In-Depth

Storage Security is Nothing New

Only by looking at data targets, then building security in pragmatic layers around the targets, can you realize strategic data security

• By Jon William Toigo
• 02/14/2006

Late last year, on a trip to Kuala Lumpur, Malaysia as a guest of IT training company CoreVentus, I gave a two-day program on data security. There were approximately 35 eager students, mostly management-level representatives of their organizations, both governmental and commercial. As usual, I learned as much or more from them than they learned from all of my PowerPoint slides and story telling.

Most were concerned about the adequacy of their defenses in the face of a vast and growing number of cyber threats. Many were troubled and confused by the dizzying proliferation of international (especially U.S.) regulations and laws and wanted to know they meant for companies that were offshore subsidiaries, affiliates, or supply chain partners of American firms. They were likewise concerned about the “new” requirements being touted by the storage vendors for something “new” called “storage security.”

Against this backdrop, the one major theme was cost: how much was an effective program of security—one that afforded compliance and storage protection—going to cost?

As with most technology, security technology is a big ticket expense. In the case of security spending, we are wasting a lot of money by spending tactically rather than strategically. Despite the arguments about return on storage investment (ROSI) emanating from the storage industry and academia, there is still no definitive proof that spending a large amount of money makes companies any more secure than investing the bare minimum on perimeter hardening through proper network design, firewalls, intrusion detection and prevention, and authentication/access control.

That bit of wisdom has not discouraged tactical spending on incremental protection controls that are the cyber equivalent of “Maginot Lines”: defenses and fortifications designed to fight the previous war. From an acquisition perspective, security provisions tend to cost a lot of money, are generally poorly integrated with one another, and, in reality, afford little or no protection at all against dedicated attackers.

Tactical security means building controls over time in response to threats. As a new threat arrives on the scene (a new virus appears or a new attack strategy gets publicity), vendors tell you to add more security wares. Lack of integration between products, however, drives up administrative costs and makes the entire security capability unwieldy and difficult to manage. More importantly, such a strategy lets the enemy pick and choose the time and location of the attack, a passive containment strategy that has historically been proven both dangerous and costly.

A more strategic approach makes “security targets,” rather than “security threats,” the centerpiece of security planning. One good outcome about the current chatter surrounding storage security is that it finally has everyone talking about data as the “target” that must be protected.

The appropriate targets for strategic security planning are data assets, and the processes that make them purposeful. Inventorying these targets, then building appropriate security controls, is the proper way to build a strategic security capability.

Unfortunately, the targets of security—the assets that need to be protected—are often very poorly defined. Why? One reason is that target identification is a laborious effort involving the analysis of business processes, their subordinate tasks and workflows, and their supporting applications and data outputs. Data itself is the target that bad guys seek to steal, corrupt, deny, or destroy. Real security has always been about protecting data assets and facilitating authorized access to data. Strictly speaking, it isn’t about anti-virus, anti-malware, firewalls, or encryption. Those are merely tools for achieving goals, which are defined by a careful analysis of data targets.

Once you discover your targets, you analyze what value they have to the organization. Some data is more valuable than other data—a function of the criticality of the business process that it serves. For example, losing your collection of Britney Spears video clips is, in most organizations, a far less important matter than losing the accounts receivable database.

Milieu concerns such as regulatory requirements that companies must meet if they are to conduct business in a legal way also help to define the importance of data. A host of data retention and non-repudiation requirements flow from Washington or London or Brussels these days, and security planners need to understand their meaning to correctly assess the importance of data targets before deploying security controls.

Some data targets are important, not as a result of any intrinsic value, but as a consequence of interdependency. Seemingly inconsequential data may be important because it indirectly contributes to the creation or use of a primary data asset. As a result of interdependency, this data inherits the mantle of criticality assigned to intrinsically important data and must share in the protection services and controls that are devoted to the intuitively important stuff.

The idea here is that security must proceed from a business process analysis and data classification effort. Without one, you will be wasting money using a shotgun approach to securing the entire organization, then wasting more money trying to shore up defenses in a ceaseless effort to keep up with new threats.

While the current attention to storage security has helped assert the primacy of data targets in strategic planning, it has also introduced confusion as a function of fear, uncertainty, and doubt in campaigns being waged by storage vendors. In storage industry speak, “storage security” is usually a code phrase for data encryption. The message that a lot of consumers are taking away from presentations by the Storage Networking Industry Association, Decru/Network Appliance, NeoScale, and others is simple: “Encrypt your data and have done with it.” Where this message is expanded to include controls aimed at protecting storage infrastructure, it tends to get fuzzy.

Securing infrastructure isn’t clearly a “storage security vendor’s” business. Switch guys need to protect their switches, HBA vendors need to protect their HBAs, array vendors must provide controls to protect their arrays, and everyone depends on the protection provided at the LAN, server OS, and application level “ahead” of the storage infrastructure itself. Ultimately, the discussion creeps back into what firewalls and other components we are deploying, re-focusing attention once again, to no one's surprise, on threats rather than targets.

Only by looking at data targets, then building security in pragmatic layers around the targets can a strategic security capability be realized. In effect, storage security, like disaster recovery planning and regulatory compliance, is all about the data and it is a function of effective data management.

Two folks I have met recently seem to get this message clearly. One is Paul Carpentier, CTO of newly-formed Caringo in Austin, TX. Carpentier is bent on building a data management solution that will solve the problems and limitations of contemporary content addressable storage products and, at the same time, lay the groundwork for provisioning data with the services it needs, including security.

The other person is Patrick McGregor, CEO and President of BitArmor in Pittsburgh, PA. While his company’s stealth mode status limits what can be said about his data security start-up’s wares, he clearly seems to understand that encryption is a data-centric service that needs to be provisioned on a more efficient, content/context-specific basis and with careful attention paid to the requirements for data usage.

I expect big things over the coming year from both of these start-ups. Watch this space. Comments are welcomed at jtoigo@toigopartners.com.