Train storage personnel
Your first step to storage security may be convincing storage administrators that security is part of their responsibility. Network administrators understand that they can't build a network without putting in a firewall, and UNIX system administrators know to disable Telnet and FTP access to every server. However, your storage personnel may not be aware that security is as essential to their job as backups. They know to make frequent backups, and they know how to set up a RAID array, but they might not know how to protect that backup or their disk array from hackers--or that it's their job to do so.
This isn't a criticism of storage administrators. It's simply the nature of an industry that is still cutting its teeth. The concept of a dedicated storage or backup system administrator is less than 10 years old, and even some of the largest companies still don't have dedicated storage personnel. In addition, the connectivity, reliability and performance problems of many storage and backup systems put storage personnel in firefighting mode. They don't have time to learn about security; they're doing everything they can to keep the ship afloat.
Identify regulations that could affect you
Laws like SB 1386--and the breaches they make public--are forcing organizations to address these storage security loopholes. SB 1386 requires companies that do business with customers in California
In addition to laws governing personal identity information, there are a number of regulations requiring proper maintenance of other types of information, such as medical records and financial transactions. While the details vary, all of these regulations have common traits. Generally, you must be able to do the following:
- Access the information for a certain period of time, even in case of disaster or other loss.
- Verify that the information was not modified.
- Ensure that only authorized personnel had access to the information.
This was first published in February 2006