The loss or theft of customer details can be a publicity disaster for a business. Antony Adshead looks at how to keep your vital data safe
There is a sure-fire way of getting your company into the news: lose some customer data. Bank of America did and so did Citibank.
This kind of publicity can cost a company a lot of money. It may have to inform hundreds of thousands of account holders of the breach, as when Bank of America lost 1.2 million charge card records in March 2005. It may also have to pay for resetting compromised account details and replacing cards.
But the biggest cost of all is the damage a company suffers to its reputation. Trust is critical for businesses that hold personal financial information – if they lose it, their customers will simply go elsewhere.
Storage media are where a business keeps its “crown jewels”, and specialised methods of storage often mean the bulk of such assets are held in one place. So what are the threats to your stored data? And how can you do as much as possible to keep it out of the news?
As well as straightforward theft, a business has to guard against all forms of alteration and disclosure of data – intentional or accidental – for reasons ranging from business best practice and disaster recovery to legal and regulatory obligations.
Paul Talbut, chairman of the Storage Networking Industry Association Europe (SNIA), says that data in all forms can come under attack but offsite storage is of particular concern.
“The extension of storage networks outside the datacentres and across IP networks makes data more vulnerable,” says Talbut. “For that reason companies are investing in security products such as encryption to protect ‘data in flight’ but also ‘data at rest’ on disc and tape. The proliferation of mobile data held on laptops and personal devices such as phones, PDAs and memory sticks makes the situation critical.”
The two key areas of vulnerability are when data is moving across the network and when it is held in a portable form such as on tape or disc, or on a laptop or handheld.
On a local area network, security is applied at a number of levels. To get to storage assets, such as storage area networks (Sans), intruders must first break through the network, server and application layers of your system. Only then can they be served data from storage networks that are not secured. However, many intruders are getting through these defences, and in different ways, so there is no alternative to keeping up to date with the latest methods of protection.
“Traditional Fibre Channel Sans have security mechanisms such as Lun [logical unit number] masking and zoning to ensure that logical storage units are presented only to appropriate hosts,” says Cap Gemini security architect Andy Thompson. “Devices should use mutual authentication based on the host’s unique WWN [World Wide Name – a 64-bit address used in Fibre Channel networks].”
Thompson advises organisations to keep on top of the progress of technologies such as Fibre Channel Secure Protocol and the separation of traffic using IP-based protocols such as iSCSI from other IP traffic using virtual Lans and virtual private networks. “Network-attached storage devices should follow a similar set of guidelines and be located on dedicated network segments where access is controlled,” he adds.
Removable or mobile devices present a different set of concerns, and it is instructive to look at the Bank of America case. Back-up tapes were lost while being transported by air. The lost tapes contained information on about £11bn worth of transactions carried out by 1.2 million US citizens.
Moving back-up tapes to external vaults is a common enough occurrence, so what went wrong? The short answer is that the tapes went missing, never to be found again. The long answer illustrates how organisations should be approaching storage security.
“Risk assessment techniques should have been used to value the information contained on the back-up tapes,” says Thompson. “And given the value of this information, the organisation’s storage security policy should have provided clear guidelines on what security controls were required to protect this information. This includes ensuring that security is correctly managed where third-party relationships are involved.”
In other words, Bank of America needed to match the value of the data with the level of security required during transport. So what are the options for effective data security?
It is worth weighing up whether electronic means of transport are better, says Carl Douglas, technology consultant at systems integrator Morse. “Where valuable data needs to be moved offsite, businesses need to weigh up the risks of transporting it physically versus electronically,” he says. “Physical transportation can be expensive and prone to human error. Electronic transfer is quicker and can give immediate confirmation that the data has reached the intended site.”
Assuming that electronic transfer was out of the question – perhaps because of the sheer volume of data – the main thing Bank of America failed to do was ensure that even if the tapes fell into the wrong hands, they could not be read. In other words, the tapes should have been encrypted.
It is an all too familiar error, says Susan Clarke, senior research analyst at Butler Group. “There have been many instances of organisations losing back-up tapes, and in most of the cases it has been in transit,” she says. “In all the instances that have been publicised, the organisations involved failed to encrypt their tapes, and most involved sensitive data on individuals.
“This is a tremendous failing on the part of the organisations involved. Any data that is to be moved offsite – either electronically via a back-up service or physically for tape storage – must be encrypted. Even after the first cases had been publicised, organisations using offsite storage facilities failed to take heed and continued to send unencrypted tapes.”
One of the factors that puts organisations off encrypting back-up tapes is that it takes longer to restore data, but this has to be balanced against the damage caused by data theft.
Clarke suggests a workaround: create an archive for non-live data that must be restorable quickly – in effect a disaster recovery site for data that must be available immediately and for which downtime is not acceptable – and reserve back-up tapes for non-critical data where speedy recovery is not vital.
If, following risk assessment, it is deemed appropriate to physically transport storage media in encrypted form, there are ways to boost that security further still. Guy Bunker, chief scientist at Symantec, says it can be protected – logically and physically.
“Consider separating pieces of data out,” says Bunker, “for example, putting names and addresses on a different piece of physical storage from credit card or social security numbers. Following that, perhaps encrypt both lots of data with different keys.”
With encryption, though, comes the need to manage it. Encrypted data needs keys to unlock it – if you cannot unlock it, all the trouble you have taken to keep it out of the hands of unauthorised parties is for naught.
Key management has to be thought through, says Graham Titterington, principal analyst at Ovum. “The problem becomes one of the management of keys, especially if the data is being held for a long time. Without the key, the data becomes worthless. Keys need to be managed carefully – with permission to access them granted to individuals, or by role perhaps. There also needs to be a succession plan in place.”
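The following Go program is an added illustration of the two points above (Bunker's separate keys for separate pieces of data, and Titterington's key management by role with a succession plan); it is not code from the article or from any of the vendors quoted. It uses AES-256-GCM from Go's standard library. Each compartment of a backup set ("identity", "cards") is encrypted under its own data key, and that data key is stored only wrapped under the key-encryption key of each role allowed to restore it, so a custodian can hand access to a successor by re-wrapping the data key without touching the bulk data. The compartment names, role names and sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Compartment is one slice of a backup set (e.g. "identity" or "cards") with its
// own data key (DEK), stored only wrapped under each authorised role's KEK.
type Compartment struct {
	Name        string
	Data        []byte            // nonce || AES-256-GCM ciphertext of the payload
	WrappedKeys map[string][]byte // role -> nonce || AES-256-GCM ciphertext of the DEK
}

// NewKey returns 32 random bytes, usable as a DEK or as a role's KEK.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return k
}

// aeadFor builds AES-GCM for a 32-byte key; a wrong length is a programming error.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only errors for a non-standard block size
	return g
}

// sealGCM returns nonce || ciphertext; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) []byte {
	g := aeadFor(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}

// openGCM reverses sealGCM; any change to the blob or aad makes it fail.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	g := aeadFor(key)
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], aad)
}

// EncryptCompartment encrypts payload under a fresh DEK and wraps that DEK for
// the owning role. The name is bound in as AAD so blobs cannot be relabelled.
func EncryptCompartment(name string, payload []byte, role string, kek []byte) *Compartment {
	dek := NewKey()
	c := &Compartment{Name: name, Data: sealGCM(dek, payload, []byte(name)), WrappedKeys: map[string][]byte{}}
	c.WrappedKeys[role] = sealGCM(kek, dek, []byte(name+"/"+role))
	return c
}

// unwrapDEK recovers the DEK with one role's KEK; a wrong KEK fails authentication.
func unwrapDEK(c *Compartment, role string, kek []byte) ([]byte, error) {
	w, ok := c.WrappedKeys[role]
	if !ok {
		return nil, fmt.Errorf("%s: no key wrapped for role %q", c.Name, role)
	}
	return openGCM(kek, w, []byte(c.Name+"/"+role))
}

// DecryptCompartment restores the payload for a role holding a valid KEK.
func DecryptCompartment(c *Compartment, role string, kek []byte) ([]byte, error) {
	dek, err := unwrapDEK(c, role, kek)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, c.Data, []byte(c.Name))
}

// GrantRole is the succession step: a custodian whose KEK still unwraps the DEK
// re-wraps it for a new role. The bulk data on the tape is not touched.
func GrantRole(c *Compartment, grantorRole string, grantorKEK []byte, newRole string, newKEK []byte) error {
	dek, err := unwrapDEK(c, grantorRole, grantorKEK)
	if err != nil {
		return err
	}
	c.WrappedKeys[newRole] = sealGCM(newKEK, dek, []byte(c.Name+"/"+newRole))
	return nil
}

func main() {
	opsKEK := NewKey()
	c := EncryptCompartment("identity", []byte("J Bloggs, 1 High St"), "ops", opsKEK) // constructed record
	fmt.Println(DecryptCompartment(c, "ops", opsKEK))
}
```

The design choice worth noting is that the wrapped keys, not the data, are what a key-management process has to look after: losing every KEK that unwraps a compartment makes that compartment worthless (Titterington's point), while losing the KEK for one compartment leaves the others restorable (Bunker's point), and a succession handover is a small re-wrap rather than a re-encryption of a tape set.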
Whether you are dealing with data on networks or removable media, the nuts and bolts of what you do with it is a mere component of a storage security strategy. If you are not putting things in a strategic context, you’re either working the wrong way round or reacting to a security incident. Getting a strategy in place is not only safer, it could help give you competitive advantage over business rivals who need to adopt reactive procedures to security breaches.
The best place to start is to consider the whole picture, says Hamish Macarthur, of IT market analyst Macarthur Stroud International.
“Start from the viewpoint of data protection practices as a whole – have a holistic viewpoint,” he says. “Ask yourself, are your data protection practices sound? Ensure data protection, disaster recovery and business continuity issues are dealt with. You should not be leaking data, unaware perhaps of groups of users who should not be using data, or not actually knowing what data is on your systems.”
That is also the advice of SNIA. It recommends a risk assessment of all assets and matching identified risk with a 10-point approach (see box). The aim is a checklist of best practices: securing storage management against basic oversights such as leaving manufacturer defaults in place, identifying all storage interfaces, creating separate domains for different risk categories, and logging all events on the storage network to identify traffic that may indicate a security incident.
The advice is thorough but Talbut says that even when you carry out such a comprehensive audit, you cannot stand still.
“To be proactive, companies should regularly review the assessment. Systems change constantly, and there should be periodic security tests and checks on the system,” he says.
It is sound advice, and should keep your business out of the news.
After a comprehensive risk assessment of all your storage assets, you should:
- Secure storage management points, such as administrator accounts, interfaces, consoles and management applications.
- Identify and assess all storage interfaces. Know where they are and what they are.
- Create risk domains. Separate out different categories of traffic.
- Monitor and control physical access.
- Avoid failures due to common mistakes such as not resetting factory defaults, know your software assets, and maintain and upgrade them to an explicit schedule.
- Address data security compliance, including authentication, authorisation and access controls as well as logging management events.
- Protect externalised data. Use secure and bonded shippers and encrypt data.
- Understand the exposures. Make sure you know about all possible security vulnerabilities.
- Implement appropriate service continuity. Business continuity and disaster recovery plans should be in place.
- Use event logging. Collect data on events in the storage environment and be able to analyse them.
Source: Storage Networking Industry Association
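As an added example of the last two items in the box (logging management events and being able to analyse them), and not code from SNIA or the article, the following Go program runs three simple rules over constructed storage management log lines: a successful login with a vendor default account (the "not resetting factory defaults" mistake), a burst of failed logins against the management interface, and a zoning or LUN-masking change outside the agreed change window. The "timestamp device kind key=value" log format, the device names, addresses and WWNs are all constructed for the example and do not come from any real switch or array.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Alert is one finding raised by the rules in Analyse.
type Alert struct {
	Rule string
	Line string
}

// event is one parsed record of the constructed "<RFC3339> <device> <kind> k=v ..." format.
type event struct {
	ts     time.Time
	kind   string // auth, zone or lunmask
	fields map[string]string
}

// DefaultAccounts are vendor accounts that should have been renamed or disabled.
var DefaultAccounts = map[string]bool{"admin": true, "root": true}

// SampleLog is constructed sample data in the format above, not output from any real device.
var SampleLog = []string{
	"2005-03-01T23:05:00Z san-sw01 auth user=storadm src=10.0.5.20 result=OK",
	"2005-03-01T23:06:10Z san-sw01 zone action=ADD zone=db_hosts member=20:00:00:25:b5:01:02:03",
	"2005-03-02T13:40:01Z san-sw01 auth user=admin src=10.0.9.77 result=FAIL",
	"2005-03-02T13:40:14Z san-sw01 auth user=admin src=10.0.9.77 result=FAIL",
	"2005-03-02T13:40:27Z san-sw01 auth user=admin src=10.0.9.77 result=FAIL",
	"2005-03-02T13:41:02Z san-sw01 auth user=admin src=10.0.9.77 result=OK",
	"2005-03-02T13:42:30Z san-sw01 lunmask action=MAP lun=7 host=20:00:00:25:b5:aa:bb:cc",
}

func parseEvent(line string) (event, bool) {
	parts := strings.Fields(line)
	if len(parts) < 3 {
		return event{}, false
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return event{}, false
	}
	ev := event{ts: ts, kind: parts[2], fields: map[string]string{}}
	for _, kv := range parts[3:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.fields[k] = v
		}
	}
	return ev, true
}

// inWindow reports whether hour h lies in [start, end), wrapping past midnight (e.g. 22 to 2).
func inWindow(h, start, end int) bool {
	if start <= end {
		return h >= start && h < end
	}
	return h >= start || h < end
}

// Analyse applies three rules: a successful login with a default account, a third failed login
// from one source within five minutes of the first, and any zoning or LUN-masking change
// outside the change window [windowStart, windowEnd) in UTC hours.
func Analyse(lines []string, windowStart, windowEnd int) []Alert {
	var alerts []Alert
	firstFail, nFail := map[string]time.Time{}, map[string]int{}
	for _, line := range lines {
		ev, ok := parseEvent(line)
		if !ok {
			continue
		}
		switch ev.kind {
		case "auth":
			user, src, result := ev.fields["user"], ev.fields["src"], ev.fields["result"]
			if result == "OK" && DefaultAccounts[user] {
				alerts = append(alerts, Alert{"default-account-login", line})
			}
			if result == "FAIL" {
				if nFail[src] == 0 || ev.ts.Sub(firstFail[src]) > 5*time.Minute {
					firstFail[src], nFail[src] = ev.ts, 0
				}
				nFail[src]++
				if nFail[src] == 3 {
					alerts = append(alerts, Alert{"failed-login-burst", line})
				}
			}
		case "zone", "lunmask":
			if !inWindow(ev.ts.UTC().Hour(), windowStart, windowEnd) {
				alerts = append(alerts, Alert{"change-outside-window", line})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyse(SampleLog, 22, 2) {
		fmt.Printf("%-22s %s\n", a.Rule, a.Line)
	}
}
```

Run as written, the zoning change made from the named administrator account inside the 22:00 to 02:00 window raises nothing, while the daytime sequence of three failures followed by a successful "admin" login and a LUN mapping change produces one alert per rule. In production the three thresholds (account list, burst size and window, change window) would come from the storage security policy rather than being fixed in code, and an unparseable line would itself deserve an alert.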