Storage security a soft spot for organizations
Apr 25, 2006 12:32 PM
Storage is the new security soft spot for organizations, according to a recent article by Don MacVittie in Network Computing magazine.
"If we're seeing a major loss of data at rest every few months, you can be sure smaller thefts are happening, undetected or unreported," he writes. "While most now recognize storage as a vital link in the security chain, we still lack consensus on how to proceed."
The cost of lost data and damage to systems -- and the PR nightmare when leaks occur -- are too much for most companies to bear without a risk-avoidance plan. A significant loss of even marginally critical information could land a small firm in such a legal mess that it may as well shut its doors.
Fortunately, it seems the message is getting through. In a recent poll of more than 600 of the magazine's readers, 70 percent say their organizations recognize the need for storage-specific security. Fewer than 10 percent, however, are "very satisfied" with current security systems and processes. A lack of communication and understanding between security and IT staffs was cited as the chief barrier to effective enterprise storage security.
"The simple fact is, we don't build business apps for security; we build them to facilitate business by offering data to users, customers and business partners, and for retrieving data from this same group," MacVittie writes. "Security is added often as an afterthought because first the app must do what it was conceived for -- otherwise security won't be necessary."
Enterprise data is primarily stored on six media. DAS (direct attached storage) comprises the hard disks inside a business's computers and those directly connected to them externally. In NAS (network attached storage) systems, data resides on file servers and on NAS servers that emulate file servers, which use CIFS or NFS to communicate with client machines. Fibre Channel SAN data resides on dedicated networks that do not use IP to communicate. iSCSI SAN data resides on the network in a form similar to DAS, but it is stored remotely. Finally, tapes and optical media facilitate both network- and direct-attached long-term archival storage.
The problem begins with how security is approached on these disparate platforms. For block-level storage devices -- iSCSI, SAN and tape -- there is a tendency to control access at the host level. That means the device housing the storage knows which remote hosts can access the storage, and that's the only true validation that occurs. The weak point here is that host-based access control is less secure than user-based access control.
The problem is that the storage medium is closer to the data being protected, and if access control is configured at the storage level, it does not have to be reconfigured over and over. If it is configured at the server level, however, that configuration must be merged with and replicated to all other servers with access to that array. This is inefficient and needlessly difficult to maintain, particularly in a high-turnover, heterogeneous environment.
To read the entire article, visit www.networkcomputing.com
© 2008 Penton Media Inc.