristics and experience still yield accurate, valuable, and usable measures of IT risk.
Taking a Measured Approach to Risk
While no magic formula exists for corporations to assess and mitigate information risk on an enterprise-wide scale, effective risk management can mitigate or reduce risk to a level that is acceptable to an organization. To manage risk, an organization must be able to:
* Identify information assets. Assets are generally considered anything that must be protected, from a database to an entire computing infrastructure.
* Analyze threats to assets. Threats are events that would have a negative impact on the organization. Threats can be man-made or natural and their severity can be minimal to devastating.
* Analyze vulnerabilities of those assets. Vulnerabilities are weaknesses that could be exploited by a threat. Unpatched software and inappropriate safeguards are examples.
* Gauge the potential for losses. Measuring potential loss or exposure to loss requires organizations to place a dollar value on the anticipated financial repercussions should an asset be lost or its availability, integrity, or security be compromised temporarily or permanently. Loss can come in several forms, from delays in service caused by denial of service (DoS) attacks to damaged brand and reputation, and more.
* Pinpoint and put in place adequate safeguards. Safeguards are the controls or security practices that, when employed, reduce the risk associated with a certain threat and, in turn, minimize the impact of that threat.
Specific threats and vulnerabilities to storage assets are typically present in the following areas:
* Network traffic attacks such as denial of service, hijacking, man-in-the-middle attacks, and spoofing
* Storage switch to storage switch
* End computing device to the network
* Server (Application or otherwise) to the storage array
* Management interface for the storage environment
Risk Management Guidelines
When developing and implementing risk management processes and programs, organizations can increase the likelihood of success by keeping in mind three simple guidelines.
* The risk associated with information assets changes as information is utilized throughout the organization.
* Because information is part of virtually every layer of the organization, keeping it secure involves each organizational layer.
* Cost-effective risk management requires prioritization.
#1. Risk changes
The information lifecycle begins with information creation, and then moves to information transfer, information storage, information viewing, and information destruction. Each phase has its own associated set of vulnerabilities and threats to be considered.
#2. Security layers
To protect non-public client data, an organization typically must not only evaluate the security of the applications which utilize the data, but also the security of the complete infrastructure, the security of operations, the security of the entire organization, and the security of third-party controls.
With any storage network, fundamental elements must be considered, such as storage devices, storage management, and storage applications. Additionally, as we move further into the network, considerations are made for the data itself (file/records and block data), and the medium in which it is transferred (transportation of the data). Layers include:
* Transport Layer: the medium by which the data is transferred. This area includes protocols, frames, packets, and other elements.
* Management Layer: includes the administration of every storage device, every bit and byte of data, and the storage network as a whole. It is one of the more important layers to consider.
* Application Layer: includes the storage applications that are used for management. It does not encompass the business applications that are supported by the storage network such as email, but focuses on the tools and utilities that are used to manage the objects in the storage network itself. Application layer security is very important since the security of the application, or lack thereof, can subvert or override other security controls.
* Block Layer: includes the block data contained on the storage nodes. Block data concerns only the data at rest in the storage network and does not address data in transit.
* Device Layer: includes the devices in the storage network, such as switches, HBAs, NICs, storage nodes, and appliances. The device layer addresses classes of devices and the types of security solutions that can be used within them and does not address differences among specific products or vendors.
* File/Record Layer: includes the file data contained within the storage nodes. The file layer concerns data at rest in the storage node/appliances and does not address data in transit.
#3. Prioritizing Risk
Identifying and addressing the most probable or potentially costly risks can result in an improved security posture as well as a healthier return on investment.
With implementation of a risk management strategy underway, organizations must also institute a process for the continual evaluation of risk management processes and measures. Organizations often fail to revisit their risk management programs to keep them up-to-date and viable. But such stagnation often leads to security challenges that can significantly impact long-term success. Moreover, expenditures for security controls that are no longer vital to the organization because of a change in the security posture will reduce the amount of funds available for other areas of focus.
Risk detection capabilities can be leveraged to monitor the organization's risk posture on an ongoing basis, and reporting requirements can be met through risk logging.
Because threats and vulnerabilities change over time, as business priorities evolve, it is also necessary to keep a close and steady eye on information security sources in order to stay apprised of new and future challenges. Intelligence systems provide a comprehensive and convenient vehicle for keeping up-to-date on security threats and vulnerabilities as they emerge around the globe.
At the same time, organizations can regularly test the incident readiness tools and processes they have designed and established to ensure their ongoing effectiveness against evolving risks and future threats.
To complement this testing, organizations can also conduct scheduled reviews of their operational risk posture to evaluate any internal or external changes that have been made in the organization and incorporate appropriate responses.
Reaping the Information Integrity Payoff
In today's information-based digital world, risk is unavoidable. Threats to information assets are appearing with greater frequency, sophistication, and speed, thereby increasing the probability of infection or attack as well as the severity of impact, and unless an organization is willing to cease operations, risk can never be completely eliminated.
Managing risk to create a more resilient infrastructure will likely always be a serious challenge for IT organizations. But the payoff, ensuring the integrity of corporate information and easing IT administration, justifies the effort and resources required.
Risk management enables organizations to find the level of risk they can tolerate safely while maintaining successful business operations. The successful management of risk on a continual basis can give organizations a competitive edge by ensuring more effective and efficient processes, by reducing operational costs, by improving customer service, and by keeping disruptions to a minimum.
Effective management of risk can result in improved service delivery, resource efficiencies, innovation, management improvements, and reductions in fraud and waste. Moreover, by effectively managing risk, organizations can protect business continuity, enhance corporate governance, and ensure the availability and security of critical business information.
Greg Hughes is senior vice president of worldwide services and support, managing Symantec's consulting, education, and technical support operations (Cupertino, CA).
Title Annotation: Storage Security
Publication: Computer Technology Review
Date: Mar 1, 2006