Every business owner knows that information is much more than one of an organization's strategic resources. In a very real sense, information is the organization. For IT professionals, there's no shortage of challenges when it comes to protecting and managing such a vital asset efficiently.
The year 2005 was proof that information loss can be detrimental to an organization. Almost every week another organization was involved in a security breach involving valuable corporate data or customer information, several of which involved stolen or lost backup tapes. As a result, high-profile organizations are scrambling to ensure more effective storage security and data protection, while concerns surrounding identity theft continue to mount among consumers.
Adding to storage professionals' anxiety is the amount of data that can be compromised on a single backup tape. Because of the concentrated pool of data it contains, a single tape can compromise more personal information than many of this year's online break-ins.
Any good strategy for data storage protection includes a strategic balance between information availability and information security. IT managers today are tasked with maintaining this balance at a reasonable cost. It's easy to make information completely secure - by locking it up in a safe, for example - but the trick is to ensure that it's available when needed. However, by providing information access, there are always risks, which generally fall into four main categories:
- Malicious attacks: Cybercrime has moved online and will continue to do so with a variety of tricks, including the latest flavors of worms, viruses, bot networks, and phishing attacks. During 2005, there was a noted shift from pesky virus writers looking for attention to more organized, malicious attackers seeking financial gain.
- Human error: To err is human, and unfortunately it happens all too often. Employees leave laptops in airplanes, trip over wires, or cause system crashes. Or, as in one high-profile case from 2005, storage tapes are simply lost in transport.
- Infrastructure failures: IT infrastructures aren't foolproof and all it takes is a power loss or server failure to lose business-critical information.
- Natural disasters: 2005 also reminded us how quickly natural disasters can strike and bring any business to its knees. According to Gartner, the market research house, 50% of enterprises that lack a recovery plan go out of business within one year of a significant disaster.
A good strategy for effective storage security would take all of these risks into consideration. Data and information on its own isn't valuable to any organization. Applications, servers, and operating systems must be up and running to make use of the information and to maintain the highest degree of information availability and integrity.
As IT managers and storage professionals plan for 2006, storage security should be top-of-mind. By implementing the following best practices, organizations can avoid many of the embarrassing and dangerous storage security incidents that made news last year.
Online Data Protection
Organizations should maintain multiple point-in-time copies of data for uninterrupted operation. And, for a higher level of online data protection, consider replicating to another location in either real-time (synchronous replication), or near real-time (asynchronous replication).
Encrypt Data
Unencrypted data is always going to be subject to some level of risk. A recent survey by the Enterprise Strategy Group found that 60% of storage professionals never encrypt backup tapes and only 7% do so routinely. Storage professionals should focus on encrypting any data going outside the company or facility. Also ensure that there's a plan for decryption and that the appropriate individuals have access to the encryption keys.
Physical Security Measures
Besides encryption, add another layer of security by using shipping boxes that can't be opened easily when transporting backup tapes. And determine if unused ports to the network are disabled and make sure lockable racks and cabinets are locked. Consider using a backup product that includes a vault option for keeping track of containers full of media. Be particularly careful about securing and encrypting data while it's in transport and keep track of all of the organization's backup tape with a detailed inventory. Create a plan for finding any backup tapes that go missing.
Lockdown Process, Manage Data Throughout the Lifecycle
Storage professionals should avoid retaining backup tapes longer than necessary. One organization kept data longer than required, leaving the information vulnerable; it ultimately resulted in a recent security breach. A plan for managing data and information from creation to deletion will ensure that only the information that's needed remains accessible. Information should be analyzed when it's created or received and then assigned an appropriate policy for management and deletion or retention.
Besides taking the obvious step of not using manufacturers' default passwords for data storage access, organizations should have a clear plan for changing passwords often and use separate IDs and passwords for each user. Storage professionals should also ensure that they are choosing the right storage option for their data. For example, data that doesn't need to be accessed very often can be saved on tape, rather than waste space on more expensive disk-based storage.
Access control is another basic security measure that should be in place within any organization. IT should implement granular control of who can access the data and the applications that manage the data, providing appropriate rights and permissions to various types of data.
Consider Disk-to-Disk-to-Tape
While backing up to and securing tape is important, "recoverability" is even more critical. Organizations should consider a combination of disk and tape-based solutions to ensure the integrity of information. Disk-based solutions provide ease-of-use and recoverability, ultimately ensuring a more effective recovery strategy. Storage professionals should deploy the combination of disk and tape solutions that works best for their organizations and provides the benefits of both technologies.
Compliance Drives Concerns
By implementing these best practices, organizations can gain the trust of consumers by avoiding embarrassing and potentially damaging data and information losses and comply with industry regulations. All public companies are feeling greater regulatory pressure to improve information security because of the Sarbanes-Oxley Act, which includes control over data security as an audit criterion for proper corporate governance.
Laws such as the California Security Breach Information Act (SB-1386) have also called more attention to the problem and increased consumer awareness surrounding identity theft and personal data protection. The California law requires organizations that maintain personal information about individuals to inform those people if the security of their information is compromised. It stipulates that if there's a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained information. The far-reaching law affects organizations outside California since it applies to anyone who might have a customer or conduct business with an entity in California. Twenty-six states have subsequently passed laws similar to SB-1386.
Conclusion
The demand for an always-on IT infrastructure will increase while threats constantly evolve because of the profit motive. Not only is it important for enterprises to protect their stored data by deploying the best practices, it's of paramount importance that they continue to re-examine their storage security strategy, consider any new information access requirements, ensure regulatory compliance, and keep a few steps ahead of potential data storage loss.
Subscribe to Virtualization Journal Email News Alerts
Subscribe via RSS
