A good storage solution, backed up with the right policies, can help keep you out of the headlines and achieve compliance. By Mark Mayne
Mounting concern about the security of personal data – rarely a week goes by without a government department, hospital or company having to admit to losing confidential information about hundreds of private citizens – is pushing storage to the top of the CISO's agenda.
This intensified pressure has also triggered a slew of regulations outlining businesses' obligations to secure data – and prove they have done so. The ability to generate reports to prove compliance is also becoming essential. Consequently, organisations can no longer afford to be complacent about the ways in which data is stored. We take a look at the major trends affecting this market.
Follow the law
The first major driver of storage technology in the past couple of years has been the rise of compliance as a wider issue. While the US went mad over Sarbanes-Oxley, data breach disclosure and PCI DSS, the European Union brought in the Markets in Financial Instruments Directive (MiFID) and the UK tightened its data protection laws. Other recent EU efforts include the 2002 EC Directive on Privacy and Electronic Communications, which sets out retention, access and “anonymisation” data requirements for telcos and ISPs. The 2006 EC Data Retention Directive also requires data to be retained for between six months and two years to provide for law enforcement agency access. Finally, both the EU and UK are considering data-breach disclosure legislation. The Information Commissioner's Office (ICO) recently received increased powers to monitor public bodies' data-storage habits, and many experts believe that specific legislation is not far off.
This increased scrutiny has made many businesses take a look at their database security in earnest. “Compliance has certainly had the biggest single impact on enterprise attitudes to storage,” says Eric Burgener, a senior analyst at the Taneja Group. “A few years ago there was very little interest in storage security, but now demand has soared.”
Eric Biaze, senior director of product security at EMC, believes the sector is truly coming of age: “Storage is a hot topic in security right now. It used to be managed in isolation from the rest of IT, so it was thought of as a big black box that wasn't connected with the rest of the IT environment. Now however, storage is generally IP-ready, so this attitude has started to change. Plus, having to prove that you are compliant is a big shift.”
It's a bad, bad, bad, bad world
Another contributing factor to the growing need for security in this area has been the rise of specific, database-targeted attacks. SQL injection attacks, just one variety of these, are succeeding every day. Mainstream media coverage has served to accentuate the dangers to brand equity. Back in April, a wave of SQL injection attacks hit half a million Microsoft IIS-powered sites; a month later, thousands of Chinese websites were attacked via malware implanted via the same technique.
Additionally, attacks on web applications that link back to central databases have risen massively over the past two years. As the value of customer data has risen, so too has its desirability to criminals. Apart from hackers trying to break in, there is also the ever-present internal threat. Burgener believes this is often the most important, yet it is easily forgotten. “In the US, internal threats are often the most severe in terms of the fallout. Physical security is key to data security, and must not be overlooked,” he warns. “The disgruntled employee whose access card still works is one of the biggest potential problems…”
Encryption is a massive undertaking when it comes to data storage. It is available in many flavours, from appliances sitting between the storage systems and front-end clients to total “at rest” data encryption architectures, which are much harder to implement. As processing power has increased, so has the recommended minimum secure encryption key length. But longer keys use more processing power, thus slowing down both storage and retrieval of data.
The trouble with encryption
“Encryption is a big problem with storage solutions,” says Mark Chaplin, a senior research consultant at the Information Security Forum. “To begin with, you have to classify your information into high and low risk, depending on your business. Businesses are usually behind on this. Having identified the information you would like to encrypt, you then have to decide where to encrypt it – on the PC hard disc, in flight, at rest or all three? Then the real issue begins, and that is key management. If you encrypt at each level, you'll need a key for each level, which will need to be stored and managed for many years.
“The question is: ‘Who actually owns that data?' It's not as simple as encrypting email. A lot of companies have significant issues in this area, and it's not a problem I see being solved soon,” Chaplin adds.
As you'd expect, encryption vendors disagree. “These problems have been solved long ago, and there is increasing interest in secure storage products,” claims EMC's Biaze. “Previously there was a lot of confusion about storage encryption. Some companies used to market storage security tools that were essentially appliances that encrypted the stream of data en route to the storage device. This is not the same as the data encryption we know today. The older approach only addressed a small part of the problem.”
But even vendors are keen to point out that encryption is not a panacea. “It's worth remembering that even encrypting the entire database doesn't necessarily keep out the hackers,” Biaze points out. “Application attacks will still work. If the application has legitimate access to the data, the information can be siphoned off through it. Storage has to be considered alongside the deployment of technologies such as strong authentication, network access control and application security,” Biaze continued.
Burgener blames access speed and key management for a perceived lack of encryption uptake in the storage sector. “The technology is being implemented, but only by around 20 per cent of businesses, due to these two factors. More are beginning to adopt encryption technologies, but this will take some time,” he says.
There have been a number of recent developments in technology terms. Data deduplication is now seeing widespread adoption, having been popular in backup media for a while. However, not all technologies work with encryption. Burgener explains: “Deduplication technology has accelerated in the past 12 to 18 months. It works by breaking data down into chunks, then removing all those that look similar. This can produce reduction ratios of up to 20:1, so it is obviously very popular. However, encryption rarely works well in tandem with deduplication, so it's essential to check that you have compatibility.”
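Why Burgener's caveat holds can be shown in a few lines. The example below is added for this article (it is not code from any vendor or product mentioned): it deduplicates fixed-size blocks by SHA-256, then shows that conventional per-block encryption with a random nonce destroys the deduplication ratio, and, going one step beyond the text, that the usual workaround, convergent encryption (key derived from the block's own hash), preserves it at the cost of revealing which blocks are equal. The cipher is a counter-mode keystream built from HMAC-SHA256, a standard-library stand-in for AES-CTR so the example runs offline; the sample blocks and key are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 4096  # fixed-size chunking; real products mostly use variable-size chunks

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def dedup_ratio(blocks: list) -> float:
    """Logical bytes divided by bytes actually kept after content-addressed (SHA-256) dedup."""
    store = {}
    for b in blocks:
        store.setdefault(hashlib.sha256(b).digest(), b)
    return sum(len(b) for b in blocks) / sum(len(b) for b in store.values())

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES-CTR (example only)."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt_block(key: bytes, nonce: bytes, block: bytes) -> bytes:
    return nonce + bytes(p ^ k for p, k in zip(block, keystream(key, nonce, len(block))))

def decrypt_block(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def encrypt_random_nonce(key: bytes, blocks: list) -> list:
    """Conventional encryption, fresh random nonce per block: identical plaintext
    blocks become distinct ciphertext, so the deduplicator finds nothing to remove."""
    return [encrypt_block(key, os.urandom(16), b) for b in blocks]

def convergent_key(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()

def encrypt_convergent(blocks: list) -> list:
    """Convergent encryption: key = SHA-256(block), zero nonce. Identical plaintext gives
    identical ciphertext, so dedup still works, but equality of blocks is visible to the
    storage operator and low-entropy blocks can be confirmed by guessing."""
    return [encrypt_block(convergent_key(b), bytes(16), b) for b in blocks]

# Constructed sample: nine identical 4 KiB blocks (nine copies of one file) plus one distinct block.
SAMPLE_BLOCKS = split_blocks(b"A" * BLOCK * 9 + bytes(range(256)) * 16)
KEY = hashlib.sha256(b"example key, not for real use").digest()  # constructed

if __name__ == "__main__":
    print("plaintext dedup ratio:  ", dedup_ratio(SAMPLE_BLOCKS))
    print("random-nonce encryption:", dedup_ratio(encrypt_random_nonce(KEY, SAMPLE_BLOCKS)))
    print("convergent encryption:  ", dedup_ratio(encrypt_convergent(SAMPLE_BLOCKS)))
```

The practical lesson is the ordering of the layers: deduplicate before encrypting (or encrypt inside the storage system, below the deduplicator), because ciphertext produced above it deduplicates to nothing.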
Another technology that is making waves is flash storage. As it begins to make its way onto laptops, replacing the classic hard disc, the storage market has begun to take note. It offers exceptional performance, but is still relatively expensive. “Flash storage is beginning to become useable,” says Biaze. “It offers an incredible boost in performance, but presents some new issues, such as how to erase the data completely after use. Another recent trend has been the increasing inclusion of security features as part of network storage devices. Before it was possible to add on functionality such as encryption, but now it's often a feature of Cisco switches, for example.”
Biaze continued: “The future of storage will see a similar progression to that shown by encryption. We'll see a growing number of services currently seen as add-ons included as features in products. For example, I think we will soon see data classification become native, so that credit card numbers are recognised as such, for example. This will then be linked to data-loss policies to stop this kind of high-risk personal data being emailed or copied. Policies will become increasingly centralised to keep up with demand, and compliance reports will be automated, just as security policies are beginning to be.”
However, it's not all about the technology, as Chaplin is keen to point out. “Enterprises need to get the basics right before buying storage solutions,” he cautions. “It's all about having a solid base. Risk management strategies must be in place, and event logging and monitoring must be running smoothly. It's all about a holistic approach. Also remember after buying your storage solution that you'll need to harden it. Turn off services you don't need and disable unwanted functions. And have robust access control measures in place.”
Storage has clearly moved into the mainstream of IT and, as data increases in importance, it's set to stay there. “Data storage is still uncharted territory for many IT security professionals,” says Chaplin. “However, as the perimeter dissolves, it will inevitably have to be given more consideration. The secure area retreated to the server, then the application server, and now finally the database is the last bastion of defence. IT professionals are waking up to its importance.”
The IT industry is taking a long, hard look at storage as part of a layered security approach. Technology is gradually changing the way data can be kept and retrieved, and future innovations promise great things. It's fair to say that storage security will become increasingly critical and ensuring that both physical and online threats to centrally-held data are countered is essential. However, assessing and then managing the risk relating to your enterprise data is the starting point here, rather than new technology investment.
CASE STUDY: SYMPOSIUM EVENTS
Last August, London-based Symposium Events received a phone call from the police over the weekend, informing the company that there was an intruder in its offices who police believed had stolen the main servers. The conference, event management and communication services firm realised the backup drive was connected to that server, which meant that its most critical asset – the delegate and potential delegate database plus all financial records – could have been stolen.
“Fortunately, it turned out that some PCs had been taken from an adjacent business, and the thieves had used our office as an escape route,” said Steven Stanbury, Symposium's managing director. “Nothing was missing or damaged. However, this was a huge wake-up call.”
Although the company had a backup system in place, this consisted of a tape drive on top of the server, which was updated two or three times a week. Following the incident, Stanbury decided to test the backup tape. “We found that only three quarters of the data was recoverable. We clearly needed something more robust.”
He called in Connect, an outsourced storage provider whose Total Recall product enables SMEs to outsource all their data storage and recovery. Essentially, a mirror of the client's server is built in Connect's data centre. Files that have been changed are then backed up automatically.
Stanbury continued: “The fact that Total Recall is entirely online allows us to continue accessing our database in the event of a total failure at our end, which is a great bit of redundancy. Data is updated four times a day, and the whole system took about two weeks to set up; it was very quick.”
SAFE KEEPING: OPTIONS ON THE MARKET
Direct attached storage (DAS)
A storage device that is directly attached to the network, for example the internal hard drive of a server. This is the most common type of storage in SMEs, but not the most secure or scalable.
Network attached storage (NAS)
This concept uses IP-enabled devices connected to the network to store data. The benefit is that in larger networks, data storage is centralised, so can be controlled more tightly. NAS allows storage to be expanded simply by adding another NAS box and increases the robustness of the network by removing the point of failure that a DAS represents.
Storage area network (SAN)
A network of storage devices that are connected to each other and to a server, or cluster of servers, which act as an access point to the SAN. This is the most popular secure choice for larger enterprises, as the separate storage network allows information to be backed up without using the standard network infrastructure.
Redundant array of independent disks (RAID)
A series of standards that provide improved performance and error tolerance. Disks can account for 50 per cent of all hardware device failures on server systems, so this has been important over the years.
Small computer system interface (SCSI/iSCSI)
A long-established set of standards designed to enable the connection and transfer of data between computers and peripheral devices. iSCSI is a newer technology that serialises the data from a SCSI connection, allowing it to be transported to and from storage devices via an IP network.
Fibre Channel speed advancement
A gigabit interconnect technology that allows communication between workstations, servers and storage systems using SCSI and IP protocols.