To become a Member, Click here  
MEMBER LOG-IN

User Name
Password
Request Access    Send Password  
Bulletin board

Button Link
Button Link
Button Link

STORAGE MANAGEMENT INITIATIVE Storage Management Initiative
EXTENSIBLE ACCESS METHOD Data Management Initiative
CERTIFICATION TRAINING IP Storage Initiative

Storage Networking Times

Issue 6, October 2007
   

Best Practices For Deploying A Storage Security Solution
Blair Semple, Education & Alliances Officer, SNIA Storage Security Industry Forum, securityinfo@snia.org

In the last several years a number of trends have brought attention to security concerns involving data at rest in storage environments. Billions of dollars have been spent on firewalls, intrusion prevention, and anti-virus solutions, but these systems provide little or no protection against lost/stolen storage media such as disks and tapes and many types of internal threats. If you are among the many companies undertaking a project to secure your data, consider some fundamental best practices recommended by the SNIA Storage Security Industry Forum (SSIF). The SSIF is a consortium of storage professionals, security professionals, security practitioners, and academics dedicated to increasing the overall knowledge and availability of robust security solutions in today’s storage ecosystems. They apply their deep body of knowledge and practical experiences in security and storage to produce best practices on building secure storage networks, provide education on storage security topics, and participate in standards development.

Understand The Drivers

All organizations process data with varying degrees of sensitivity. However, the type and strength of the mechanisms required to protect the confidentiality of this data can vary greatly with the reasons for undertaking the project and an organisation’s own policies and procedures. It is important, therefore, to understand the reasons your organization is undertaking a storage security project.

Some examples of drivers are:

  • Regulatory – EU Data Privacy, the Personal Information Protection and Electronic Documents Act (PIPEDA), Sarbanes-Oxley, HIPAA, CA 1386 (and derivative privacy laws in more than 35 states in the U.S.), etc.
  • Industry – Payment Card Industry (PCI), etc.
  • Internal – Intellectual Property, contractual obligations, legal documents, etc.

Remember also to work with the leadership of your organization to ensure that their requirements are being met as they could have a different perspective on the requirements of your organization.

Classify And Inventory Your Data

While all the phases of this project are important, this step can be critical. Unless your organization is prepared to simply encrypt all stored data, it is important to look at your data and determine the degrees of sensitivity.

  • Identify the categories of sensitive data – Different types of data will require differing levels of security to protect the confidentiality, access control, integrity, and non-repudiation characteristics of this data.
  • Identify applications and systems – Determine the entities that generate, process, transport, and store sensitive data. It is also important to understand the nature of the data itself, such as whether it is structured or unstructured, as this information will influence the selection of any controls you deploy.
  • Include the data owners in the process - An IT or security group is unlikely to clearly understand the implications of data compromise without input and requirements from the data stakeholders.
  • Perform a risk assessment – Standard processes exist for assessments such as this. If you don’t have knowledge on these systems internally, there are outside consultants that can help fit the process to your organization.

Review/Create Policies And Procedures

Internal policies and procedures need to stay in synch with decisions being made in this project. For example, once the previous classification/inventory step has been undertaken, there should be a well-defined process for deploying new applications and systems to minimize the risk of data being processed outside the scope of a deployed system.

At this point, you will also determine requirements for certain parameters utilized in the system. Encryption key strength, key granularity and lifetime, authentication mechanisms, etc., are areas that will be evaluated and documented.

Non-technical issues should also be reviewed. Physical security, (for example the strength of locks on doors); employee background checks; administration roles; and separation of duties are just a few examples. Physical, administrative, and technological safeguards will work together to minimize the risks of data compromise.

Any new policies, or changes to existing policies, that result from this activity must receive signoff at a level that avoids any confusion as to what the scope of the policy actually is.

Consider The Following When Selecting A Technology Solution

There are a number of areas of consideration when selecting a data security solution including:

  • Vendor Qualifications:

Consider these factors when evaluating a vendor:

 √ Financial stability and long-term viability
 √ Leadership position in the market including industry awards and other recognition
 √ Commitment to standards bodies, specifically those relating to encryption
 √ Industry partnerships
 √ Customer references
 √ Commitment to independent testing and certification with standards such as the United States’ Federal Information Processing Standards (FIPS) and Common Criteria
 √ Appropriate level of support to meet your needs in the areas of:
 
  • Warranty and hardware replacement
  • 7/24 call center support
  • Training and installation support

  • Data Security:

Ensure that your chosen system meets the data security requirements of your organization:

  • Encryption

    • As processor power increases, today’s encryption algorithms will progressively become more vulnerable to breaking. Encryption algorithms such as DES, 3DES and hashing algorithms such as MD5 and SHA-1 are generally considered to no longer be secure. Depending on an organization’s unique requirements, it is likely that stored data will require protection for many years to come. Look for products that use the strongest commercially available algorithms such as AES-256.

  • Authentication

    • There are many degrees of authentication strength for systems as well as users and administrators. These can range from simple username/password combinations through sophisticated hardware or biometric mechanisms.

  • Key Management

    • The key management system may well be the single most important component of your storage security solution. It is very likely you will need to maintain keys for many years. You need assurance that the keys are protected from unauthorized access and yet are available whenever and wherever authorized access to data is required.

  • Operational Considerations;

Carefully evaluate options for security solutions and assess how they could affect this aspect of your operation including:

  • Performance
    Significant financial and manpower resources have been invested to meet the performance objectives of users and applications. Accordingly, there are significant ramifications if you add a security solution that has anything more than a minimal affect on network performance, for example, applications may not respond quickly enough to maintain customer satisfaction, or backup windows may expand beyond a viable point.

  • Availability
    A significant investment has been made to ensure that data will be accessible.

  • Single points of failure, either from the security solutions themselves, or from failures in your network causing the security processing to fail
  • The solution should support your disaster recovery and business continuity programs, to ensure data is recoverable wherever you need it.

    • Interoperability and Scalability
      Look for solutions that easily fit into your storage infrastructure, and support the pertinent technologies the organization utilizes. It is also important to factor in how your network may grow and evolve over time and look for solutions that will also evolve to meet these needs.

    • Manageability
      To reduce administrative overhead, solutions should provide robust and usable management functions that integrate with your existing management tools.

    • Auditability
      Logging tools will help to proactively monitor your network and identify suspicious behavior, or reactively investigate the events leading up to a breach.

    The value these logs provide is directly related to the integrity of the logs themselves. There should be extra protections on the logs. For example, cryptographically signing the audit log entries will provide an indication if a log is tampered with.

    • Cost
      As with any technology acquisition, you should consider the cost of hardware, software, services (installation, training, support, etc) that will require your investment at the time of deployment, but also over the lifetime of the solution.

    Continuously Re-evaluate Your Solution

    Once you have selected and successfully deployed a security solution, it is crucial that you have an ongoing review process to ensure that the solution continues to meet the needs of your organization. Furthermore, a regular review of the other processes in place involving your people and facilities that help ensure the security of your data should also take place.

    Back to front page..