You are here :
  • HomeOpinionsGlassHouse Technologies Outlines Gameplan for Storage Security

Opinion

image

GlassHouse Technologies Outlines Gameplan for Storage Security

By James Damoulakis Wed, Jul 15, 2009

James Damoulakis is Chief Technology Officer at GlassHouse Technologies, an IT infrastructure consulting and services firm.

How much progress is really being made in securing storage? For several years now, pundits have sounded the alarm about a range of security risks associated with storage. That includes everything from a lack of fundamental network security practices for SANs to the ever-familiar problems associated with handling off-site media. Regarding the latter, hardly a week goes by that some organization isn’t reporting the loss or theft of laptops or tapes containing confidential data. Yet, besides those corporate victims in the spotlight that have been forced to make improvements, it seems that the state of storage security has been advancing very slowly.

Furthermore, many so-called storage security initiatives should be more accurately labeled as off-site tape security initiatives. In other words, the focus isn’t on a strategic approach to securing the overall storage infrastructure, but on the pain point du jour — in this case, the desire to avoid being the next organization to make headlines in for the wrong reason. Certainly, the desire to close this particular security hole is understandable, but without an overall game plan, there is a strong likelihood that efforts will be duplicated and other risks overlooked.

A study from the Identity Theft Resource Center found a 47 percent increase in data breaches in 2008 compared with 2007. Of these breaches, 20.7 percent involved ‘data on the move’— on laptops or tapes, for example. However, twice as many incidents (41 percent) occurred through a combination of hacking, insider theft and subcontractor breaches.

Yet even the goal of securing off-site media hasn’t been successfully addressed. Consider, for example, the lack of wide-scale adoption of encryption. Only 2.4 percent of the lost media in the above study was encrypted. Why is that? In the case of tape, it’s not because of a lack of awareness or misunderstanding the problem — that’s painfully obvious. Nor is it because of a lack of technology available to address the problem. Encryption products for every level can be obtained from mainstream vendors: tape drive, tape library, SAN switch, SAN or LAN appliance and host software.

It’s easy to point to the challenges of key management as the primary roadblock to more widespread adoption of media encryption, and this is certainly a contributing cause. However, the problems of key management point to a larger issue: the lack of a comprehensive security strategy that truly encompasses storage. As long as storage sits at the periphery of organizations’ security focus, there will continue to be risks, and obstacles to addressing those risks.

What’s required is understanding that different entities within an enterprise access, manage, control and own responsibility for data. An effective strategy considers the security needs of all constituents.
A strategic approach to storage security not only would weigh additional risks beyond things like off-site media encryption, but would also consider identifying which data needs to be encrypted and at what level. Perhaps if data is encrypted at the application level to protect against unauthorized access, it might not need to be re-encrypted at the tape level. If a centralized key-management function, with associated policies and processes, were instituted to manage all data security access, the prospect of off-site tape encryption wouldn’t be as daunting.

Given the current economic reality, it’s improbable that many organizations will undertake this type of program in the near future. However, it’s important to begin to bridge the gap between storage and security and build a rational framework on which to incrementally improve. Otherwise, the breach tally is certain to climb even higher in 2009.

Channelworld.in Opinion

Related Contents in ChannelWorld.in