When building scenarios of a security breach, IT executives often picture hackers as ‘script kiddies’ or con artists trying to crack through the defences they have put in place. But the reality is that around 70% of all security breaches come from within the organisation – either from an employee or from a business partner – where firewalls and perimeter security are almost irrelevant.
This worrying fact is now causing many IT decision-makers to reconsider their security strategies to see how they can keep their data secure from unauthorised insiders as well as outsiders. The conclusion that many are coming to is that the storage itself needs to be secure, not just enveloped in layers of security, and vendors from both the storage and security markets are starting to waken to this need. This new evaluation of storage and security is also illuminating areas where both storage and security solutions can work together.
Many CIOs would be surprised by the thought that their data is unsecured, even to insiders. After all, there are passwords to prevent systems from being accessed by anyone without authorisation. Of course, there is always the possibility of passwords or systems being hacked, but proper password and patch management policies can reduce that to a minimum.
Physical access to data can completely override any existing security measures. While IDs and passwords on a file server can stop people accessing data over a network, slip a hard drive out of its rack and connect it to another machine and anyone can read it. Aware of this problem, many organisations wipe the hard drives of corporate PCs, laptops and servers before disposing of them. Yet the truly motivated (and well-equipped) data thief can read the data off hard drives that have been reformatted or even demagnetised: nothing short of melting the drive down will get rid of 100% of the data.
But there are even more direct ways into stored data. Ed Jones, sales director of online backup company Thinking Safe, describes how he sees many instances when companies have tried to retrieve data from tapes handled by a service provider, only to find they have been supplied with another company's data. With most backup data stored on tape without any kind of access controls, getting access to an organisation's data through its tapes is a distinct possibility.
The rise in networked storage has also increased the number of potential security risks. Storage area networks (SANs) are being used in approximately 57% of European companies today and yet their security is still inferior to that on most traditional direct attached storage solutions. Tony Reid, director for solutions marketing EMEA for storage vendor Hitachi Data Systems, says the concepts of trusted access and authentication are only now starting to be implemented and introduced by fibre channel vendors. "There have been a number of technical issues to overcome simply to make SANs work. There have been interoperability issues, getting switches from vendor X to work with vendor Y's. So these have been the natural focus – just getting the networks to work."
One common security flaw introduced by many organisations is to have their SAN run on a fibre channel island away from the regular network, says Simon Gay, consultancy practice leader at infrastructure service provider Computacenter. They then rely on that inaccessibility for security – but connect their switches up to the Ethernet so they can manage the systems.
Paradoxically, HDS's Reid adds that iSCSI, which uses regular Ethernet to create SANs, may actually be more secure. "People were more concerned about putting traffic over an IP network, so a raft of solutions to secure iSCSI were developed."
The other main problem the SAN has introduced is making storage a shared resource. Yet, without a unified security framework, potentially dozens of different hosts, each with their own security policies, users and passwords, could be accessing the shared storage and granting access to data that other hosts would not.
For all these reasons, various organisations (and now storage vendors) have begun to look at encrypting data when it is at rest, whether that is on disk or tape.
"I've often asked why more organisations don't use encryption," says storage practice manager Darren Thorne of consultancy Logicalis. "It seems so obvious. No one seems to know why it hasn't been considered more seriously in the commercial space before now. The NHS is very aware of the sensitivity of its data. Central government and the MoD already regularly encrypt data."
Specialist vendors in this area, such as Decru and NeoScale, have been carving niches for themselves with hardware appliances that encrypt and decrypt data to and from disk and tape at "wire speed" – that is, without introducing the latency and speed constraints that have traditionally accompanied encryption.
"The perimeter is porous now," argues Joanna Shields, VP EMEA at Decru. "Large businesses need to collaborate with their suppliers, their consultants, contractors and business partners. If you want to do that, putting up a firewall just isn't going to do the job since you need to give these people access to your information."
The appliances sit between the storage system and the servers so that the data is encrypted as it is generated and stored. When host users try to access it, provided they have the appropriate permissions, the data will be decrypted transparently.
Since the data is encrypted it is possible to pass the storage unit or indeed the data to third-parties without concern that it will be misappropriated, something that companies that outsource their data storage are starting to appreciate, Shields says.
By encrypting data, says Shields, an organisation is able to separate two job functions that are normally combined: the ability to manage data and the ability to read data. Once data is encrypted, any appropriate systems administrator can handle it, without there being concerns of whether he or she should be allowed to have access to it.
Encryption is also being posited as a necessary response to certain laws and compliance regulations. Bob Zimmerman, an analyst with Forrester Research, points out that Californian law requires any company whose IT systems are known to have been compromised to inform everyone whose personal data has potentially been exposed unless the data fields were encrypted.
Decru is not the only company that has woken up to encryption. IBM has added encryption facilities to its DS6000 product and EMC plans to build encryption and data compression into its Centera system – it already secures information using computer-generated software key codes.
StorageTek has also been looking at making storage more secure. An ATA blade server with built-in hardware encryption is in the works for this year, with support for fibre channel and serial SCSI blades due in early 2006. Before then it is also promising a ‘content engine’. Like the hardware appliances of Decru and NeoScale, the content engine sits between the host and the storage, encrypting and decrypting, while presenting itself as a simple CIFS/NFS disk image. Designed primarily to work with nearline storage, rather than higher performance systems, the system can not only encrypt data, but move SAN management away from the host and down to the storage system itself.
Laurence James, ILM solutions business manager at StorageTek, says the content engine should solve the problem posed by centralised storage. "If you've thousands of different hosts, access control is unmanageable. So you have to move security down into the box." Rather than using the standard ‘users’ and ‘groups’ approach to granting access rights, the content engine will be more business focused, managing pieces of content according to policy.
The content engine will also tackle another aspect of storage security: showing that data has not been changed or viewed by anyone other than authorised users. Like EMC's Centera, the content engine will use content addressing, generating filenames and digital signatures based on content metadata, such as modification data.
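Content addressing as a tamper check, shown as an added Python example that is not taken from StorageTek's or EMC's products: the object's name is a SHA-256 digest over its bytes and metadata, and an HMAC stands in for the digital signature. The hash choice, `ENGINE_KEY`, the class and the sample record are all constructed assumptions, and the example covers detecting changes, not detecting reads.

```python
import hashlib
import hmac
import json

ENGINE_KEY = b"constructed-demo-key"  # hypothetical key held by the storage layer

def content_address(data: bytes, metadata: dict) -> str:
    """Derive the object's name from its bytes and canonicalised metadata."""
    meta = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    h = hashlib.sha256()
    # Length-prefix each part so the data/metadata boundary cannot be shifted.
    for part in (data, meta):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()

def seal(address: str) -> str:
    """HMAC over the address; assumed stand-in for the 'digital signature'."""
    return hmac.new(ENGINE_KEY, address.encode(), hashlib.sha256).hexdigest()

class ContentStore:
    def __init__(self):
        self._objects = {}  # address -> (data, metadata, seal)

    def put(self, data: bytes, metadata: dict) -> str:
        addr = content_address(data, metadata)
        self._objects[addr] = (data, dict(metadata), seal(addr))
        return addr

    def verify(self, addr: str) -> str:
        """Return 'ok', 'missing', 'modified' or 'bad-seal'."""
        entry = self._objects.get(addr)
        if entry is None:
            return "missing"
        data, metadata, tag = entry
        if content_address(data, metadata) != addr:
            return "modified"   # bytes or metadata no longer match the name
        if not hmac.compare_digest(tag, seal(addr)):
            return "bad-seal"   # seal was not produced with the engine's key
        return "ok"

def demo():
    store = ContentStore()
    meta = {"name": "ledger.csv", "modified": "2005-03-01T09:00:00Z"}
    addr = store.put(b"acct,amount\n1001,250.00\n", meta)  # constructed record
    before = store.verify(addr)
    # Simulate someone with raw storage access editing the bytes in place.
    data, m, tag = store._objects[addr]
    store._objects[addr] = (data.replace(b"250.00", b"950.00"), m, tag)
    return before, store.verify(addr)
```

Because the name is derived from the content, an in-place edit cannot keep the old address valid; the edited object only verifies under a new address, which the seal then ties to the key holder.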
Logicalis security consultant Emlyn Everitt also highlights the management issues associated with integrated storage and security solutions. "What you really need, for instance, is not just a mechanism of encryption but an entire encryption management framework."
Windows has the ability to encrypt its hard drive data, yet few organisations use it, Everitt says, because of the problems of key management. "You have different keys from different systems stored all over the place. Someone encrypts the information using something based on his own password and user name, but if he's sick or leaves the company, what happens then?" Only by ensuring that both security and storage teams work together to develop common policies and frameworks for handling enhanced storage solutions will the benefits be realised.
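One common answer to the "what happens then" problem is to encrypt data under a random data key and store that key wrapped twice: once under the user's password-derived key and once under an organisational recovery key. This added Python example is not from the article or any vendor; all function names are hypothetical, and an HMAC-based mask stands in for a standard key-wrap algorithm such as AES Key Wrap so that only the standard library is needed.

```python
import hashlib
import hmac
import secrets

def kek_from_password(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a user's password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def wrap(kek: bytes, dek: bytes) -> bytes:
    """Wrap a 32-byte data key as nonce || masked key || integrity tag."""
    nonce = secrets.token_bytes(16)
    # Assumed stand-in for AES Key Wrap: HMAC as a PRF yields a one-time mask.
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    masked = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"tag" + nonce + masked, hashlib.sha256).digest()
    return nonce + masked + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Check the tag first, then unmask; a wrong key raises ValueError."""
    nonce, masked, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"tag" + nonce + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted wrap")
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(masked, pad))

def protect(password: str, recovery_kek: bytes):
    """Create a data key; store it wrapped for the user and for recovery."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    header = {
        "salt": salt,
        "user": wrap(kek_from_password(password, salt), dek),
        "recovery": wrap(recovery_kek, dek),
    }
    return dek, header

def reassign(header: dict, recovery_kek: bytes, new_password: str) -> dict:
    """Owner unavailable: recover the data key and re-wrap it for a successor."""
    dek = unwrap(recovery_kek, header["recovery"])
    salt = secrets.token_bytes(16)
    return {"salt": salt, "recovery": header["recovery"],
            "user": wrap(kek_from_password(new_password, salt), dek)}
```

The stored data is never re-encrypted when staff change; only the small wrapped-key header is rewritten, and the recovery key can be held by a separate team from the one that manages the storage.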