Written by Greg Schulz
Founder StorageIO, author “Cloud and Virtual Data Storage Networking” and “The Green and Virtual Data Center”
Securing stored data involves preventing unauthorized people from accessing it as well as preventing accidental or intentional destruction, infection or corruption of information. While data encryption is a popular topic, it is just one of many techniques and technologies that can be used to implement a tiered data-security strategy. Steps to secure data involve understanding applicable threats, aligning appropriate layers of defense and continual monitoring of activity logs taking action as needed.
The image below shows common areas of focus pertaining to securing stored data while at rest (being stored) and while in flight (being moved or accessed). Data movement is required for authorized general access, business continuance (BC) and disaster recovery (DR), general data protection as well as archiving for data preservation and compliance. In no particular order, here are 10 items to consider as part of securing your stored data in addition to those in the image below.
- Implement a tiered data protection and security model including multiple perimeter rings of defense to counter applicable threats. Multiple layers of defense can isolate and protect data should one of the defense perimeters be compromised from internal or external threats.
- Include both logical (authorization, authentication, encryption and passwords) and physical (restricted access and locks on server, storage and networking cabinets) security. Hopefully, the closets in your facility for cleaning personal and their tools are separate from where you keep your storage and networking cabling and tools. Physical security includes maintaining a low profile. For example, if yours is the only building with lights on during a heat-wave-induced electrical power blackout, at least turn your outside lights off as well as other lights that can be seen from the outside so as to not draw unwanted attention.
- Logical security includes securing your networks with firewalls, running antispyware and virus-detection programs on servers and network-addressed storage systems. No storage security strategy would be complete without making sure that applications, databases, file systems and server operating systems are secure to prevent unauthorized or disruptive access to your stored data. Implement storage system based volume or logical unit number mapping and masking as a last line of defense for your stored data.
- Speaking of physical security and access controls, change your key-code or door-lock combinations regularly, informing only those who need access. You might be surprised who stops by to ask for the access for the combination or password for something that you did know that they had access to in the first place.
- Some storage and networking tools will encourage you to change management passwords at initial installation. I hope that this sounds like common sense, however, due diligence is to say the obvious — change default passwords at installation and on an ongoing basis. Likewise, restrict access to management tools to those who need it.
- Know who has physical access to fixed and removable data-storage media and devices. Leverage access logs as well as perform background checks of contractor and third-party personnel who will be handling your data and media. Identify where weak links are in your data-movement processes and correct those deficiencies. Data-discovery tools can be used to identify sensitive data that may not be adequately protected.
- If you are currently moving data electronically to avoid losing tapes or are planning to, then make sure data being transmitted over a public or private network is safe and secure. Some techniqes to protect data while in-flight include encryption, virtual private networks and the IPSec protocol.
- Data encryption is a topic people in the industry like to talk about, however, like other technologies, wide-scale mass adoption has been elusive. However, as a trend, encryption — in some shape or form — is here to stay and most likely is in your future. There is plenty of debate as to when (at rest, in flight), where (storage, network, appliance, servers) and how (hardware, software) to implement encryption. For now, consider what the level or depth of encryption you need to counter your applicable threats. Also, consider how key management will be performed for your environment. In addition, consider the potential effect on performance and interoperability for your environment when looking at data-encryption technologies.
- Avoid letting data security become a bottleneck to productivity, because that is a sure way to compromise a security initiative. The more transparent the security is to those who are authorized to use the data, the less likely those users will try to circumvent your efforts.
- Do you know if your data is safe, and do you know where your data is? See that backups and archives are secure, including the process of performing backups and recovery, along with where and how the data is stored. Consider how you will handle key management in a DR situation as well as for long-term retention. Have an understanding of how you will be able to unlock your data for regulatory compliance and archived data.
Greg Schulz is founder and senior analyst of The StorageIO Group and author of the book Resilient Storage Networks (Digital Press, 2004). This blog was originally posted on ComputerWorld.
