Regulatory compliance requirements and the threat of having to publicly disclose security breaches have a growing number of IT executives taking a serious look at their storage security strategies. After all, data loss is big news and it can quickly undermine customer confidence, jeopardize company brand and reputation, and result in significant financial losses. And it has become far too prevalent. According to Privacy Rights Clearinghouse, more than 450 separate incidents of data loss involving sensitive personally identifiable information have been reported, exposing more than 100 million data records of U.S. residents. That equates to one out of every three U.S. residents having such personal information as Social Security Number, bank account details, and driver's license data in danger of compromise by hackers or identity thieves. In fact, data privacy has become such a critical issue that the U.S. Congress continues to act feverishly to push through new legislation aimed at helping ensure the confidentiality of sensitive information.

Yet businesses are still struggling. Just ask the 70 percent of IT executives at companies who recently rated their organization's storage security readiness as merely fair or even poor. For these and similar organizations, architecting an effective storage security strategy is now a business priority. By having such a strategy in place, organizations can not only address regulatory compliance requirements but also reduce risk and help ensure business continuity.

Information Classification

One of the most common mistakes organizations make when architecting a storage security strategy is to treat all information the same. In reality, however, not all information is created equal. As a result, security and storage needs must also reflect the value of this different information. The accurate classification of information begins by identifying what type of data the organization considers important.
To that end, IT must collaborate with business owners and risk management personnel to determine what drives risk management processes for the particular business need they want to address. The relevance of regulations, industry or vertical standards, as well as international standards or guidelines must be taken into account as well. In addition, organizations often have intellectual property protection requirements for patents, trade secrets, copyrights, and the like. As part of their storage security strategy, enterprises must understand the value of such intellectual property in combination with the risk tolerance of the organization before they can address how to appropriately secure it and store it. Of course, legal discovery and governance requirements must also be considered so organizations can determine whether to keep all of a certain category of information, keep only some of it, or get rid of all of it. Finally, business operations requirements for disaster recovery and business continuity must also be examined and addressed to ensure that the most critical information remains available and recoverable in the event of a disruption or disaster.

Moreover, because the value of information changes over its lifetime, so should its storage. Provisioning storage according to the value of data at any point of its lifecycle, from its creation to its destruction, is crucial. Consequently, a storage and security strategy must align with the lifecycle of information and be cognizant of where it resides and moves and how it is destroyed.

Storage Security Vulnerabilities

Vulnerabilities can exist at many points of contact throughout the network, some very obvious and some not so obvious. IT must consider all possible vulnerability points when implementing a storage security strategy. Some can be taken advantage of by malicious intruders, while others could simply result in the misfortune of losing a backup tape.
For example, IT often overlooks information handling as part of its storage security strategy. IT nearly always secures data as it travels over a traditional network, yet often overlooks the transfer of data over a storage network. IT must also consider how data is being stored on a disk. For example, is it accessible via a thumb drive that someone could easily access? Finally, high-profile data losses have reminded IT of the need for more secure transfer of backup tapes. Not only should tape data be encrypted, but additional measures should be taken, such as simply housing tapes in a locked box and transferring them in a locked vehicle.

Vulnerabilities can exist in quite a few places, including:

- Application processing, data flow, and caches
- File systems
- Block or in-line data
- Physical disk spindles
- Memory devices
- Tape

Best Practices

In today's enterprises, information is either at rest or in flight. Wherever it is in the information lifecycle, this data must be protected.

To protect data at rest, organizations can apply encryption and sanitization policies. For example, column encryption can be applied to databases, while data and field encryption can be applied to applications. File-based encryption and selective file encryption can protect file systems, while encryption appliances, backup software encryption, and encryption built into disk or tape libraries can be leveraged for block and in-line elements. Organizations should also ensure that storage-specific sanitization policies are in place for disk, memory devices, tape, and application caches. Sanitization is typically divided into three classes (clear, purge, and destroy), and enterprises determine the most appropriate sanitization activity based on the value of information and their specific compliance requirements.

Data must also be protected in flight. Whether inbound, outbound, or internal, data must be protected against interception, modification, and exposure or leakage.
Encryption and filtering are two of the most effective mechanisms for securing data as it moves into, out of, and throughout the organization.

Architectural Digest

In a storage area networking (SAN) environment, storage system security must address a variety of architecture issues related to least privilege, defense in depth, and more. For example, soft zoning and node worldwide name (WWN) services permit connected entities to access data without explicit access controls, and host security is often the only line of defense in a SAN environment.

In an iSCSI environment, similar architecture issues must be addressed when devising a storage security strategy. For example, securing the weakest link may not be possible, since iSCSI is typically clear text, which exposes the Challenge Handshake Authentication Protocol (CHAP) authentication messages. These and other limitations must be considered before the most appropriate security mechanisms can be put in place.

Evaluating storage security from a storage resource management (SRM) perspective also requires careful examination, particularly of software and protocols. For example, insecure protocols such as SNMPv1 are often used to manage critical SAN components, making it challenging to secure the weakest link in the storage infrastructure. Security through diversity is also difficult, since physical security controls in a SAN environment do not isolate storage and removable media.

Once organizations have examined the challenges and opportunities associated with their specific storage environment, the application of commonsense media management practices can help enhance their storage security strategy. Such practices include maintaining daily tape logs; completing monthly inventory and accounting reports; doing background checks for staff that handle media; separating the roles of backup management and media management; and following guidelines for secure off-site tape handling.
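To make the iSCSI point above concrete, the following Python is an added example (not from the original article) that parses iSCSI Login Request PDUs using the RFC 7143 byte layout and reports which CHAP key/value pairs are visible in cleartext during the security-negotiation stage; the sample PDUs, the initiator name, the CHAP user name and the response value are all constructed placeholders. Running such a check over a capture from a storage network shows why an unprotected iSCSI segment needs IPsec or physical isolation.

```python
# Added example: parse iSCSI Login Request PDUs (RFC 7143 layout) and report CHAP keys sent in cleartext.
LOGIN_REQ = 0x03        # Login Request opcode (low 6 bits of byte 0)
CSG_SECURITY = 0        # CurrentStage value for SecurityNegotiation
CHAP_KEYS = ("CHAP_I", "CHAP_C", "CHAP_N", "CHAP_R")  # keys exchanged during CHAP inside login

def build_login_pdu(pairs, csg):
    """Construct a minimal Login Request PDU (used only to build the constructed sample below)."""
    data = b"".join(k.encode() + b"=" + v.encode() + b"\x00" for k, v in pairs)
    bhs = bytearray(48)                       # Basic Header Segment is always 48 bytes
    bhs[0] = 0x40 | LOGIN_REQ                 # I (immediate) bit set, as initiators normally do
    bhs[1] = 0x80 | (csg << 2) | 0x01         # T bit, CSG in bits 2-3, NSG=1 (operational)
    bhs[5:8] = len(data).to_bytes(3, "big")   # DataSegmentLength is a 24-bit field
    return bytes(bhs) + data + b"\x00" * ((-len(data)) % 4)  # data segment padded to 4 bytes

def parse_login_pdu(pdu):
    """Return (csg, {key: value}) for a Login Request, or None for any other opcode."""
    if len(pdu) < 48:
        raise ValueError("truncated BHS")
    if pdu[0] & 0x3F != LOGIN_REQ:
        return None
    csg = (pdu[1] >> 2) & 0x03
    start = 48 + pdu[4] * 4                   # skip Additional Header Segments, if any
    data = pdu[start:start + int.from_bytes(pdu[5:8], "big")]
    kv = {}
    for item in data.split(b"\x00"):          # text keys are NUL-terminated key=value pairs
        if b"=" in item:
            key, value = item.decode("ascii").split("=", 1)
            kv[key] = value
    return csg, kv

def find_cleartext_chap(pdus):
    """List, per security-stage login PDU, the CHAP keys readable by anyone on the wire."""
    findings = []
    for pdu in pdus:
        parsed = parse_login_pdu(pdu)
        if parsed and parsed[0] == CSG_SECURITY:
            exposed = [k for k in CHAP_KEYS if k in parsed[1]]
            if exposed:
                findings.append(exposed)
    return findings

# Constructed sample session: initiator offers CHAP, answers the challenge, then negotiates parameters.
SAMPLE_PDUS = [
    build_login_pdu([("InitiatorName", "iqn.2000-01.example:host1"), ("AuthMethod", "CHAP")], 0),
    build_login_pdu([("CHAP_N", "backup-user"), ("CHAP_R", "0x0123456789abcdef0123456789abcdef")], 0),
    build_login_pdu([("MaxRecvDataSegmentLength", "262144")], 1),
]

if __name__ == "__main__":
    print(find_cleartext_chap(SAMPLE_PDUS))   # [['CHAP_N', 'CHAP_R']]
```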
Clearly, architecting a storage security strategy is not an event but a process. It begins by classifying the value of information as it moves throughout the information lifecycle as well as by understanding how storage security represents an essential element of risk management. A successful storage security initiative not only requires attention to products but also to process. What's more, the most effective storage security strategies integrate with existing infrastructure and applications, accommodating architecture-specific elements while addressing compliance requirements for all data, whether at rest or in flight.