Storage and Security Management for Logging and Archiving
Being a pack rat is no longer an option

There's no stemming the tide of information; with more users, more servers, and more connectivity than ever before, the task of logging, storing, and archiving all of that activity is enormous. The temptation may be to simply save it all.

Recent legislation has placed a demand on security professionals to log and archive massive amounts of data. The default plan for being prepared when audit and forensics investigators come knocking is to have everything logged and backed up - somewhere, somehow. But keeping a copy of every single event, every file, every document, may not be feasible. Storage has certainly become cheaper, but it's not free. And management of an overloaded SAN can introduce inefficiencies and potential security vulnerabilities into the process. In this article I'll take a look at the synergy between security and storage as they contribute to keeping an organization's logs and archives in hand and on demand.

Introduction

Who among us doesn't have a bit of pack-rat mentality in them? But the reality is that the chaos and confusion resulting from so much storage doesn't decrease the risk, it simply makes for ineffective clutter. What should be kept? What is the value? What are the threats?

By answering these questions organizations can begin to understand how to balance security and storage requirements, especially as they relate to critical log data. Keep enough, and the company will have its financials ready for audit and its officers out of jail for violating regulations such as SOX and California SB 1386. Keep too much, and the cost of storage and the resources needed to archive and manage all of the old information could affect the corporation's profitability. Worse still, if the volumes of data aren't managed properly, when it does come time for an audit, finding the correct information could mean weeks of hunting through terabytes of data and, potentially, never finding it at all.

So what can we do? How does data storage affect the enterprise's overall security posture? And what can we do to have the data at hand and on demand?

Determining How Much is Enough

One of the first steps is to identify the types of information that will be critical in the future. There are a few basic rules that a company can employ to decide which items need to be saved and which don't. Take, for example, old versions of a document such as a press release. The draft is sent around to a number of people, marked up and re-distributed, and then finalized and put out on the wire. Do all of the people who were associated with the release need to keep all of the versioned copies? Probably not. But if the users have saved these versions in their Inboxes, then it's a good bet the company is paying to back up and store all of them.

The cost of data storage varies with the way the data will be accessed later. Offloading files to a series of DAT tapes that sit in a box on a shelf somewhere costs far less than keeping files encrypted, in physically secure areas, on always-available repositories on a SAN (storage area network). So old copies of log files from test and prototype machines may lend themselves well to less expensive storage methods than the log files from the corporation's production mail server.

While the final determination of data valuation depends on each company's own business requirements, the following considerations will help with the calculation:

  • How current is the data?
  • How frequently is it used?
  • How much did it cost to accumulate/generate?
  • What impact does it have on the business?
  • How much does the company profit from the data?
  • What would the company lose if the data wasn't available?
  • If lost, how much would the company have to spend to get it back?

Safety and Access Control

Once the data is valued, the threats and safety requirements for the data must be determined. To do this, first understand the types of threats that can put the data at risk, the ease with which they can be executed, and the cost of the damage. Then, use the data valuation metrics discussed above to form a basis for establishing a balanced approach to risk mitigation (see Table 1).

Another facet is the analysis that defines types of threats, and the impact, ease, frequency, and probability of exploitation. Current threat analysis models are far different from those generated years ago because today most corporate data is accessible to more users than ever before. This broader access has introduced layers of complexity in the user population. Years ago, a bank only had to worry about protecting their assets in relation to the few employees with hard-wired terminal connections back to the mainframe on their desks. Today, federal institutions, end users, and financial partners and networks all have some form of access or other. Suddenly the 200 ACF-2 accounts on the mainframe somehow need to extend role-based responsibility to millions of incoming users. With more users near the data, without the right access controls in place, exploiting a vulnerability can be very easy to accomplish and to repeat at a high rate of frequency.

When you look at threat attributes, don't just concentrate on the logical. Data storage is just that, storage, so many of the threats that need to be mitigated include physical safety (see Table 2).

With these metrics, companies can step through the risks, both physical and logical, to data that is stored on the network and begin to build procedures to protect that data at an acceptable business level. Some additional questions to ask are:

  • Can the data be corrupted either in transit or in storage?
  • Can it be stolen for personal gain?
  • Who can access the data?
  • Is the access logged and archived?
  • Is the stored data tamper proof or tamper evident?
  • Are there copies of the data?
    - And are they secured to the same level as the 'originals'?
  • What physical protections are in place: power backup, fire suppression, air conditioning?
  • Will any of the data be stored off-site with a third party? (All of the above apply again)
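One way to make stored log data tamper evident, and to check that an off-site copy matches the original, as an added example that is not from the article: each archived record carries an HMAC over itself and the previous record's MAC, and the final MAC (the head) is kept somewhere the archive writer cannot modify. The key, the sample records, and the assumption that the key lives in a separate key store are all hypothetical.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample records; not taken from the article.
SAMPLE_RECORDS = [
    {"ts": "2008-05-01T09:15:02Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2008-05-01T09:16:41Z", "user": "alice", "action": "read", "object": "Q1-financials.xls"},
    {"ts": "2008-05-01T09:20:13Z", "user": "bob", "action": "login", "result": "fail"},
    {"ts": "2008-05-01T09:20:30Z", "user": "bob", "action": "login", "result": "ok"},
]

# Hypothetical archive key. In practice it lives in an HSM or a separate key
# store, never on the host that writes the logs.
ARCHIVE_KEY = b"example-archive-key-do-not-reuse"

GENESIS = "0" * 64  # chain anchor for the first entry


def canonical(record):
    """Stable byte encoding so identical records always produce the same MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_mac(key, prev, record):
    # Each MAC covers the previous MAC, so altering, removing or inserting an
    # entry breaks every link after it.
    return hmac.new(key, prev.encode("ascii") + canonical(record), hashlib.sha256).hexdigest()


def seal_records(records, key):
    """Turn plain records into a hash-chained archive."""
    entries, prev = [], GENESIS
    for seq, rec in enumerate(records):
        mac = entry_mac(key, prev, rec)
        entries.append({"seq": seq, "prev": prev, "record": rec, "mac": mac})
        prev = mac
    return entries


def head(entries):
    """The final MAC. Store it where the archive writer cannot reach it."""
    return entries[-1]["mac"] if entries else GENESIS


def verify_archive(entries, key, expected_head=None):
    """Return (True, None) if intact, else (False, seq) of the first broken entry.

    The chain alone cannot show that trailing entries were dropped; pass the
    externally stored head to detect truncation from the end.
    """
    prev = GENESIS
    for seq, entry in enumerate(entries):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False, seq
        mac = entry_mac(key, prev, entry["record"])
        if not hmac.compare_digest(mac, entry["mac"]):
            return False, seq
        prev = mac
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


def demo():
    """Seal the sample records and show which tampering each check catches."""
    archive = seal_records(SAMPLE_RECORDS, ARCHIVE_KEY)
    anchor = head(archive)
    results = {"intact": verify_archive(archive, ARCHIVE_KEY, anchor)}

    edited = copy.deepcopy(archive)
    edited[2]["record"]["result"] = "ok"  # rewrite history: the failed login never happened
    results["edited"] = verify_archive(edited, ARCHIVE_KEY, anchor)

    deleted = copy.deepcopy(archive)
    del deleted[1]  # remove the record of the financials being read
    results["deleted"] = verify_archive(deleted, ARCHIVE_KEY, anchor)

    truncated = copy.deepcopy(archive)[:3]  # drop the newest entry
    results["truncated_no_anchor"] = verify_archive(truncated, ARCHIVE_KEY)
    results["truncated_with_anchor"] = verify_archive(truncated, ARCHIVE_KEY, anchor)
    return results


if __name__ == "__main__":
    for name, (ok, seq) in demo().items():
        print(f"{name:22s} intact={ok} first_bad_seq={seq}")
```

Note that truncation from the end passes the chain check on its own; it is only caught because the head was stored out of band. The same head comparison answers the "are the copies secured to the same level?" question: a copy whose head differs from the original's is not the original.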

On-Demand for Efficiency

Just knowing how and what data needs to be stored, and putting in the proper controls to protect it, won't guarantee that the data will be available when and where it's needed, nor that it will be stored in the most reliable manner. If the data can't be accessed when it's needed, it's not much use. Archived data that has been taken off-site and may take days or weeks to retrieve from storage could put the company in violation of audit requirements.

To ensure that data is where it's needed, when it's needed, companies need to look at their own on-demand infrastructure. One of the top priorities is meeting existing and future SLAs (service level agreements) for availability. Another critical point is management of the SAN itself. If more storage space is needed, can it be discovered, provisioned, and made available automatically? If not, what are the consequences: is data lost, or does someone get paged at 3:00 a.m. on a Sunday morning to go into the data center and provision additional storage? Finally, are there metrics in place to predict and plan for storage needs and to alert if anomalous storage usage is occurring? Anomalous storage use can be a sign that an attacker is flooding a system and setting off high levels of logging, which can quickly fill a server's disk.
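Detecting the log-flood scenario just described, as an added example that is not part of the article: each interval's log volume is compared against a trailing baseline of normal intervals, and the current write rate is projected against free space so the alert can say how long the volume has before it fills. The sample series, interval length and free-space figure are constructed, not measured.

```python
from statistics import mean, pstdev

# Constructed sample: megabytes of log written per 5-minute interval by one
# source. The last three intervals model an attacker hammering a service (or a
# debug level left on) and are not real measurements.
SAMPLE_SERIES = [52, 48, 55, 50, 47, 53, 49, 51, 54, 50, 48, 52, 410, 980, 1650]
INTERVAL_MINUTES = 5
FREE_MB = 20_000  # hypothetical free space on the log volume


def detect_surges(series, window=12, z_threshold=4.0, ratio_threshold=3.0):
    """Flag intervals far above a trailing baseline of normal intervals.

    Flagged intervals are kept out of later baselines, so a sustained flood
    does not drag the baseline up and hide itself after a few samples. The
    ratio test guards against a near-zero standard deviation on flat data.
    """
    baseline, alerts = [], []
    for idx, value in enumerate(series):
        if len(baseline) < window:
            baseline.append(value)  # still learning; early data is assumed normal
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        if value > mu + z_threshold * sigma and value > ratio_threshold * mu:
            alerts.append({"index": idx, "value": value,
                           "baseline_mean": round(mu, 1), "ratio": round(value / mu, 1)})
        else:
            baseline.append(value)
            baseline.pop(0)  # slide the window forward
    return alerts


def minutes_until_full(free_mb, rate_mb_per_interval, interval_minutes):
    """Project time to exhaustion at the given write rate; inf when nothing is written."""
    if rate_mb_per_interval <= 0:
        return float("inf")
    return free_mb / rate_mb_per_interval * interval_minutes


def capacity_report(series=SAMPLE_SERIES, free_mb=FREE_MB, interval_minutes=INTERVAL_MINUTES):
    """Surge alerts plus fill-time estimates at the normal and the current rate."""
    alerts = detect_surges(series)
    flagged = {a["index"] for a in alerts}
    normal = [v for i, v in enumerate(series) if i not in flagged]
    return {
        "alerts": alerts,
        "eta_minutes_normal_rate": minutes_until_full(free_mb, mean(normal), interval_minutes),
        "eta_minutes_current_rate": minutes_until_full(free_mb, series[-1], interval_minutes),
    }


if __name__ == "__main__":
    report = capacity_report()
    for a in report["alerts"]:
        print(f"interval {a['index']}: {a['value']} MB, {a['ratio']}x the baseline of {a['baseline_mean']} MB")
    print(f"volume full in {report['eta_minutes_current_rate']:.0f} min at current rate "
          f"vs {report['eta_minutes_normal_rate']:.0f} min at normal rate")
```

The point of excluding flagged intervals from the baseline is that a flood which lasts longer than the window would otherwise become the new normal and stop alerting, which is exactly when the page is needed.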

Some additional questions regarding on-demand are:

  • Is there sufficient capacity to accommodate growth?
  • Is the infrastructure reliable and resilient to attacks such as DoS?
  • Do the devices provide high availability and failover?
  • Do any mechanisms need to be synchronized for archival purposes?
  • Are the devices protected and maintained?
  • Are the connections fast enough?
  • Are there redundant paths?

Triggers, Reporting, and the Law

While the previous three points address the basics of security and storage management, there are a few additional issues to consider. To conserve storage capacity, some companies may choose to employ triggers that switch on more detailed logging when certain events occur. For example, let's say there's a company that doesn't, as a rule, log event information on end users' machines. However, what if one employee sends an e-mail, flagged by the secure e-mail content monitor, that contains information regarding an upcoming acquisition? In this case, the company might start archiving a full log trace of that end user's machine to gather data before an SEC investigation occurs. Trigger logging can be quite useful for companies that need to preserve their storage space while tracking legal or audit-related data.
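One way to implement the trigger logging described above, as an added example rather than the author's own design: a hypothetical content-monitor event escalates one user's endpoint telemetry from "discard" to "archive with a legal-hold retention tag" for a fixed window, after which the default policy resumes. The event stream, the rule name, and the 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed event stream, not from the article. "dlp" events come from a
# hypothetical outbound e-mail content monitor; "host" events are endpoint
# telemetry that is discarded unless the user is under escalation.
SAMPLE_EVENTS = [
    {"ts": "2008-05-01T09:00:00Z", "kind": "host", "user": "carol", "detail": "opened budget.xls"},
    {"ts": "2008-05-01T09:05:00Z", "kind": "dlp", "user": "carol", "detail": "outbound mail matched rule ACQUISITION-CODENAME"},
    {"ts": "2008-05-01T09:06:00Z", "kind": "host", "user": "carol", "detail": "copied deal-memo.doc to removable media"},
    {"ts": "2008-05-01T09:07:00Z", "kind": "host", "user": "dave", "detail": "opened timesheet.xls"},
    {"ts": "2008-05-03T10:00:00Z", "kind": "host", "user": "carol", "detail": "opened intranet"},
]

ESCALATION_WINDOW = timedelta(hours=24)  # assumed; in practice set by legal/compliance policy


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


class TriggeredLogger:
    """Keep full telemetry only for users who tripped a trigger recently."""

    def __init__(self, window=ESCALATION_WINDOW):
        self.window = window
        self.escalated = {}  # user -> escalation expiry
        self.archive = []    # records written to long-term, legal-hold storage
        self.dropped = 0     # records discarded under the default policy

    def process(self, event):
        ts, user = parse_ts(event["ts"]), event["user"]
        if event["kind"] == "dlp":
            # The trigger itself is always archived and opens (or extends) the window.
            self.escalated[user] = ts + self.window
            self.archive.append({**event, "retention": "legal-hold", "reason": "trigger"})
            return "archived"
        expiry = self.escalated.get(user)
        if expiry is not None and ts > expiry:
            del self.escalated[user]  # window lapsed; fall back to the default policy
            expiry = None
        if expiry is not None:
            self.archive.append({**event, "retention": "legal-hold", "reason": "escalated"})
            return "archived"
        self.dropped += 1
        return "dropped"


def run_stream(events, window=ESCALATION_WINDOW):
    """Process a batch of events and return the decisions and the logger state."""
    logger = TriggeredLogger(window)
    decisions = [logger.process(e) for e in events]
    return decisions, logger


if __name__ == "__main__":
    decisions, logger = run_stream(SAMPLE_EVENTS)
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(f"{event['ts']} {event['user']:6s} {decision:9s} {event['detail']}")
    print(f"archived {len(logger.archive)}, dropped {logger.dropped}")
```

The first sample event shows the caveat with this approach: the file carol opened five minutes before the trigger was already discarded, and trigger logging cannot recover what it never captured. Triggers should therefore sit as early in the chain as possible, and anything that must be reconstructable from before the trigger still needs the baseline logging the trigger is meant to avoid.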

And what about reporting? Can the company generate usage and access reports from the stored logs and from the SAN itself? If best practices are being followed, do the logs reflect this, and can the reports prove it? If someone who shouldn't be is accessing backed-up data, will there be a record of when, where, and how that access occurred? And if the attempt is thwarted by strong host-based access control or other measures, will that show up in the reports as well?

Finally, a company must ask whether any of the log data is subject to legal requirements. Questions such as how long the data must be retained, and how many backups or copies are necessary, have to be answered. Most of the recent legislation revolves around proving that best practices and controls are in place, and it is most often the log files and archived data that show the historical, forensic reality of whether the controls were there or not. In certain cases, critical deleted data on an end user's machine that has been stored, logged, and archived could mean the difference between the user going to jail or the board of directors.

Summary

Managing the business continuously and efficiently requires managing storage securely. Storing data without taking into consideration the security requirements and potential threats is not sufficient in today's enterprise. Legal requirements, audit needs, and shareholder interest all demand that corporations not only protect live data, but log, archive, and store critical historical data in a safe and retrievable manner. Storage and security are intimately linked, and nowhere is this more apparent than in the realm of archived log data. No company can afford to be a pack rat with mountains of unsearchable information: keep log data safe and secure by assessing what needs to be stored, mitigating the threats, and keeping the appropriate information available as needed and on demand.

About Diana Kelley
Diana Kelley is a security strategist for CA's eTrust brand of security management solutions. She is responsible for evangelizing the eTrust brand portfolio and helps guide CA's security business. Diana has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors. Prior to CA, Diana founded Security Curve, an independent provider of strategy, consulting, and education to the security industry. She also held senior positions with Symantec Corp., Baroudi Bloor, The Hurwitz Group, KPMG and other leading firms and consultancies.

TJ wrote: Great article. When will we start to see products that map our storage policies to regulations and security?