Securing Storage, Part II: Encryption is Only a Start

Storage security needs a more systemic view to succeed.

In the Information Age, businesses seem to collect a lot of data. Not surprisingly, customer relationship management (CRM) software has ranked consistently high on surveys of Fortune 500 companies’ most pressing application initiatives.

CRM is a detailed database that captures as much information as possible about current and prospective consumers for a company’s goods or services. Gathering detailed customer data imposes an ethical obligation to be concerned about data privacy and security. Increasingly, ethical arguments are bolstered by legal or regulatory mandates.

This has led to a general agreement that some sort of security must be implemented in the world of storage. Beyond this airy goal, however, things tend to get fuzzy.

The exception might be data encryption. The generally held view in storage security is that any important data exiting the facility on removable media (read: hard disk, flash drives, optical or tape) should be encrypted. This position is underscored by the almost weekly litany of data disclosure events documented by groups such as PrivacyRights.org, which began keeping count in 2005. To date, according to that organization, the personal and financial records of over 155 million persons have been accidentally disclosed—mostly due to lost backup tapes, laptop drives, and other media in transit.

The primacy of the encryption discussion in any storage security strategy meeting is fostered in part by the fact that backup processes provide a simplistic target and avail themselves readily (in the mainframe world, at least) of straightforward and affordable encryption solutions. This was underscored at one large financial firm I visited recently, where tape encryption was bolted on to a project already underway to upgrade the company’s mainframe backup infrastructure.

The company in question had already planned to upgrade its mainframe tape infrastructure to capitalize on the newer, higher capacity tape cartridge technologies coming into the market from Sun Microsystems/STK, IBM and others. This “backup- technology refresh” initiative had a solid business case to support it, since it reduced backup media costs while it improved the backup’s operational efficiency. Adding an encryption component helped to bolster the risk-reduction argument, especially in terms of offsite storage.

For the record, the firm had already deployed CA-1 for tape management, as well as the BrightStor CA-Dynam/TLMS Tape Management Copycat Utility that enabled multiple 3490 tape images onto new 3592 J cartridges to fit on a new IBM 3584-D22 Tape Library (these combined tape images are built inside an IBM Virtual Tape System 3494-B20). The net result of this configuration was to reduce the number of physical cartridges that move offsite daily, dropping from a maximum of 15 cases (at 50 cartridges per case) to only eight 3592 J tapes.

Adding encryption was a snap using the BrightStor Tape Encryption Utility, which plugged right into the existing software stack from CA. BrightStor Tape Encryption leveraged ICSF (the Integrated Cryptographic Service Facility built into the IBM z/OS operating system), managed encryption keys, and enabled administrators to define policies to automate the encryption process—without writing any new JCL. Moreover, should the need arise to decrypt the tapes at an alternate location (in the aftermath of a disaster, for example), the company could obtain client software from CA to read the data sets back into a production environment without being required to build a redundant infrastructure remotely.

This seamless integration of CA’s software with preexisting mainframe security facilities and data-protection processes (not to mention a pre-funded infrastructure upgrade initiative) helped to make the overall tape encryption solution a huge success. That’s not always the case when considering tape encryption in a distributed systems environment.

The Need for a Systemic View

In the open systems world, according to Mike Alvarado, principal of the Product and Business Company in San Jose, CA and former chair of the Storage Networking Industry Association’s Storage Security Forum, vendors have tended to “suboptimize” storage security by offering only proprietary point solutions that work only with their own products.

Alvarado argues that a standards-based messaging platform is urgently required today to facilitate the construction of a true storage security architecture—one that integrates policy and practice with storage components. He notes, “There is no common definition for storage security, let alone agreement on what a solution should be. There is no common definition of risk and certainly no easy way to audit whatever protection is in place. Centralized reporting on information, data, and, storage assets from a security policy standpoint is just a hope at this point, but we cannot ignore the need to have practice, policy, and equipment all involved in any upgrade process. Practice and compliance monitoring are critical areas for attention. Effective access control is an example where all three of these dimensions have to be coordinated to create an effective solution.”

To accomplish the goals of storage security, he says, a more systemic view is needed, leading to the ability to integrate security provisions at the application, server, and network level with the needs of storage infrastructure. “Point solutions, such as individual appliances, or encryption services offered at the level of media, arrays, or appliances, just aren’t enough to permit the definition and fulfillment of service-level objectives or service-level agreements.”

Agreeing with Alvarado is Mike Linett, president of Zerowait, a high-availability engineering company in Newark, DE. To Linett, the narrow focus of storage security on data encryption for media leaving a facility is out of step with real security requirements. From his company’s many engagements—both in the design of infrastructure and with his new remote monitoring services—Linett believes that the chief threat to data comes from the network.

Citing his own experience, Linett argues that more disruption is being caused to companies by threats to data access than by data disclosure events. Companies should be looking to provide secure access to data at rest even as they work to prevent unauthorized access to data in flight.

Says Linett, “If you wanted to shut down US Steel, your competitor, all you would need to do is to mount a distributed denial-of-service (DDoS) attack from a set of ‘zombies’ (servers on the Internet that have been taken over surreptitiously by a hacker). You could flood all virtual private network ports and deny access to company applications and data to everyone from his customer to his supply-chain partner. Imagine if this happened to United Parcel Service or FedEx, and no customers could get any shipping data. It wouldn’t take very long before they would be shopping somewhere else. It’s all connected.”

He agrees with Alvarado that a more systemic approach is needed instead of a one-off strategy targeting individual threats with point solutions. When a customer is experiencing an anomalous data access pattern, this needs to be detected, analyzed, and reported so corrective actions can be taken. His monitoring service, called Zpiphany, provides both real-time and trend-based analysis of data collected from servers, network components, and storage devices to facilitate troubleshooting and security.

In our conversation, Linett confirmed my suspicions (based on my own consulting practice) that a false sense of security may have been introduced into many shops owing to a combination of vendor hype around point products/features and marketecture surrounding the security of Fibre Channel.

For example, many storage administrators believe their Fibre Channel fabrics to be “closed networks” that are inaccessible to outsiders. Truth be told, most oxymoronical “SANs” are not isolated or closed systems; rather, an out-of-band TCP/IP network is often fielded, paralleling the Fibre Channel fabric, to connect all storage equipment to a browser-based management console. The security domain surrounding these storage devices and systems is vulnerable for reasons that not familiar to most storage administrators.

In many cases, this IP network can be used to access switch or array configuration utilities, on which admins, believing their infrastructure to be safe, have never bothered to change default user IDs or passwords. In the words of Alvarado, “Moving to a shared-but-centralized storage model has placed data more at risk than ever before.”

As a practical matter, encrypting data isn’t a full security solution for storage. However, a program of routine data encryption on outbound media can help keep a company off the front page of the Wall Street Journal or Financial Times, if media itself is misplaced. For some companies, that fact alone is a good reason to begin a storage security program with encryption. A better reason is for good corporate stewardship of data.

The next column in this series will take a deeper look into encryption implementation options. Subsequent installments will look at how to protect data at rest. Your input is welcome: jtoigo@toigopartners.com.