Published: 07 Jul 2005
When I was 25, I stopped going to the dentist. There was no rational thought to this decision; I was just young and stupid. At some point during this self-imposed dental hiatus, a tooth began to hurt, so I did what any idiotic twenty-something would do: I ignored it. I've regretted my decision ever since, suffering through root canals, gum surgery, multiple crowns and thousands of dollars in dental bills.
You may (rightfully) ask what my misspent youth and dental hygiene have to do with storage. I look at the storage community and see users and vendors mimicking my (dental) apathy as they continue to pay little attention to security. It's not as if they've done a storage assessment and decided that it makes business sense to live with a certain amount of low-probability risk. Like my dental boycott, many storage professionals and vendors simply can't be bothered.
Approximately two years ago, I realized just how insecure storage architecture and processes were, so I decided to become a storage security evangelist. I wrote articles, gave presentations and practically jumped up and down. I was willing to be the analysts' version of "Chicken Little" and do just about anything to bring attention to what I perceived as a risky situation. Much to my surprise, I was greeted with many blank stares from users and vendors. Typical reactions to my rantings were: "We don't understand security," "We're too busy focusing on performance and availability" and "Security is someone else's problem."
Was I just speaking to the wrong people? I decided to try a more scientific approach and gather some data. In early 2004, the Enterprise Strategy Group (ESG) surveyed storage and security professionals from large- and small-sized organizations from many industries to see what was going on with storage security. The results of the research revealed the following:
- Eight percent of storage professionals and 18% of security professionals believe their storage infrastructure is insecure or very insecure.
- Thirty percent of storage professionals claim that enterprise-wide security policies and procedures don't include storage technologies like Fibre Channel (FC) switches, storage subsystems and tape drives.
- Only 37% of storage professionals said their organization had done a storage security assessment.
- A whopping 60% of organizations never encrypt backups.
As bad as we thought? No, worse.
This data paints a pretty bleak picture, but you're probably thinking, "C'mon, early 2004 is a lifetime ago in technology time." Since then, we've seen compliance deadlines and visible security breaches along with a heightened public awareness toward the perils of information security. Surely storage professionals must be changing their tune, right?
Sort of. New ESG data indicates that a growing percentage of the storage gang is paying attention, but a significant number remain in the dark. In our latest survey, we asked, "How has the recent wave of incidents involving organizations having their backup tapes lost or stolen changed your organization's approach to security as it pertains to the data protection process?" The results indicate some activity: Twenty-eight percent of users said they're reviewing their offsite tape storage provider's policies and procedures; 23% are accelerating the deployment or evaluation of tape encryption; and 19% have conducted or plan to conduct a security-focused audit of their data protection process. While this is encouraging data, the largest survey group (42%) said recent events have had no impact on their security processes.
In addition to this lukewarm response, most storage professionals want their storage security "on the house" before they'll take action. When asked, "Do you believe that data protection solutions should increasingly incorporate information security features such as data encryption and access management?" more than half of the respondents said "Yes, but only if these features were free" vs. 36% who said "Yes, and we would pay an additional price for these features."
The facts about storage security
As an analyst, I try to act as an objective and unemotional industry observer, but not this time. Stop the insanity! The storage community needs to understand a few facts:
- The number of security breaches is far worse than you think. For every attack and breach reported, there are another four or five that you never hear about.
- The storage infrastructure isn't Fort Knox, a DMZ or Switzerland. Rather, it's insecure and ripe for exploitation. In another ESG survey, 24% of companies experienced insider attacks in 2004. How damaging would it be if a distraught storage administrator corrupted all the bits on the data center SAN? The backup process is inherently insecure. Enough said.
- It costs far less to protect the storage infrastructure than to deal with a major data security breach.
If recent breaches haven't sounded your storage security alarms, I doubt my diatribe will, but I intend to keep talking. In the meantime, users who see the storage security light and want to take action should do the following:
- Start with a storage risk assessment. This means examining all of your processes and technologies for unlocked doors and open windows. It's also important to understand and prioritize any threats before taking action. For example, an unpatched departmental NAS device may be vulnerable, but this type of risk may not require immediate attention. On the other hand, if you discover that a core FC director is configured using a default password, the business risk of downtime or data theft demands urgent remediation. Companies with limited storage security assessment skills or resources should seek help from outside organizations.
- Establish stronger controls. This goes hand-in-hand with the multitude of regulatory compliance mandates. Processes for configuration management, security remediation and offsite rotation must be documented, measured and audited, with control gaps receiving immediate attention. Consider industry standards like ISO 17799 to use as security models.
- Implement the appropriate security safeguards. Attention storage professionals: Storage security will never be free. Just look at the network side of the shop to see an example. Switches and routers have security features like access control lists and packet filtering, but network security still requires add-on devices like firewalls and gateways. Storage security will rely on the same types of additions.
- Push back on vendors. Don't give your vendors a free ride on storage security. Explain your requirements and hold vendors to communicating their roadmaps and enhancing products.
It's also time for vendors to get their collective heads out of the sand before they find themselves dragged into security due to product liabilities or shrewd competitors who beat them to market. Every vendor should:
- include security in the storage architecture. Understand where protection is needed and its impact on throughput and processes. For example, backup encryption has some ramifications for recovery. Make sure to address all of the issues, tradeoffs and risks.
- integrate security into products and services. Storage vendors have been down similar roads before. To compete in the database space for instance, EMC added features and tuning for I/O and database defragmentation, while Veritas bolstered its products for "hot" database backups. Storage vendors need the same type of active focus with security. Savvy companies with first-to-market products and services are likely to see a boost in their revenues and market shares.
- make security part of sales and marketing. This means training staff, revising marketing messages and highlighting security at the point of sale.
I have one fake tooth in my mouth that will forever remind me of the dumb decision I made about dentistry a few decades ago. In a similar vein, users and vendors who continue to ignore storage security are "Whistling past the graveyard."
Will my ranting and raving help? Nah. These organizations won't learn until they suffer a damaging storage security breach or lose deals due to a lack of security functionality. Today's message is "An ounce of prevention is worth a pound of cure." Tomorrow's message will simply be "I told you so."