The rise of storage security

Anyone who has had their hard drive die on them, only to discover their last back-up was made 18 months ago, has learned one important aspect of storage security. But back-ups are only part of an increasingly complex picture.

Our data now resides on a variety of media and devices - from the desktop PC, to the PDA, the email server, the USB drive and even a mobile phone. It also gets transferred across networks both inside and outside the organisation that owns it. The challenge is not only to ensure the data is not lost or destroyed, but that it does not fall into the wrong hands.

As a number of recent high-profile cases have shown - at Nationwide, and Marks & Spencer, to name but two - a lost laptop computer can cause major panic if important or confidential data is sitting on its hard disk. It not only exposes personal data to potential theft, but it also makes the company in question look slapdash and unreliable.

More to the point, an increasing amount of regulation and legislation is forcing companies to protect and preserve data more effectively. The rules cover everything from personal data protection and the archiving of emails and activity logs in case of litigation to the encryption of credit card details.

Add to that the risk of a thief or disgruntled employee copying valuable or secret information on to a USB device or even a harmless-looking iPod, and the need for a more serious approach to storage security is clear.

The role of encryption

In the wake of various security breaches, many companies have seen encryption as a silver bullet for all their ills. They believe that forcing users to encrypt the whole of their hard disk solves the problem, which it does, but only up to a point.

For a start, encryption does not come without its own problems. It may slow down the system, and if the key is lost, the data is lost too. Key management comes with an administrative overhead which some companies may struggle to master.

"All the database vendors are building in encryption features," says Alex van Someren, the former chief executive of security vendor nCipher. "Oracle is doing it, and Windows Vista has the BitLocker feature, which allows you to scramble everything on your hard disk and then use a combination of a TPM chip and/or a USB stick as a sort of ignition key, to let you unlock the files.

"But for a big company, turning on disk encryption on every PC is a helpdesk nightmare. If you do that, it means that anyone who loses their key has effectively shredded all their data. Powerful tools have powerful risks."

Encryption also does not solve the problem of the legitimate user with a grudge who wants to leak information to a rival company, for example.

So how should a company approach the problem?

A good place to start is by classifying data in much the same way the military does it. Decide which information is confidential or top secret and treat it with more care, restricting who can see it.

However, very few companies do this, according to Chris Gale, head of European business for storage security firm Decru. "We can sometimes spend months explaining the need for classification and definition of policies and procedures," he says. "But in nine times out of 10, it will only be after they have had a business risk or an exposure that they'll come back to us and want a rapid deployment. That's not good for us or them."

Trying to force security into an existing infrastructure, often under pressure from senior management to do it quickly, does not yield the best results. He says the best time to do it is when you are doing a storage refresh, or changing the system architecture. "If you are upgrading your Fibre Channel fabric, for instance, deploying encryption and data security at that point and doing it all in one go, sizing it, knowing the throughputs, is a good thing," he says. "Forcing a few boxes into an existing infrastructure has a ripple effect through the business and presents other challenges to the IT folks."

Understanding data

The basic groundwork of classifying data need not be too onerous or even too detailed. It can start with a broad-brush approach, but it requires the security people and the business to work together to grade different applications or files, and to decide what is critical and what should be freely available. Having done that, the process of protecting the most valuable or mission-critical information becomes a lot easier, and job roles can be mapped against data security levels. It also means that efforts can be focused where they are most needed.

By applying role-based access through Active Directory, for instance, it is then easy to determine who can and cannot see 'company confidential' or 'top secret' data.

The other key part of the strategy, as with all aspects of security, is to sort out people and processes. Security awareness programmes are probably one of the most effective ways of improving security and also the cheapest. Making all users realise why security is important can be worth more than a lot of technological fixes.

Users also need to be guided by clear policies that they can understand and sign up to. If the policies are obscure, boring and have no relevance to the job of the person reading them, then enforcement of policy is always going to be a struggle.

In the case of the Nationwide employee whose laptop was stolen, for instance, it has never been made clear whether he should have had a copy of the whole customer file on his PC, and whether that was covered by any policy.

In most organisations, the policy will usually concentrate on what is acceptable usage - the websites users access, the amount of time they spend on recreational or personal usage, and the kind of language they use in emails - rather than on the way they manage files.

With the new focus on information leakage (especially in industries where regulatory compliance is enforced), policies will need to outline how files and individual records should be properly handled in much more detail. And they will need the technology in place to flag up any policy breach.

If proper data classification has taken place, then a customer file could be expected to be classed as 'company confidential' at least, and any large-scale copying should be either blocked, or should throw up an alert somewhere to ensure it is a permitted transaction.
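
The two controls described above, job roles mapped against classification levels and large-scale copying of classified files either blocked or alerted on, can be sketched as follows. This is an added example, not part of the original article; the role names, the 'public' level, the threshold, the event format and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Classification levels, lowest to highest. 'company confidential' and
# 'top secret' are the article's labels; 'public' is an assumed base level.
LEVELS = {"public": 0, "company confidential": 1, "top secret": 2}

# Hypothetical mapping of job roles to the highest level each may handle,
# as might be derived from directory group membership.
ROLE_CLEARANCE = {
    "marketing": "public",
    "customer-service": "company confidential",
    "board": "top secret",
}

BULK_THRESHOLD = 500  # assumed: classified records per user per day

# Constructed copy events: (day, user, role, label, records, destination)
EVENTS = [
    ("2024-01-08", "asmith", "customer-service", "company confidential", 40, "fileserver"),
    ("2024-01-08", "bjones", "marketing", "company confidential", 5, "usb"),
    ("2024-01-08", "asmith", "customer-service", "company confidential", 300, "laptop"),
    ("2024-01-08", "asmith", "customer-service", "company confidential", 300, "usb"),
    ("2024-01-08", "asmith", "customer-service", "company confidential", 10, "usb"),
    ("2024-01-09", "cdavis", "board", "top secret", 3, "laptop"),
]

def evaluate(events, threshold=BULK_THRESHOLD):
    """Return (blocked, alerts) for a sequence of copy events."""
    blocked, alerts = [], []
    totals = defaultdict(int)  # running classified-record count per (day, user)
    for day, user, role, label, records, dest in events:
        # Unknown labels are treated as the most restrictive level,
        # unknown roles as the least privileged.
        level = LEVELS.get(label, LEVELS["top secret"])
        clearance = LEVELS[ROLE_CLEARANCE.get(role, "public")]
        if level > clearance:
            blocked.append((day, user, label, dest))  # role not cleared: block
            continue
        if level >= LEVELS["company confidential"]:
            before = totals[(day, user)]
            totals[(day, user)] += records
            # Alert once, when the running total crosses the threshold, so a
            # bulk copy split into several smaller copies is still caught.
            if before <= threshold < totals[(day, user)]:
                alerts.append((day, user, totals[(day, user)], dest))
    return blocked, alerts
```
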

The key point to make is that storage security is not something you buy off the shelf, any more than any other aspect of security. The technology is, of course, there to encrypt files, to manage encryption keys, to enforce the rules of your security policy, and even to spot suspicious behaviour on the network.

Technology does not remove the need to think about what data to protect, and that means communicating with the business owners around the organisation, and coming to a joint decision about how to proceed. It also means communicating in clear terms with users to ensure they understand why any of this matters.