Feature
Securing Storage
As enterprises consolidate their storage resources, they are confronting the
fact that tapes carrying data backups can be lost in transit, a trend that has
forced businesses to look seriously at storage security. By Akhtar Pasha.
In recent years storage and security were rarely placed in the same sentence.
Storage used to be considered a system peripheral, controlled by a mainframe,
midrange or server computer, and security for storage was simply part of the
host's security set-up. As long as the host was protected against malicious
code or an intruder, the storage devices and the information on them were
assumed to remain secure.
While the advantages of networked storage technologies such as Network Attached
Storage (NAS), Storage Area Networks (SAN) and iSCSI are well established in
large enterprises, putting an organisation's data on a network creates
significant security risks. Data replication, backup, off-site mirroring and
other disaster recovery techniques multiply the copies of that data, and so
increase the risk of unauthorised access by people both inside and outside the
enterprise. Srikiran Raghavan, regional head, India, RSA (The Security Division
of EMC) says, "As companies consolidate and centralise their data storage in
data centres, vulnerabilities are emerging. At the same time companies have to
comply with regulations. Both these factors have given a fillip to the market
for data storage security products."
Perimeter-centric approaches to security ignore the fact that information lives
and moves throughout its lifecycle. Once data moves outside the perimeters that
have been built around it, it is largely unprotected, which leads to breaches
and losses. According to the Storage Networking Industry Association (SNIA)
Europe, data in all its forms can come under attack, but off-site storage is of
particular concern: the extension of storage networks beyond the data centre
and across IP networks makes data more exposed than ever. Manoj Suvarna,
country manager, HP StorageWorks Division - TSG, HP India says, "While
perimeter security is important in its own right, it does not adequately secure
storage, especially when organisations begin to consolidate their storage
infrastructure."
For that reason companies are investing in security products such as encryption
to protect not only data in flight but also data at rest on disk and tape. The
proliferation of mobile data held on laptops and personal devices such as
phones, PDAs and memory sticks makes the situation critical. Shailesh Agarwal,
country manager-Storage, IBM India says, "Tape encryption is one way to secure
storage." He however feels that the problem is not as grave as it appears to
be. He says, "More than securing networked storage, business should look at
securing the data that is lying on the client device." He explains that data
residing on notebook PCs is in greater danger: a stolen notebook carries the
company's entire business in concise form, as reports, balance sheets,
profit/loss statements and the like. He vouches for storage policies rather
than technology as a cure-all: "Business should disable all USB ports so that
employees cannot take out the data through USB keys."
The need for secure storage
Recent highly-visible security breaches are causing companies
to rethink security practices for data at rest in databases, storage networks,
and during backup and disaster recovery. Research organisations such as Gartner,
Enterprise Strategy Group (ESG) and the Computer Security Institute/FBI are
closely following incidents related to data security. They have published troubling
statistics about the cost and impact of security breaches, as organisations
grow increasingly dependent on digital storage of their corporate data assets.
Gartner predicts that by the end of 2006, failure to encrypt credit card numbers
stored in a database will be considered legal negligence in civil cases of
unauthorised disclosure, and that by the end of 2007, 80 percent of Fortune
1000 enterprises will encrypt most critical data at rest.
Suvarna says, "Storage security is top of the mind when it comes to IT heads or
CIOs, but in my opinion only 15 percent of them are actively thinking about
storage security and the balance are focusing on effective utilisation of
networked storage."
Protecting confidential data: According to a recent ESG Research report, 47
percent of security professionals believe that at least half of their
enterprise data could be classified as confidential. Since confidential and
private information most often exists as data at rest (that is, on storage),
storage networks and devices must be protected from accidental or malicious
breaches, such as application or hardware corruption of data, malicious code
attacks, unauthorised data access and physical theft. Raghavan says, "Another
major driver for interest and investment in this area is the fear of public
disclosure or customer scrutiny in sourcing. The series of media exposures
around lost or stolen customer personal information or credit card data
resulting in identity theft are a major concern for organisations wanting to
increase customer confidence in their business processes."
Soumitra Agarwal, marketing director, India, Network Appliance says, "BFSI and
ITeS hold confidential customer information pertaining to their ATM PIN, bank
account balance, credit card information etc, all of which are vulnerable
whenever businesses are taking backups on disk and tape and sending them to
their remote recovery centre, either on- or off-site."
Sivasankaran L, director-Storage Practice, Sun Microsystems says, "IT heads of
BFSI and telecom companies agree that they need to regulate their storage
security and they want to ensure that their customer data is protected and not
lost. The CIO's concern is how does it [storage security] affect us and what
will be the quantum of loss eventually. The sooner they realise this, the
faster is the adoption of storage security at various levels in data storage.
Since most large businesses have understood the value of backing up their data
at various stages and the cost of not doing it, the realisation of the need for
storage security is slowly seeping in."
Adhering to regulations: ESG Research finds that regulatory compliance is the
primary driver of security policy and of the technology defences focused on
protecting confidential data. With regard to storage, regulations demand the
protection of private data such as patient records (HIPAA) and financial
customer information (GLBA); frameworks such as ITIL and ISO 27001 and the
Payment Card Industry Data Security Standard (PCI DSS) add further
requirements, the last wherever credit card and customer personal information
is exchanged, most visibly in the hospitality, travel and retail markets.
Security breach disclosure laws require organisations that maintain personal
information about individuals to inform those individuals if the security of
their information is compromised. Raghavan adds, "Given the financial and legal
implications of a breach or non-compliance, preventing unauthorised access to
data and preserving its confidentiality and integrity are major security
priorities for most organisations."
Protecting tape-based data from loss or theft: Agarwal of NetApp says, "The
phenomenon of storage security primarily stems from the fact that there are
increasing instances wherein backup tapes are being lost in transit or data on
tape getting lost. This trend is pushing businesses to protect customer data.
In addition to tapes being lost, various surveys point out that the threat is
from inside, which is why businesses are starting to encrypt data. As large
businesses consolidate their storage, the threat perception rises." Of the many
publicly disclosed data breaches of 2005 and 2006, some of the biggest, at
firms such as Bank of America, Citibank, ABN Amro and Marriott, were the result
of lost backup tapes. These events produced embarrassing headlines, millions of
dollars in unexpected costs and a new wave of anxiety about the vulnerability
of off-site tape rotation.
Recent disclosures about the loss of backup tapes containing regulated customer
data have led organisations to rethink their data protection strategies. Though
tape vaulting with third-party service providers (such as Iron Mountain) is not
yet evident in India, large enterprises are doing it themselves by sending
their tapes to off-site locations.
Security holes
As attention is paid to compliance, confidential data protection, and information
security, business and IT executives recognise the need for storage security.
The question remains, however: where is storage most vulnerable? In other
words, which areas of storage security need immediate attention?
- Secure storage consolidation
- Insider threat mitigation
- Regulatory compliance
- Database security
- Secure tape backup and disaster recovery
"Encryption can be deployed at three points in your backup environment: at the
host within the OS or application software, at the tape drive, or in the
network with a dedicated appliance. Where you choose to deploy encryption will
depend on customer requirements for performance, security, scalability, and
overall ease of use and maintenance," says Sivasankaran.
Encryption at the Host level
Many applications, including backup applications, support encryption on the
host server at a granular level, based on the type of data. Application and
server encryption is often the least expensive option, but it still poses the
challenges that have historically slowed the adoption of encryption. It affects
application performance because it is usually software-based and consumes CPU
cycles on the server. Because this type of security is tied to individual
applications or servers, it can be complex to manage and maintain: every patch
or upgrade to the operating system or the application software may affect the
functioning of the built-in security. Server- and application-specific
encryption may also interoperate poorly with other systems in a heterogeneous
environment.
The major drawback of the encryption solutions currently available at the
server, host or backup application level is weak key management. Typically the
encryption keys are stored on the same host as the data, often in clear text
alongside the data they protect, so anyone who can read the host can recover
the keys, and a key lost along with the host means the backups can never be
restored. If application performance, long-term manageability and encryption
key security are priorities for you, these solutions will not be your best
option.
Agarwal of NetApp says, "Most businesses fear that the servers that are running
their applications and databases may not be able to do the additional job of
encrypting data. This additional burden on servers will slow down the
applications." Sivasankaran adds, "Doing storage encryption at the host level
can be taxing as we all know that 40 percent of the CPU time cycle would go
into encrypting the data, which may bring down application performance." He
adds that NetApp (Decru) has taken a leap into this market with its separate
storage security encryption appliances.
Agarwal of NetApp says, "One of the many advantages of using dedicated hardware
for encryption is exceptional performance. Strong encryption is computationally
expensive, and traditional, software-based encryption methods are notoriously
slow and cumbersome to implement. In contrast, appliances can be deployed into
an existing infrastructure in a matter of hours, without ever taking the data
offline."
NetApp has an early-mover advantage through its acquisition of Decru, a storage
security appliance company. NetApp positions the Decru solution as the first
unified platform for securing stored data across the enterprise, with support
for NAS, DAS, SAN, tape and iSCSI environments. Citigroup is currently using
Decru in India as part of a global deal.
Storage security products at a glance
- NetApp: Decru DataFort storage security appliances offer wire-speed 256-bit
encryption, granular access controls, strong authentication and
cryptographically signed auditing to protect stored data.
- HP: StorageWorks LUN Security XP Extension provides tools for advanced data
protection on HP StorageWorks XP Disk Arrays. Storage administrators can
protect datasets from being updated, copied, accessed or queried after they
have been initially created or written. LUN Security XP Extension is designed
to be part of a complete server, storage and application solution, providing
the key features needed to address SEC regulatory requirements for data
retention. It employs 128-bit encryption.
- HP: Reference Information Storage System (RISS) is an appliance built on
smart cell technology in which data is stored securely with date and time
stamping of all objects, to mitigate risk and prevent tampering with or
alteration of retained records.
- HP: Data Protector Software 6.0 provides 256-bit Advanced Encryption Standard
(AES) encryption. AES helps protect backup data from unauthorised access and
helps backups meet compliance and regulatory requirements for government
agencies and financial institutions.
- IBM *: The TS1120 tape drive encrypts data at the tape-drive level, avoiding
the use of host resources. Since tape drives are already part of the existing
storage and backup infrastructure, using the drive itself to perform
encryption has a cost advantage over buying and installing a dedicated piece
of hardware just to encrypt data.
- Sun Microsystems *: The StorageTek Crypto-Ready T10000 tape drive encrypts
data with AES-256 as it is written to the drive, regardless of the
application, operating platform or primary storage device, and without
impacting backup or restore times. Its StorageTek Crypto KMS (Key Management
Station) manages the keys used to encrypt and decrypt data on the T10000. It
comprises a Sun Ultra 20 Workstation-based appliance running the Solaris 10 OS
and Key Management Software, uses AES-256 encryption and is designed to meet
the Federal Information Processing Standard (FIPS) 140-2 requirements.
* Both methodologies (IBM and Sun) let users encrypt data from the storage
servers directly onto tape, whether the hosts are mainframes or Unix, Windows,
AIX or Linux systems. Both encrypt the tape contents with a symmetric AES-256
key, which is used both to write and to read the data; they differ in how that
data key is protected. IBM's drives have the key manager wrap each data key
with public-key cryptography before it is stored on the cartridge, while Sun's
KMS uses symmetric keys throughout. Public-key encryption is more
computationally intensive and requires a much longer key than a symmetric-key
algorithm to achieve the same level of security, which is why it is reserved
for wrapping keys rather than encrypting the bulk data.
Encrypting Tape Storage
Many manufacturers of tape backup systems have built encryption into their
drives, and others are expected to follow suit. Being bundled with the
hardware, drive-based encryption is potentially cost-effective, and it is easy
to implement because it requires no changes to servers or applications. Its
most significant drawback is the major upgrade effort needed to replace old
tape drives and libraries with encryption-enabled systems. Further, encryption
bundled with tape drives or libraries will not integrate well in environments
with tape drives and libraries from multiple vendors, since each vendor
typically brings its own key management. If you have a homogeneous tape backup
infrastructure and are able to manage keys locally, you might want to consider
this approach. Most storage vendors are focusing here.
- Start evaluating storage security solutions immediately. It will take six
months to evaluate products while analysing an enterprise's requirements.
- Choose storage security vendors whose products integrate with a directory
strategy.
- Require storage security vendors to provide integration services as part of
the purchase. Vendors may not know your environment and unique requirements,
and you have limited or no experience with their platforms.
- Start with tape encryption to provide for the most data at the greatest
risk. Remote backup to disk is the second priority.
- To thoroughly protect mission-critical data in the data centre, data should
be encrypted on primary systems before it is sent to backup.
- When considering an encryption solution, keep in mind that key management is
crucial. Encryption keys must themselves be encrypted when stored, and your
encryption key management system will need to make the keys available
whenever they are needed.
Encryption in the Network
The big advance in securing data through encryption is the arrival of
solutions that plug into the network itself. In such security appliances most
of the practical impediments to encrypting backups have been addressed. They
can be deployed with virtually zero downtime because they require no
modification to applications, hosts or servers. You no longer have to choose
between compression and encryption: because encrypted data has no redundancy
left for a compressor to find, the order matters, and today's encryption
appliances compress first and then encrypt at wire speed, which makes them
well suited to a wide variety of backup and recovery environments. Designed to
provide the most robust security available, encryption appliances today come
with strong logging capabilities, access controls and secure key management.
If application performance, long-term manageability, scalability and
encryption key security are priorities for you, these solutions will be your
best option. In fact, even if you have other encryption solutions at the host
or tape drive level, it may still make good sense to add an appliance-based
solution to complement them.
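The key-handling pattern that runs through all three deployment points above, and through the IBM and Sun tape schemes described earlier (a fresh data key for each backup, that data key stored only in wrapped form, compression performed before encryption), can be exercised with nothing more than the openssl command line. The script below is an added example written for this article; it is not code from any vendor or product named here. The scratch directory, file names, function names and the sample ledger are constructed for the demonstration. It encrypts a backup set under a random AES-256 data key, wraps that key two ways (under a symmetric key-encryption key, as in the Sun scheme, and under an RSA public key, as in the IBM scheme), restores from either, and measures why compress-then-encrypt is the only order that works.

```shell
#!/bin/sh
# Envelope encryption of a backup set with the openssl CLI (added example;
# all paths, names and sample data are assumptions of this demonstration).
set -eu

WORK=$(mktemp -d)                 # hypothetical scratch area
trap 'rm -rf "$WORK"' EXIT
BACKUP_SRC="$WORK/src"            # the "primary system" being backed up
KEK_FILE="$WORK/kek.hex"          # symmetric key-encryption key (Sun-style)
KMS_PRIV="$WORK/kms_private.pem"  # RSA private key, held by the key manager only
KMS_PUB="$WORK/kms_public.pem"    # RSA public key, all the backup host needs (IBM-style)

# Constructed sample data standing in for a customer ledger (not real records).
make_sample_data() {
    mkdir -p "$BACKUP_SRC"
    : > "$BACKUP_SRC/ledger.csv"
    i=0
    while [ "$i" -lt 200 ]; do
        printf 'customer=%04d,card=****-****-****-%04d,balance=%d\n' \
            "$i" "$i" $((i * 17)) >> "$BACKUP_SRC/ledger.csv"
        i=$((i + 1))
    done
}

# Key hierarchy: neither the KEK nor the RSA private key lives on the backup host.
make_keys() {
    openssl rand -hex 32 > "$KEK_FILE"
    openssl genrsa -out "$KMS_PRIV" 2048 2>/dev/null
    openssl rsa -in "$KMS_PRIV" -pubout -out "$KMS_PUB" 2>/dev/null
}

# encrypt_backup <source dir> <output prefix>
# Writes <prefix>.enc (ciphertext), <prefix>.iv, <prefix>.dek.kek and
# <prefix>.dek.rsa (the data key wrapped two ways). The raw data key is never
# written to disk. NOTE: passing it via -K exposes it in the process list,
# which is exactly the host-side key handling weakness the article warns
# about; a drive or appliance generates and holds the key internally instead.
encrypt_backup() {
    src=$1; out=$2
    dek=$(openssl rand -hex 32)       # fresh 256-bit data key per backup
    iv=$(openssl rand -hex 16)
    printf '%s' "$iv" > "$out.iv"     # the IV is not secret, only unique
    # compress first, then encrypt: ciphertext cannot be compressed afterwards
    tar -C "$src" -cf - . | gzip -c |
        openssl enc -aes-256-cbc -K "$dek" -iv "$iv" -out "$out.enc"
    # Sun-style: wrap the DEK under the symmetric KEK
    wrapiv=$(openssl rand -hex 16)
    printf '%s' "$wrapiv" > "$out.wrapiv"
    printf '%s' "$dek" | openssl enc -aes-256-cbc -K "$(cat "$KEK_FILE")" \
        -iv "$wrapiv" -out "$out.dek.kek"
    # IBM-style: wrap the DEK under the key manager's RSA public key (OAEP)
    printf '%s' "$dek" | openssl pkeyutl -encrypt -pubin -inkey "$KMS_PUB" \
        -pkeyopt rsa_padding_mode:oaep -out "$out.dek.rsa"
    unset dek
}

# restore_backup <output prefix> <destination dir> <kek|rsa>
restore_backup() {
    prefix=$1; dest=$2; mode=$3
    case $mode in
        kek) dek=$(openssl enc -d -aes-256-cbc -K "$(cat "$KEK_FILE")" \
                   -iv "$(cat "$prefix.wrapiv")" -in "$prefix.dek.kek") ;;
        rsa) dek=$(openssl pkeyutl -decrypt -inkey "$KMS_PRIV" \
                   -pkeyopt rsa_padding_mode:oaep -in "$prefix.dek.rsa") ;;
        *)   echo "unknown unwrap mode: $mode" >&2; return 1 ;;
    esac
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -K "$dek" -iv "$(cat "$prefix.iv")" \
        -in "$prefix.enc" | gzip -dc | tar -C "$dest" -xf -
    unset dek
}

# gzip_gain <file>: percentage by which gzip shrinks the file (negative = grows)
gzip_gain() {
    orig=$(wc -c < "$1")
    comp=$(gzip -c "$1" | wc -c)
    echo $(( (orig - comp) * 100 / orig ))
}

make_sample_data
make_keys
encrypt_backup "$BACKUP_SRC" "$WORK/backup"
restore_backup "$WORK/backup" "$WORK/restored" rsa
cmp "$BACKUP_SRC/ledger.csv" "$WORK/restored/ledger.csv" && echo "restore via RSA-wrapped DEK: OK"
echo "gzip gain: plaintext $(gzip_gain "$BACKUP_SRC/ledger.csv")%, ciphertext $(gzip_gain "$WORK/backup.enc")%"
```

Two things to notice when running it. The backup host only ever needs the RSA public key; a stolen cartridge plus a compromised host still yields nothing without the private key held by the key manager, which is the point of the IBM-style wrap, whereas the symmetric KEK has to be present wherever restores happen. And gzip gains nothing on the `.enc` file, so an appliance or drive that encrypts before its compression stage would quietly lose the capacity benefit the article's vendors promise.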
RSA has a comprehensive approach to enterprise data protection, wherever that
data resides. Its Enterprise Data Protection (EDP) framework also addresses the
management of the associated encryption keys, access control and
authentication.
Though storage security is still very new to India, the factors driving serious
consideration of it are the same as the global trends discussed above, and
some IT heads of large businesses (BFSI and telecom) are reviewing it in
earnest. IT departments that have held off from encryption because of old
biases need to know that encryption technology has advanced to the point where
its advantages are available without disruption to normal backup processes and
tools.