Rumors of War Underscore Data Security Issues

Our storage analyst, Jon Toigo, begins a series on data security issues and solutions.

In case you missed the Wall Street Journal article, buried as it was on page A6 of the Friday, 18 May edition, the Baltic state of Estonia is inching closer to declaring war on Russia. The country’s Internet sites for government and financial institutions have been subjected to massive waves of Denial of Service (DoS) attacks since late April (coinciding with the removal of a statue in the center of Tallinn, capitol city of the former Soviet republic, dedicated to Red Army soldiers killed in WW II).

The Estonians are blaming the Russians for the flood of traffic that has stymied the operation of critical net-accessible servers. They say that the offending traffic has been traced back to Russian computers in what appears to be a concerted effort to take down key services. Moreover, they are equating the cyber attacks to missile attacks on government buildings, banks, and even airports. Russian officials deny the allegations.

Of course, if actual missiles were being lobbed, a declaration of war would almost certainly be the response. The question Estonian officials are putting to NATO and to the European Union (of which Estonia is a member) is whether a cyber attack justifies such a declaration. If the answer is yes, 2007 may mark the first time that war was precipitated by a misuse of the Internet: World Wide Web War I.

While the editors of the Journal may have seen this as an obscure story from an out-of-the-way corner of the world (hence, its placement as a short piece inside Section A), the Estonian situation may well be a harbinger of something much larger. When data accessibility and integrity become issues of national security, all of the instruments of foreign policy, including war, may come into play to redress hostile activities in cyberspace.

It is a given that, in our "post-industrial" "information age" economies, data itself has become an official currency. For proof, you need only look at corporate boardrooms, where the security of data "at rest" (on storage spindles) and "in flight" (traversing physical or electronic highways) has become a pressing issue.

Recently, considerable attention has been focused on storage security, typically in response to compliance requirements affecting publicly traded companies or heavily regulated vertical industries such as healthcare and finance. Some firms have also begun contemplating storage security after press accounts of hacker activities and corporate espionage. The discussion has mostly centered on the need for greater security (read encryption) for any data that leaves the comfortable confines of the corporate glass house.

Privacyrights.org keeps a tally of security failures involving lost laptops and magnetic backup tapes in the form of calculations of the number of persons whose personal or financial information has been inadvertently disclosed—by companies charged to keep it secure. As expected, the storage-vendor community, smelling blood in the water, has pushed numerous security-oriented products into the market.

Last month, Seagate announced a disk drive that encrypts whatever data you write to it. Tape vendors have been adding security features to cartridges and library hardware. Other vendors have introduced appliances to encrypt data on its way to disk arrays or tape devices, while still others have created software deployed on application servers to encrypt their output.

Defining a Security Strategy

The increasing diversity of products and approaches has made the IT manager’s job of defining a storage security strategy a difficult one. There is little reliable guidance and few standards to insulate consumers against the inevitable consolidation that will occur within the storage security microcosm. Most IT mavens don’t even know what storage security means, or whether additional security is required if the network and application admins are doing their job to lock out bad guys well ahead of the storage infrastructure.

One initiative that showed promise to bringing order to the storage security realm was the Storage Networking Industry Association’s (SNIA) Storage Security Forum under the guidance of LeRoy Budnik. Budnik had successfully driven all of the hypersecretive/hypersensitive storage security vendors to the conference table late last year, and was preparing to wring out a set of best practices for securing data assets in the storage infrastructure when he was unceremoniously replaced. The change of management at SSF has had the predictable outcome: little progress has been made.

It is, therefore, up to consumers to figure out the intricacies of storage security and to determine what extraordinary measures must be taken in their part of IT infrastructure, how these actions will interact with other safeguards that have been deployed in networks and application hosts, and, ultimately, how so-called solutions are to be evaluated. As I did in the just-completed series on archiving, the next several columns will explore security issues and solutions. You are invited to chime in, if you are a consumer, with an outline of the solutions you have deployed and how they are performing. Names will be withheld on request.

If you are a vendor of storage security wares, we want to talk to you also. I will be sending out a questionnaire to some vendors in my mailbox, but feel free to contact me directly if you do not receive a note.

I am somewhat circumspect about vendors on this one. To my knowledge, there have been no bake-offs between different approaches, and there seems to be considerable infighting and marketecture in many of the storage security white papers and product slicks that I've seen.

In addition, many vendors simply don’t practice what they preach. Just last week, IBM suffered the latest in what seems to be a daily litany of embarrassing data disclosures, having lost tapes—some encrypted, others not—following a car accident involving a contractor transporting backup tapes to offsite storage. The missing tapes were reported to contain the names, addresses, birth dates, Social Security numbers, and employment dates with IBM of many IBM retirees, plus some customer data. The predictable response was an offer by Big Blue of free credit monitoring services for those affected.

IBM, a self-styled leader in tape security, looked pretty foolish following the mishap—to the delight of competing vendors. They delayed notifying employees and customers about the event until they (1)could figure out which tapes were lost and (2) had arranged terms with a credit monitoring company for services to those who had been harmed. Were any lessons learned? We’ll ask.

If the tape-loss incident was a media disaster for IBM, one could posit that the public disclosure of HP’s use of hacker tactics last year to plug media leaks from within its own board of directors should have been even more damning. The company denies knowing about the tactics used by an investigator hired by senior management (the investigator engaged in "pretexting" to obtain telephone records of journalists to see who on the board was talking to whom in the media), but high-level resignations have already happened and legal actions in the case are ongoing.

A legitimate question can be raised regarding credibility of a vendor that portends to be advancing the cause of information security while flouting the principles of privacy and data protection when it suits them. We will explore this question and many others as this series rolls out.

As of this writing, Estonia has not declared war on neighboring Russia, but it has succeeded in underscoring the importance of security and the urgency of finding effective measures to contravene attacks whether from inside the company itself or through the ether of cyberspace. Your input is welcome: jtoigo@toigopartners.com.