Enterprise Strategy Group
Published: 10 Feb 2006
Are your data archives secure?
Archiving data helps your company meet regulatory requirements and save primary disk space, but it can also put data at risk.
DATA ARCHIVAL IS certainly nothing new. Ten to 20 years ago, when disk drives were extremely expensive, large organizations archived data to tape to save precious hard disk real estate. When IBM introduced its Adstar Distributed Storage Manager (ADSM) in the early 1990s, one of its killer features was the ability to archive and retrieve data directly from desktop PCs.
These archiving anecdotes may seem quaint now, but automated desktop archival at that time was pure magic. It was also expensive, as archiving required a significant investment in tape drives and automated software. As a result, archiving was the exclusive domain of the IT elite.
Archiving for the masses
Things have certainly changed in the past couple of decades. Storage prices are now measured in the pennies per-megabyte range and archiving data is an everyday activity synonymous with tiered storage and information lifecycle management (ILM). What's more, government regulations like HIPAA, SEC 17a-4 and the EU Anti-Terrorist Declaration have transformed archiving from something that was nice to have to a global requirement. After all, some regulations mandate records retention for periods of more than 20 years!
This archiving transition gained the attention of more than a few storage vendors who were willing to place a bet on this burgeoning technology space. Before being gobbled up by EMC, Legato grabbed e-mail archival specialist OTG Software. Veritas (now part of Symantec) reacted by acquiring KVS and, most recently, Computer Associates snapped up iLumin Software Services. Independent archiving vendors like Ixos and Zantaz are also quite visible these days.
This, of course, begs the obvious question: Are these vendors panning for "fool's gold" or were their instincts about archival accurate? Enterprise Strategy Group (ESG) recently conducted a research project to discover the real deal about data archiving. The survey results are based on responses from more than 500 North American storage professionals.
Our data archiving research indicates that storage vendors that bet on archival growth were prescient indeed. More than 30% of respondents have deployed some type of archival solution for databases and/or e-mail. Most of the remaining storage professionals are planning to deploy archival solutions over the next year or are interested in deploying archival solutions but have no solid timeline yet. What's driving these decisions? It's a combination of new and old requirements. Respondents tended to implement or consider data archival solutions to meet compliance/legal requirements or to realize greater storage/IT efficiencies. Needless to say, archival capacity is growing rapidly as more data-retention requirements arise.
Archiving is booming as a result of increased demand, cheap storage and automated ILM software, but that's not the end of the story. Archiving and ILM mean that confidential data is constantly replicated, moved and stored in multiple places. As a security professional, I immediately recognize the risks this creates. Remember, I'm the guy who says, "Without security, ILM is DOA." Am I alone in my paranoia?
Nearline data is vulnerable
According to the ESG research, I'm not "el lobo solo." Almost a quarter of the survey respondents said online or nearline disk-based archives pose a "significantly increased vulnerability," while another 48% claim archival presents a "moderately increased vulnerability." Interestingly, those users with archival solutions in place were more likely to believe that archiving introduced a significant vulnerability. It's also important to note that large enterprises in the survey had the highest number of archival solutions installed.
Allow me to analyze this data a bit. Large organizations with data archival solutions deployed were most likely to claim that this introduced a significant vulnerability. On the security front, these folks are also the most likely to have skilled security professionals, sophisticated security technologies in place, rigid controls and active security monitoring. My point is that this relationship is no coincidence. If organizations with highly developed security people, processes and technologies are concerned about the security impact of data archiving, shouldn't this sound a universal alarm?
Smart storage managers will take this information to heart and include security defenses as part of their data archiving planning and implementation. This is a broad statement, but from a storage perspective, it's important to do the following:
- EXAMINE PHYSICAL SECURITY. Most respondents indicated that their data would be archived to disk rather than to tape. This isn't a surprise because it echoes other storage trends like the growth in disk-to-disk backup. With regard to security, it's important to assess where this disk storage is located and who has physical access to systems. Is it located in a data center with strong access control? Can the organization monitor who enters and exits? Are racks locked? Are visitors escorted into data center facilities? Do these policies include vendors? Are vendor technicians allowed to work in these facilities alone? These may seem like basic questions, but almost 25% of organizations consistently fail to enforce them. Rather than assume that these controls are in place, it's worth a look.
- ASSESS THE DATA ARCHIVAL INFRASTRUCTURE. Smart storage networks can automate the process of tagging, archiving and logging the movement of confidential data from primary storage to a separate archive. This provides a paper trail for archiving, but it's important to look at the entire infrastructure to flesh out any other vulnerabilities. Is there an authentication mechanism between primary and archival storage? If not, the archival solution could be vulnerable to a spoofing attack. Is the archival data transmitted in clear text? If so, it's susceptible to snooping or tampering. Is the data archival server on a hardened platform and patched on a regular basis? It's important to look at every piece of the infrastructure--if you don't, the bad guys will.
- LOCK DOWN ACCESS CONTROLS. This is an area where storage people are constantly behind the times. Passwords like "password" or "admin" are far too common in the storage domain and even in high-security shops; it's not uncommon for storage administrators to have access to everything--systems, Fibre Channel switches, backup software, etc. Most chief risk officers will reach for the aspirin when they think about the combination of these sloppy authentication and access controls with an archival solution full of confidential data. ESG research data shows some promise here as 72% of respondents said they'll deploy software access controls to protect their data archives.
- LOOK AT ENCRYPTION SOLUTIONS FOR DATA AT REST. As a final layer in data archival security, encryption will help you sleep better at night. Decru, NeoScale Systems and Kasten Chase are veteran players, while tape encryption is now supported by IBM, Quantum and Spectra Logic directly on the drives. As you evaluate solutions, make sure to ask vendors about their support for the IEEE 1619 standard for encryption of data at rest and examine your vendor's encryption-key management tools. These are the areas that will quickly separate the experts from the posers.
Data archiving has moved from an upper-crust luxury to a mainstream requirement, and storage people are definitely implementing solutions. Savvy companies will protect these critical solutions with the right level of security protection. Foolish companies will find that while their heads were in the sand, their confidential archived data was hacked.