Information protection
- Article 3 of 3
- Enterprise Security, May 2005
Ensuring the integrity of information is a primary goal of both security and storage, a fact that puts the sectors on a converging course.
Building scenarios of a security breach, IT executives often picture hackers as ‘script kiddies’ or con artists trying to crack through the defences they have put in place. But the reality is that around 70% of all security breaches come from within the organisation – either from an employee or from a business partner – where firewalls and perimeter security are almost irrelevant.
This worrying fact is now causing many IT decision-makers to reconsider their security strategies to see how they can keep their data secure from unauthorised insiders as well as outsiders. The conclusion that many are coming to is that the storage itself needs to be secure, not just enveloped in layers of security, and vendors from both the storage and security markets are starting to wake up to this need. This new evaluation of storage and security is also illuminating areas where both storage and security solutions can work together.
Many CIOs would be surprised by the thought that their data is unsecured, even to insiders. After all, there are passwords to prevent systems from being accessed by anyone without authorisation.
Of course, there is always the possibility of passwords or systems being hacked, but proper password and patch management policies can reduce that to a minimum.
Physical access to data can completely override any existing security measures. While IDs and passwords on a file server can stop people accessing data over a network, slip a hard drive out of its rack and connect it to another machine and anyone can read it. Aware of this problem, many organisations wipe the hard drives of corporate PCs, laptops and servers before disposing of them. Yet the truly motivated (and well-equipped) data thief can read the data off hard drives that have been reformatted or even demagnetised: nothing short of melting the drive down will get rid of 100% of the data.
But there are even more direct ways into stored data. Ed Jones, sales director of online backup company Thinking Safe, describes how he sees many instances when companies have tried to retrieve data from tapes handled by a service provider, only to find they have been supplied with another company’s data. With most backup data stored on tape without any kind of access controls, getting access to an organisation’s data through its tapes is a distinct possibility.
Network threat
The rise in networked storage has also increased the number of potential security risks. Storage area networks (SANs) are being used in approximately 57% of European companies today and yet their security is still inferior to that on most traditional direct attached storage solutions.
Tony Reid, director for solutions marketing EMEA for storage vendor Hitachi Data Systems, says the concepts of trusted access and authentication are only now starting to be implemented and introduced by fibre channel vendors. “There have been a number of technical issues to overcome simply to make SANs work. There have been interoperability issues, getting switches from vendor X to work with vendor Y’s. So these have been the natural focus – just getting the networks to work.”
One common security flaw introduced by many organisations is to have their SAN run on a fibre channel island away from the regular network, says Simon Gay, consultancy practice leader at infrastructure service provider Computacenter. They then rely on that inaccessibility for security – but connect their switches up to the Ethernet so they can manage the systems.
Paradoxically, HDS’s Reid adds that iSCSI, which uses regular Ethernet to create SANs, may actually be more secure. “People were more concerned about putting traffic over an IP network, so a raft of solutions to secure iSCSI were developed.”
