A Security Capability for Storage


While the popular discussion of security requirements for storage is a relatively new phenomenon , [1] driven in part by concerns over the increased accessibility of storage arrays across a shared interconnect, fabric, or network, and the vulnerability this introduces to data from internal and external sources, information security itself is not new. Information security technology has undergone significant development over the past 20 years , especially in the areas of application hosting and networking, as a response to the growing realization of the increased dependency of business processes upon increasingly internetworked systems and applications.

Study after study has revealed that the same technologies that are making business processes more efficient are also increasing their vulnerability. Widespread deployment of standardized applications and operating systems, for example, and the omnipresence of the Internet, have not only increased the accessibility and ease of use of information systems, they have also facilitated the efforts of those who seek to access IT resources for the purposes of misuse, vandalism, or sabotage .

According to the most recent study released by the Computer Security Institute and Federal Bureau of Investigation, computer crime continues to be a significant fact of life in corporate America, with incidents costing the 250 or so companies who reported them a total of $201 million in 2003. [2] The study also yielded the following data points: [3]

  • As in prior years, theft of proprietary information caused the greatest financial loss ($70,195,900 was lost, with the average reported loss being approximately $2.7 million).

  • In a shift from previous years, the second most expensive computer crime among survey respondents was denial of service, with a cost of $65,643,300.

  • Losses reported for financial fraud were drastically lower, at $10,186,400. This compares to nearly $116 million reported last year.

  • As in previous years, virus incidents (82 percent) and insider abuse of network access (80 percent) were the most cited forms of attack or abuse.

Of course, almost weekly reports of new virus programs and intense media coverage of financial accounting scandals involving the manipulation and misreporting of corporate data have contributed to a more widespread perception of risks to electronic information access and integrity. This perception, in turn , is driving an increasing number of companies to take an active interest in protecting their infrastructure by developing a homegrown security capability.

For those who are new to information security, it is best described as a broad and multifaceted discipline with nearly as many methodologies as there are security consultants ”rather like networked storage, one could argue. Surveying the literature of the field, it is easy to conclude that security is some sort of mystical or Byzantine practice best left to a small and secretive cadre of skilled practitioners .

The truth is that, while efforts to form a security capability for your organization might benefit from the guidance of a professional security consultant, security planning itself is a relatively straightforward application of common sense. Building an effective security capability involves an ongoing and iterative process of vulnerability assessment and solution implementation.

Organizations that have already experienced the devastation of an email virus, or realized a financial loss from a denial-of-service attack or deliberate data corruption by a disgruntled employee may already perceive the points of vulnerability in their systems or networks. However, it is a generally preferred practice to conduct a vulnerability assessment before a security incident occurs. That way, you can identify gaps in existing information technology infrastructure that might be exploited to disrupt operations, to gain access to confidential information, or to compromise the integrity of data, and take proactive steps to close them.

With the results of a vulnerability assessment, you will inevitably find that gaps exist and you have some work to do in order to build a security capability. A security capability is nothing more than a combination of policies, procedures, and security technologies that, together, mitigate certain risks and provide mechanisms for coping with the unavoidable.

Policies and procedures define security objectives and goals. They are intended to describe and control certain behaviors (primarily of organization staff) in a manner that advances or supports those goals.

Security technologies are best selected and implemented only after policies and procedures have been defined, to support them by "hardening" the behavioral limits established by policy. There is no single technology to solve all security problems. Rather, a combination of technologies is generally needed to meet the special requirements of applications and business processes within any given organization.

There are, however, three generic goals or objectives that should guide any effort to build a security capability, regardless of the type of organization involved. These are:

  1. Protect information and infrastructure.

  2. Provide authentication-based access with cost-effective administration.

  3. Enable information nonrepudiation.

As you develop a security capability to meet these three generic goals of security planning ”as well as any particularized objectives appropriate to your business setting ”the key requirement to keep in mind is "balance." In most organizations, a balance must be struck between the steps that are taken to secure applications and data, and the impact of those steps on application performance and ease of use from the user perspective.

It is possible with current security products to lock down data, systems, and even networks in an extremely secure way ”to impose a veritable "cone of silence" over your environment. However, a side effect of all this security may be reduced application performance or a significant increase in user inconvenience.

Planners need to find the appropriate balance between the level of security required to protect the organization and the level of performance reduction or user inconvenience that the organization can tolerate . To some extent the toleration for inconvenience is linked to corporate culture. For example, in organizations such as government intelligence or defense agencies, airtight security is an absolute requirement and user convenience is not an issue.

However, in most organizations, including most civilian government agencies and departments, businesses, and educational institutions, the culture of the organization is quite different. In these settings, the success of a security strategy is directly related to its "transparency" to the end-user.

If a security provision slows the performance of an application perceptively or creates other inconveniences for end-users, such as the need to remember several passwords, it will more than likely be rejected by end-users. Rejection may take the form of an ongoing stream of complaints about the security system or the use of "workarounds" (for example, attaching notes containing passwords directly to workstation monitors ) that defeat the purpose of the security measure itself, or other, more direct action.

Balance also refers to cost of ownership. In addition to its acquisition price, security technology (like all information technology) has an extended cost of ownership that accrues over its entire useful life. As with storage technology, the bulk of security technology's cost of ownership is a function of labor expense. Reducing this expense requires better automation. The more automated the administration and management of the technology, the fewer monks you need to hire to operate it.

A balanced security strategy considers the cost to protect information and the cost to own the capability you create. Fear, uncertainty, and doubt is not the best premise for selling security to management: As with all technology acquisitions, you need balanced and compelling business cases that include not only risk reduction, but also cost-savings and business enablement value.

The bottom line is that balance must be considered at each step of security planning. Doing so will help you select security approaches that fit with the culture of the organization whose storage assets you are working to protect.



The Holy Grail of Network Storage Management
The Holy Grail of Network Storage Management
ISBN: 0130284165
EAN: 2147483647
Year: 2003
Pages: 96

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net