Data storage security is a wide-ranging area that covers everything from legal compliance, through preparedness for e-discovery requests to user access control and the physical security of data storage. In this podcast interview, SearchStorage.co.UK Bureau Chief Antony Adshead speaks with Mathieu Gorge, CEO of VigiTrust, about the key components that make up a storage security strategy. You can listen to the interview as an MP3 or read the transcript below.
SearchStorage.co.UK: What is data storage security?
Gorge: Storage security deals with any type of security around the storage architecture and the data stored on it.
First we need to look at why we need to be concerned with storage security, and there are two or three aspects to this.
The first one is around regulation and the legal frameworks that cover data retention and potentially e-discovery. In the UK we have to look at e-discovery mandates, the Data Protection Act, electronic health records etc. -- all of which might have mandates dictating that data has to be retrieved at some stage, which means the way it is stored has to be 100% managed by the organisation.
There are also standards such as PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001 which have requirements for data storage, and I'll look at that later on.
In terms of data, we're talking about that which is stored on a SAN or NAS or any other product that can store data, so we need to understand that not all information is created equal. The security needs of a type of data must reflect the value of that data. It's up to the organisation to assign that value, whether it be a business value or a security value.
We have to look at the notion of information lifecycle management (ILM) and ask how is the data created, how is it acquired, where has it been stored, has it been de-materialised and have you secured that whole process?
So really, data storage security is only one part of the whole security strategy, but it's a very important part and it's vital that storage security features highly in the organisation's overall security strategy.
SearchStorage.co.UK: What are the key elements in a data storage security strategy?
Gorge: The first thing is that you need to understand the security risks against the information assets and data that you store. There are different types of risk: physical access to the systems on which the information is stored; logical access: who has access to the operating systems, applications and files? It really depends on how granular you want to get in analysing the risk.
And those risks should be based on the security value of the data you're trying to protect, which goes back to the well-known "CIA" concept of confidentiality, integrity and availability. In other words, how confidential is the data, do you need to make sure no one can tamper with the data and who can avail themselves of the data? The availability of the data is very important with regard to storage security.
The best way to deal with that is to have a mix of policies and procedures, technical solutions and training. Examples of policies and procedures you might want to include in a storage security strategy would start with a data acquisition policy that would be in line with data retention and data protection regimes that apply to your organisation; a storage policy that is more of a technical policy; a user access policy; and a disposal policy such that when the data is end-of-life you know what to do with it. All this must meet the information lifecycle of the data you're trying to protect.
In terms of technical solutions there's a lot of talk about whether data needs to be encrypted or not. Typically, data should be encrypted at rest and in motion, which means that if you use a NAS or SAN you might want to look at how you manage the encryption keys, using access controls to guarantee you know who can access the data at any given stage. The other thing to look at is capacity planning. You'll end up saving and storing a lot of data so you need to ensure you're using data deduplication so that you're not saving the data several times. That's also part of the security strategy because you may be saving information that you're not supposed to save.
Finally, there is disaster recovery and business continuity, making sure that the availability of the stored data doesn't impinge on security if you need to access the data at short notice.
So really it's a case of integrating data storage into the overall security policy. In fact, ISO 27001 covers all of that, and as an example PCI DSS has published a frequently asked questions document on storage covering encryption of data, which data is allowed to be stored under PCI, and also physical data storage, because that's one of the areas that's often forgotten in a data security strategy.
I would highly recommend that people consider looking at the documents published by the security technical working group of SNIA, which published a very good white paper in 2009 titled "Introduction to Storage Security," and which will help your organisation get started with the right plan.