A GlassHouse survey revealed slightly more than half the enterprises surveyed had no formal - documented - procedures for protecting enterprise data. Should there be such procedures? What are the disadvantages of doing without? This GlassHouse white paper explains the findings and discusses the topic.
2005 Storage Security Survey Results

EXECUTIVE SUMMARY

A recent survey conducted by GlassHouse reveals that more than half of the companies surveyed have no formal policies for protecting enterprise data from theft or tampering. In fact, 54% of storage managers from more than 300 companies around the world responded that they had no documented procedures for protecting enterprise data, and 70% of executives rated their storage department's data security as only fair or poor.

In the 2005 Storage Security survey, GlassHouse Technologies gauged the awareness of legal and financial threats posed by improperly secured data. The survey showed that many companies have a tenuous grip on data storage security issues, and in some cases are proceeding on wrong assumptions. Other insights from the survey were:

- 61 percent of survey respondents believe that external threats are more dangerous than internal threats, even though internal users have greater access to sensitive data;
- 80 percent of survey respondents said that they do not encrypt their backup data, despite highly publicized recent cases of backup tapes being stolen and lost; and
- 51 percent of survey respondents said the company's intellectual property was their greatest concern, even though there are greater legal consequences for mishandling customers' personal information.

At the strategic level, however, executives demonstrated a solid grasp of storage security issues: 80 percent identified either regulatory compliance or loss of public trust as the worst consequence of data theft.

HOW THE STORAGE SECURITY SURVEY WAS CONDUCTED

An e-mail request was sent out to storage executives around the world from multiple industries. They were asked to answer six questions in a web-based survey. Final survey results were collected from 344 storage managers over a twelve-day period from October 13 to October 24, 2005.
STORAGE MANAGEMENT SURVEY RESPONDENT INFORMATION

Job titles included: CIO, VP of IT, Director of IT, Director of Storage, Director of Security and Storage Manager. Countries included in the survey: United States, United Kingdom, Canada, China, Japan, Netherlands, India, South Africa and Mexico. Industries included in the survey were across the board and included Education, Financial Services, Pharmaceutical, Government, and High Tech.

2005 GlassHouse Technologies. Reproduction of this survey in any form without accreditation given to GlassHouse is forbidden. The information contained herein has been obtained from sources believed to be credible. GlassHouse disclaims all warranties as to the accuracy, completeness or adequacy of such information. GlassHouse shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

DO YOU HAVE DOCUMENTED SECURITY PROCEDURES IN PLACE FOR YOUR STORAGE INFRASTRUCTURE?

GLASSHOUSE PERSPECTIVE: The lack of documented storage security procedures indicated here demonstrates that a significant storage security gap exists within many environments. In many organizations, IT security is primarily focused on areas such as host access, network intrusion detection/prevention, and host-based threats like viruses. Storage has largely been ignored or perceived as a low-priority threat. One reason for this perception may be that networked storage is, for many environments, a relatively recent development. Coupled with the fact that in many of these environments fibre channel-based storage area networks (SANs) existed as somewhat independent islands, it was generally believed that these SANs were safe.
In fact, SAN infrastructures are expanding and are being connected to more and more systems. Instead of SAN islands, there is increasing interconnectivity over both fibre channel and TCP/IP. In addition, most SANs are accessed for management purposes via the LAN. This dramatically increasing accessibility requires that SAN networks be treated with the same level of security that organizations apply to their corporate LANs.

[Chart: percent of storage management with documented security procedures. No: 54%; Yes: 46%.]

WHICH OF THE FOLLOWING STATEMENTS DO YOU MOST STRONGLY AGREE WITH? OFF-LINE MEDIA POSES THE MOST SERIOUS THREAT TO STORED DATA? ONLINE INFORMATION POSES THE MOST SERIOUS THREAT TO STORED DATA?

[Chart: percent of storage management. Off-line: 38%; Online: 62%.]

GLASSHOUSE PERSPECTIVE: Storage management indicated that the security of off-line data is less of a threat than the security threat to online data. We believe that this risk is being underrated. While on-line data is typically protected within a secured data center and under well-controlled host access within the organization, off-line data is more likely to be stored on media that can be physically exposed to persons outside the corporation. Witness the many recent news stories about the loss of backup tapes, and consider the fact that every piece of critical data (hopefully) moves through the backup system and is most often stored on a piece of removable media. The security controls on the handling and disposition of this media have historically been minimal. While networks and servers have received considerable security attention, another logical entry point for someone with malicious intent toward corporate data would be this removable media. For this reason, it is critical to consider risks to both on-line and off-line data.

ARE YOU CURRENTLY ENCRYPTING YOUR BACKUP DATA?
[Chart: percent of storage management. Yes: 20%; No: 80%.]

GLASSHOUSE PERSPECTIVE: Given the administrative challenges of encryption key control and, traditionally, the lack of viable options for encrypting backup data, it is not surprising that a relatively small number of environments employ backup encryption. However, given the combination of off-site data risk, as discussed above, and the potential regulatory and legal exposure, we strongly recommend considering encryption of backup data. The good news is that technology, such as network-based encryption appliances, now exists to address many of the historic encryption challenges.

WHAT ARE YOU MOST CONCERNED ABOUT? LOSING PRIVATE CUSTOMER INFORMATION? LOSING YOUR COMPANY'S INTELLECTUAL PROPERTY?

[Chart: percent of storage management. Customer Data: 49%; Intellectual Property: 51%.]

GLASSHOUSE PERSPECTIVE: When storage management was asked whether they were most concerned about losing private customer information or losing their company's intellectual property, they indicated that they were split equally between the two. This is reasonable because both are highly undesirable and potentially damaging occurrences. Nonetheless, the visible penalty for losing customer information can be so damaging to an organization's reputation, to say nothing of legal exposure, that in some industries it should take precedence if a choice has to be made. Legislation relating to customer privacy includes industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act of 1999, as well as state legislation such as California's Security Breach Information Act (SB 1386) and New York's recent Information Security Breach and Notification Act.

WHAT'S MOTIVATING YOU TO RESEARCH STORAGE SECURITY SOLUTIONS? COMPLIANCE? RECENT HEADLINES? A RECENT DATA LOSS? SOMETHING ELSE?
[Chart: percent of storage management. Compliance: 57%; Headlines: 12%; Data loss: 3%; Something else: 28%.]

GLASSHOUSE PERSPECTIVE: It is not surprising that Compliance and Recent Headlines together account for nearly 70% of storage management interest in the security of their data. Legislation such as Sarbanes-Oxley, together with the numerous front-page headlines involving security breaches at major corporations, has raised security awareness to an all-time high. Regarding the factors contributing to the Something Else category, some possible elements might include auditor recommendation, adherence to corporate security policy, competitive pressures, or business interruption.

WHAT GRADE WOULD YOU GIVE YOUR STORAGE DEPARTMENT FOR SECURITY READINESS? GOOD? FAIR? POOR? DO NOT KNOW?

[Chart: percent of storage management. Good: 24%; Fair: 52%; Poor: 17%; Do not know: 7%.]

GLASSHOUSE PERSPECTIVE: The survey indicated that 69% of storage managers graded themselves either Fair or Poor when it came to security readiness. While somewhat alarming, it is wholly consistent with the previous responses relating to security policy and protection of backup data. Given the traditional lack of focus on storage security, the results suggest that in many environments storage managers are doing what they consider a fair job considering budget, staff and other priorities, but realize that they could be doing a better job. It also clearly indicates that there is substantial opportunity for improvement.

CONCLUSION

So what does it all mean, and what needs to be done? IT organizations have invested significantly and developed a high level of maturity in the protection of data as it is processed and transported across networks ("data in motion"). Standard security management practices applied daily to corporate networks, when compared to common practice 10 to 15 years ago, are dramatically more advanced. Unfortunately, the same cannot be said regarding the protection of stored data, or "data at rest".
For anyone tasked with the responsibility of establishing, implementing, and enforcing security policy, this represents a gaping hole. To address this problem, organizations should conduct a detailed review of their storage security practices for both on-line primary and off-line secondary storage. Current internal practices should then be evaluated against best practices, and a remediation plan developed based on prioritization of risks and threats, level of impact, and cost. A GlassHouse whitepaper outlining best practices in storage security is available on www.glasshouse.com.

About GlassHouse Technologies, Inc.

GlassHouse is the leading provider of independent services that help organizations solve the business problems of enterprise storage. From strategy through implementation, operations and customer support, GlassHouse partners with clients to achieve predictability and manageability in storage operations, enabling cost control, risk mitigation and increased service levels. GlassHouse clients include UBS, Exxon Mobil, Charles Schwab, Virgin Mobile, and The Guardian Life Insurance Company of America.
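The paper's backup-encryption section recommends encrypting backup data and names encryption key control as the historic administrative obstacle. The following is an added worked example, not GlassHouse's code and not a description of any particular appliance; the type and function names are assumed. It shows one way to keep key control off the media: each backup set is encrypted under a one-time data-encryption key (DEK) with AES-256-GCM, and the DEK is written to the tape only after being wrapped under a key-encryption key (KEK) that stays with the key management system. A lost tape then carries ciphertext plus a wrapped key that nobody without the KEK can open, and any tampering with the tape or its label is detected on restore rather than silently producing corrupted data. The sample records are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// BackupImage is what lands on the removable media (assumed structure).
// Only the label is in the clear; the DEK travels wrapped, and the KEK is
// never written to the tape.
type BackupImage struct {
	Label      string // backup-set identifier, also bound in as associated data
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Payload    []byte // nonce || AES-256-GCM(DEK, backup bytes)
}

// sealGCM encrypts and authenticates plaintext under a 32-byte key with a
// fresh random nonce, binding aad (here, the tape label) into the auth tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// openGCM reverses sealGCM. A wrong key, a modified ciphertext or a changed
// label all fail authentication and return an error, never garbage plaintext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// WriteBackup generates a one-time DEK for this backup set, encrypts the data
// under it, and wraps the DEK under the KEK (32 bytes, held by the KMS).
func WriteBackup(kek []byte, label string, data []byte) (*BackupImage, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	payload, err := sealGCM(dek, data, []byte(label))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(label))
	if err != nil {
		return nil, err
	}
	return &BackupImage{Label: label, WrappedDEK: wrapped, Payload: payload}, nil
}

// RestoreBackup needs the KEK from the key management system. The tape on its
// own, the wrong KEK, a relabelled tape or a tampered payload all yield an error.
func RestoreBackup(kek []byte, img *BackupImage) ([]byte, error) {
	dek, err := openGCM(kek, img.WrappedDEK, []byte(img.Label))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, img.Payload, []byte(img.Label))
}

func main() {
	kek := make([]byte, 32) // in practice generated and held by the KMS, not on media
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	records := []byte("constructed sample backup: acct=1001,name=Jane Doe") // constructed
	img, err := WriteBackup(kek, "weekly-full-set-001", records)
	if err != nil {
		panic(err)
	}
	out, err := RestoreBackup(kek, img)
	fmt.Println("restore with the real KEK succeeds:", err == nil && bytes.Equal(out, records))
	_, err = RestoreBackup(make([]byte, 32), img) // whoever holds only the tape
	fmt.Println("restore without the real KEK:", err)
	img.Payload[len(img.Payload)-1] ^= 0x01 // one flipped bit on the tape
	_, err = RestoreBackup(kek, img)
	fmt.Println("restore of a tampered tape:", err)
}
```

The label is passed as associated data so that a backup set cannot be quietly re-labelled and restored into the wrong context; the same mechanism is what makes the "without the KEK" and "tampered" cases fail closed. Rotating or destroying the KEK at the KMS is then what retires every tape wrapped under it, which is the key-control property the paper is pointing at.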