Danger, danger

How safe is your data? Most of us tend to think of data security in terms of either external attacks (hence, the growth of the firewall business) or unauthorized access by users from within the corporate LAN structure. A result of this has been two decades of separate, disconnected and often ineffective approaches to protecting corporate data.

How safe is your data? Most of us tend to think of data security in terms of either external attacks (hence, the growth of the firewall business) or unauthorized access by users from within the corporate LAN structure. A result of this has been two decades of separate, disconnected and often ineffective approaches to protecting corporate data.

I have spent a bit of time looking at data security issues of late, and I often find that many companies – irrespective of size, experience or industry – take what is essentially a piecemeal approach rather than adopting a strategic methodology. (Of course this problem probably doesn’t apply to any of my readers, clear-thinking data managers who always take a strategic approach to strategically important issues.)

Data is in danger at four points during its life: when it is accessed, when it is in transit, when it is stored, and when it is managed.  If the data in your data center is valuable, it probably makes sense to try understanding what threatens it, and then to ask how you can go about preempting those threats. 

Consider the following two questions:

First, have you undertaken a risk analysis within the last year to determine the vulnerability of your systems and the financial impact to your company that would occur if your data were compromised?  Of course you have!  But is senior management aware of the results of that analysis? Did you make the CEO’s office aware, for example, of the potential exposure to class action suits resulting from identity theft or poor management of sensitive stored data?  Is data security designated as one of the company’s critical concerns? 

Next, have you constructed a threat model to indicate where the attacks are likely to come from? Such a model that looks at stored data throughout its lifecycle might show you a number of interesting things.  For example, even though the data is maintained in an encrypted storage environment, is it safe as it travels across the storage-area network to, through, and out of the switch?  How susceptible to unauthorized access is the data once it leaves your network-attached storage device?

Threats come from both people and devices.  As you administer your storage assets it will make particularly good sense to pay attention to managing access and authentication to both sorts of users.  Have you implemented policies that manage your storage, and are those policies suitably granular so that they successfully enable access to those processes that warrant it, and deny right of entry to those that do not?

Simply because you have a firewall doesn’t mean you have protected your company’s data.  Unless of course, you have only happy employees, and never give outsiders access to the corporate infrastructure… or even a data port. 

When you start to put together a storage strategy, make sure that end-to-end security features are a part of it. For those of you who may have a concern, Brocade (http://www.brocade.com) has begun to pay particular attention to storage-area network security these days, and Kasten Chase (http://www.kastenchase.com) continues to look at security requirements for storage across the enterprise.  And there are other vendors as well.  Suffice it to say there is probably no good excuse left for not addressing any of your insecurities… at least as far as storage is concerned.