How much progress is really being made in securing storage? For several years now, pundits have sounded the alarm about a range of security risks associated with storage. That includes everything from a lack of fundamental network security practices for SANs to the ever-familiar problems associated with handling off-site media. Regarding the latter, hardly a week goes by that some organization isn't reporting the loss or theft of laptops or tapes containing confidential information.
Yet, aside from those corporate victims in the spotlight that have been forced to make improvements, it seems that the state of storage security has been advancing very slowly.
Furthermore, many so-called storage security initiatives should be more accurately labeled as off-site tape security initiatives. In other words, the focus isn't on a strategic approach to securing the overall storage infrastructure, but on the pain point du jour — in this case, the desire to avoid being the next organization to make headlines in Computerworld for the wrong reason. Certainly, the desire to close this particular security hole is understandable, but without an overall game plan, there is a strong likelihood that efforts will be duplicated and other risks overlooked.
A widely reported study from the Identity Theft Resource Center found a 47% increase in data breaches in 2008 compared with 2007. Of these breaches, 20.7% involved “data on the move” — on laptops or tapes, for example. However, twice as many incidents (41%) occurred through a combination of hacking, insider theft and subcontractor breaches.
Yet even the goal of securing off-site media hasn't been successfully addressed. Consider, for example, the lack of wide-scale adoption of encryption. Only 2.4% of the lost media in the above study was encrypted. Why is that? In the case of tape, it's not because of a lack of awareness or a misunderstanding of the problem, which is painfully obvious. Nor is it because of a lack of technology available to address the problem. Encryption products for every level can be obtained from mainstream vendors: tape drive (LTO-4, IBM TS1130 or STK T10000), tape library (Spectra Logic), SAN switch (Cisco or Brocade), SAN or LAN appliance (NetApp) and host software (most backup applications).
It's easy to point to the challenges of key management as the primary roadblock to more widespread adoption of media encryption, and this is certainly a contributing cause. However, the problems of key management point to a larger issue: the lack of a comprehensive security strategy that truly encompasses storage. As long as storage sits at the periphery of organizations' security focus, there will continue to be risks, and obstacles to addressing those risks.
What's required is understanding that different entities within an enterprise access, manage, control and own responsibility for data. An effective strategy considers the security needs of all constituents.
A strategic approach to storage security would not only weigh additional risks beyond things like off-site media encryption, but would also identify which data needs to be encrypted and at what level. For example, if data is encrypted at the application level to protect against unauthorized access, it might not need to be re-encrypted at the tape level. If a centralized key-management function, with associated policies and processes, were instituted to manage all data security access, the prospect of off-site tape encryption wouldn't be as daunting.
Given the current economic reality, it's improbable that many organizations will undertake this type of program in the near future. However, it's important to begin to bridge the gap between storage and security and build a rational framework on which to incrementally improve. Otherwise, the breach tally is certain to climb even higher in 2009.