The rise of storage security
By Ron Condon
Trying to force security into an existing infrastructure, often under pressure from senior management to do it quickly, does not yield the best results. He says the best time to do it is when you are doing a storage refresh, or changing the system architecture. "If you are upgrading your Fibre Channel fabric, for instance, deploying encryption and data security at that point and doing it all in one go, sizing it, knowing the throughputs, is a good thing," he says. "Forcing a few boxes into an existing infrastructure has a ripple effect through the business and presents other challenges to the IT folks."
Understanding data
The basic groundwork of classifying data need not be too onerous or even too detailed. It can start with a broad-brush approach, but it requires the security people and the business to work together to grade different applications or files, and to decide what is critical and what should be freely available. Having done that, the process of protecting the most valuable or mission-critical information becomes a lot easier, and job roles can be mapped against data security levels. It also means that efforts can be focused where they are most needed.
By applying role-based access through Active Directory, for instance, it is then easy to determine who can and cannot see 'company confidential' or 'top secret' data.
The other key part of the strategy, as with all aspects of security, is to sort out people and processes. Security awareness programmes are probably one of the most effective ways of improving security and also the cheapest. Making all users realise why security is important can be worth more than a lot of technological fixes.
Users also need to be guided by clear policies that they can understand and sign up to. If the policies are obscure, boring and have no relevance to the job of the person reading them, then enforcement of policy is always going to be a struggle.
In the case of the Nationwide employee whose laptop was stolen, for instance, it has never been made clear whether he should have had a copy of the whole customer file on his PC, and whether that was covered by any policy.
In most organisations, the policy will usually concentrate on what is acceptable usage - the websites users access, the amount of time they spend on recreational or personal usage, and the kind of language they use in emails - rather than on the way they manage files.
With the new focus on information leakage (especially in industries where regulatory compliance is enforced), policies will need to outline how files and individual records should be properly handled in much more detail. And they will need the technology in place to flag up any policy breach.
If proper data classification has taken place, then a customer file could be expected to be classed as 'company confidential' at least, and any large-scale copying should be either blocked, or should throw up an alert somewhere to ensure it is a permitted transaction.
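The rule described above, combined with the role-to-classification mapping from earlier in the article, can be expressed as a small policy check. The following Python is an added example, not code from the article or from any product; the ordering of the labels, the role names, the threshold value and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict

# Labels come from the article; their ordering and the roles below are assumptions.
LEVELS = {"public": 0, "company confidential": 1, "top secret": 2}
ROLE_CLEARANCE = {"contractor": 0, "account manager": 1, "director": 2}
BULK_THRESHOLD = 1000  # classified records per user per day (assumed value)


def evaluate(events, approved=frozenset()):
    """Return ALLOW, BLOCK or ALERT per copy event; approved = signed-off (user, day) pairs."""
    copied = defaultdict(int)  # (user, day) -> classified records copied so far
    decisions = []
    for user, role, day, label, records in events:
        # Unlabelled or unknown data is treated as the highest level.
        level = LEVELS.get(label, max(LEVELS.values()))
        # Unknown roles get the lowest clearance rather than failing open.
        if ROLE_CLEARANCE.get(role, 0) < level:
            decisions.append("BLOCK")
            continue
        if level == 0:
            decisions.append("ALLOW")
            continue
        copied[(user, day)] += records
        # Cumulative count, so a file copied in small pieces still trips the rule.
        if copied[(user, day)] > BULK_THRESHOLD and (user, day) not in approved:
            decisions.append("ALERT")
        else:
            decisions.append("ALLOW")
    return decisions


# Constructed sample events (user, role, day, classification, records); not from a real log.
SAMPLE = [
    ("alice", "account manager", "d1", "company confidential", 40),
    ("bob", "contractor", "d1", "company confidential", 5),
    ("alice", "account manager", "d1", "company confidential", 600),
    ("alice", "account manager", "d1", "company confidential", 600),
    ("carol", "director", "d1", "top secret", 5000),
    ("alice", "account manager", "d1", "public", 90000),
]

if __name__ == "__main__":
    for ev, decision in zip(SAMPLE, evaluate(SAMPLE, approved={("carol", "d1")})):
        print(decision, *ev)
```

The fourth event is the one that matters: no single copy by the account manager exceeds the threshold, but the running total for the day does, so the alert fires on accumulation rather than on any one transfer.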
The key point to make is that storage security is not something you buy off the shelf, any more than any other aspect of security. The technology is, of course, there to encrypt files, to manage encryption keys, to enforce the rules of your security policy, and even to spot suspicious behaviour on the network.
Technology does not remove the need to think about what data to protect, and that means communicating with the business owners around the organisation, and coming to a joint decision about how to proceed. It also means communicating in clear terms with users to ensure they understand why any of this matters.





