In many cases, the focus of IT security has been on the network and the data traveling over it. The security of stored data, especially backup data, has received less attention. The SAN has been presumed to be secure because it uses Fibre Channel instead of TCP/IP. But is this complacency justified? What are the security threats associated with data that's stored off-site? In this article, we'll take a look at these questions and the reason organizations need to become more security-aware when it comes to storage strategies.
The vital importance of securing stored data
Organizations today store all sorts of critical business information in electronic format on their network. Much of this information is about the business itself, some is personal information about employees, clients and associates, and some is more general information obtained through research. Depending on several factors, some of this information may be subject government or industry regulations; some of it may even be classified information that impacts national security. While protecting the data's integrity and confidentiality is always desirable, in many cases today it is mandatory, and failure to comply may subject the company to fines, other sanctions or even criminal charges.
Why, then, do companies fail to properly secure data? Sometimes those in charge do not realize that the data is vulnerable. Other times, the cost of protecting the data encourages them to take chances. Not all data is equally sensitive. It is important to assess and classify data according to its sensitivity and protect it accordingly. Strong security is warranted for certain types of data. Examples include:
- Trade secrets that, if revealed, would put the organization at a disadvantage with competitors
- Business financial information details
- Personal information, such as employees' or customers' addresses, phone numbers, social security numbers, dates of birth, salaries, etc. (unless required to be public by law)
- Client/customer information that could be used by competitors to the detriment of the business
- Details pertaining to lawsuits, contracts, purchase negotiations and other legal matters
This is only a sampling; you may have other types of data that need to be protected, to prevent theft, tampering, unauthorized disclosure and other threats, and/or to comply with regulatory requirements.
Assessing risk and classifying data
Assessing risk requires that you identify what you need to protect the data from. What are the most likely threats to the data? How likely is each to occur? Examples of threats include:
- Deliberate unauthorized access from outside the network
- Deliberate unauthorized access from inside the network
- Accidental modification, destruction or disclosure of data by users with authorized access
- Malicious tampering or destruction of data (from internal or external sources)
- Theft or loss of the physical media (tapes, drives, servers, other storage devices)
- Loss of data due to hardware/software failure, physical destruction of the media (natural disaster, fire, etc.)
The matrix that is commonly used to classify data as to level of protection needed takes into account the probability that a data breach will occur and the impact on the business if it does, as shown in the figure below.
Figure 1: Risk Matrix
Impact refers to the cost to the company - not only direct monetary cost but lost employee productivity, administrative overhead, customer goodwill and business reputation, etc. - that would be likely to be incurred if the data's security were breached. Probability refers to the likelihood that a breach will occur.
As the figure illustrates, not all risks are created equal. It's not cost effective to spend a large amount of money, time and/or effort on protecting assets for which the impact is low and the probability of a breach is low. Sometimes, however, government or industry regulations mandate protection of certain data, even if it appears to fall into a low impact and/or low probability category. In that case, cost of non-compliance (even if a breach does not occur) has to be taken into account.
Data Storage Technologies
The data storage world has grown increasingly complex and diverse, varying from the small business that keeps data on a file server all the way up to the enterprise that operates a data warehouse. Common storage technologies include:
- Direct Attached Storage (DAS): the most traditional form of storage, with one or more disks directly attached to the server, including in an array (RAID)
- Network Attached Storage (NAS): a self-contained dedicated data storage system connected to the network, running a stripped down operating system to provide storage and file system and using file-based protocols such as NFS or SMB/CIFS
- Storage Area Network (SAN): Attaches remote storage devices to servers in a way that allows the devices to appear as local storage, using such protocols as SCSI/iSCSI, Fibre Channel Protocol (FCP), Fibre Channel over Ethernet, ATA over Ethernet
- Network Unified Storage (NUS): consolidates file based and block based access in one storage platform, combining the SAN and NAS models
Security issues and protection technologies are dependent, in part, on the type of storage technology used. Distributed data storage further complicates security. For example, EMC's FAST (Fully Automated Storage Tiering) automatically relocates data across storage tiers. This means you do not necessarily know where particular files are located; on the other hand, it can also make it more difficult for an intruder to target particular files. Read more about FAST here.
Virtualization has changed the world of computing in many ways. "Storage virtualization" is a new IT term that has many - both in and outside the industry - confused. The Storage Networking Industry Association (SNIA) defines it as "abstracting, hiding or isolating the internal functions of a storage subsystem or service from applications, host computers or general network resources."* Virtualization can be host-based or network-based. SAN virtualization solutions aggregate all or part of the physical disks into a pool and allocate the needed resources to application servers. The problem is that access control mechanisms are specific to particular transports (e.g., IP SAN or FC SAN). And standards such as FC-SP (Fibre Channel Security Protocol)** only protect data that's in transit over the network, not stored data.
To complicate things further, some companies are now turning to the Cloud (public or private) for storage of their data. This can save money, because you do not have to expend capital funds for equipment and can pay only for what you use. But entrusting your data to an external cloud provider, such as Amazon's Simple Storage Service (S3), raises security issues because the data is out of your control. It may reside on the same disk as another customer's data.
Data Protection Technologies
Government and industry rules generally do not mandate that a particular technology be used to protect data; this makes sense because technology is always changing and bureaucracies often operate slowly and would not be able to keep up with those changes. Instead, laws and regulations tend to mandate desired outcomes: e.g. protection of customers' personal information from disclosure to third parties. The technology that you use to accomplish this is up to you.
Stored data requires different protection technologies from data that is in transit across a network. Technologies used to protect stored data can be divided into several categories:
- Access control technologies
- Data encryption technologies
- Auditing/monitoring technologies
- Secure data destruction technologies
- Backup and disaster recovery technologies
Protection technologies can be physical (e.g., locks on the server room doors to prevent physical removal or destruction of data), hardware based, or software based. Software based protection technologies can be built into the operating system (e.g., Windows Server ACLs, EFS encryption, BitLocker, etc.) or provided through third party solutions.
To be effective, protection must be multi-layered. You need to prevent outside intruders from penetrating the network. But if those protections fail, or if the breach comes from insiders, you need measures in place to prevent them from accessing the data.
General network security best practices should be followed. In addition, some best practices specific to stored data include:
- Isolate different types of traffic and systems: use VLANs or Fiber Channel zoning to create a separation between storage traffic and other network traffic
- Physically separate storage devices from the other server hardware (i.e., place the storage devices in a separate room, with physical access limited to trusted personnel
- Physically restrict access to the fiber patch panels and switches
- Physically secure in place hot-swappable drives~
- Use intrusion detection systems and/or file access auditing/monitoring to alert you to unauthorized or unusual attempts to access data
- Back up data on a regular schedule, store backups off site and ensure that backup media is physically secured
- Encrypt data (including backups) and store encryption keys separately from the data
Here is the SNIA document detailing current best practices
Hewlett Packard provides a Storage Security Self Assessment Tool with which you can select any or all of six key storage and backup security elements and answer a set of questions to determine what areas of your storage security strategy need shoring up.