Information Security Magazine
Stopping the Next Heist
by W. Curtis Preston
Issue: Feb 2006
Step 1: Train storage personnel
Your first step to storage security may be convincing storage administrators that security is part of their responsibility. Network administrators understand that they can't build a network without putting in a firewall, and UNIX system administrators know to disable Telnet and FTP access to every server. However, your storage personnel may not be aware that security is as essential to their job as backups. They know to make frequent backups, and they know how to set up a RAID array, but they might not know how to protect that backup or their disk array from hackers--or that it's their job to do so.

This isn't a criticism of storage administrators. It's simply the nature of an industry that is still cutting its teeth. The concept of a dedicated storage or backup system administrator is less than 10 years old, and even some of the largest companies still don't have dedicated storage personnel. In addition, the connectivity, reliability and performance problems of many storage and backup systems put storage personnel in firefighting mode. They don't have time to learn about security; they're doing everything they can to keep the ship afloat.

Step 2: Identify regulations that could affect you
Laws like SB 1386--and the breaches they make public--are forcing organizations to address these storage security loopholes. SB 1386 requires companies that do business with customers in California to notify those customers if the company has lost control of their personal identity information, such as a Social Security or credit card number. If you've got evidence of someone hacking into your network and accessing personal information, or you've lost control of a plaintext backup tape with personal information on it, you're required by that law to notify California customers. If you're not able to notify them "within a reasonable time," you have to notify the media and post a notice on your company's Web site. At least 17 other states have established similar laws, and there are some federal laws in the works.

In addition to laws governing personal identity information, there are a number of regulations requiring proper maintenance of other types of information, such as medical records and financial transactions. While the details vary, all of these regulations have common traits. Generally, you must be able to do the following:

  • Access the information for a certain period of time, even in case of disaster or other loss.
  • Verify that the information was not modified.
  • Ensure that only authorized personnel had access to the information.
Thus, companies subject to regulations such as HIPAA and SOX must ensure that their data is maintained in a compliant manner. In short, that means your backups must work, and your external and internal security protections must not be compromised. Noncompliance can result in huge penalties and public exposure. Depending on the size of the company and the type of incident, the fines can be in the millions of dollars.
