Decru's 'Ten things to know when selecting storage solutions' white paper discusses storage security. You might well find it a useful aide-memoire. It's little use consolidating storage if you leave the access gates wide open.
By Steve Willson, Technical Director EMEA, Decru 10 THINGS TO KNOW WHEN SELECTING A STORAGE SECURITY SOLUTION With data threats and security breaches at an all time high, protecting sensitive information is a major concern for organisations around the world. Unfortunately, many companies leave terabytes of business-critical information sitting in storage networks, unprotected. Protecting sensitive information is a key concern as organisations seek to grow their businesses and keep costs at bay. By consolidating multiple storage islands into one or two large data centres, organisations can increase asset utilisation and reduce management costs. But with consolidation comes risk. Rogue employees, third-party contractors and external hackers all know that storage networks are the weakest link in an organisation s defence shield. A single breach into a large data centre can expose terabytes of data and result in significant damages to an organisation s business and reputation. To mitigate these risks, a number of vendors have begun offering storage security solutions. Storage security solutions, however, were not created equal. Before selecting a storage security solution, organisations must evaluate them based on the following criteria: 1. Hardware-based -- Traditional software encryption solutions weren t designed for high-speed storage networks. Subsequently, they suffer from a number of shortcomings, such as low performance, high operational cost, and incomplete protection. Because of these shortcomings, any robust storage security solution must maintain all security functions in a separate, secure hardware platform that conducts all security functions in secure hardware, with a separate layer of password and smart card authentication. 2. Invisible to the user -- Storage security solutions must be transparent to existing infrastructures, applications and workflow. They must not require custom integration with applications, servers, or desktops, and must be easily deployed without taking key applications offline. In other words they must not disrupt the business. 3. Encryption keys are always protected -- Key management is often the weakest component of encryption systems. Encryption keys, tickets and credentials must not be exposed in cleartext on any unprotected operating system. Keys must be encrypted whenever they are exposed outside the secure hardware and key management systems must automate key backups to ensure that hardware failures are easily recoverable. The system should allow cryptographically secure replication, sharing, and deletion of keys. The cryptographic protection of key management and clustering Untitled Document should be at least as strong as the keys themselves (e.g. it is inappropriate to protect AES-256 keys with RSA encryption). 4. Works across all storage networks -- Organisations manage enormous amounts of sensitive data across heterogeneous environments. Any robust storage security solution must provide a single, integrated platform for securing data, regardless of where it resides (NAS, DAS, SAN or tape). 5. Easy maintenance -- Storage security solutions must be easily and securely managed via Web and CLI interfaces. Clusters of devices should be manageable as a group, common tasks should be scriptable and compatibility with SNMP monitoring is required. Administrator access should be secured by two-factor authentication (e.g. password and smart card or other token). Additionally, multiple administrator roles should be supported, allowing contractors or junior team members to manage rudimentary tasks without gaining access to sensitive functionality. 6. Agent software is strictly optional --The cost and complexity of deploying agent software across thousands of desktops and servers is prohibitive. Moreover, the wide variety of operating systems and versions, as well as ongoing updates and patches, makes this approach costly and unreliable. The storage security solution must be able to perform all primary functions transparently with only optional features delivered through selective software agents. 7. Virtual storage vaults -- In today s environment, cost and manageability concerns are driving consolidation of information and applications onto shared storage systems. Storage security solutions must provide the ability to cryptographically compartmentalise data on shared devices or networks, and customise access controls and security requirements for each vault. This is particularly important in enforcing need to know policies and protecting information from the risk of insider theft. 8. Complete interoperability -- The storage security solution must interoperate seamlessly with all major operating systems, network and storage vendors. Interoperability testing and certification with major vendors, such as IBM, HP, EMC, NetApp, Hitachi, McDATA, Brocade, Veritas, Legato and Cisco is highly desirable. 9. Tried and tested -- Encryption algorithms and implementations must have been validated and certified by third-party evaluation labs. Official certifications such as FIPS 140-2 Level 3, NIST encryption certification and Common Criteria are highly desired. 10. Fully recoverable -- In case an organisation s storage infrastructure is made inoperable, the storage security solution must provide for multi-layered recovery capabilities to insure uninterrupted access to encrypted data. Recovery and availability methods should include clustering, cloning and software-based recovery. All recovery methods must be protected by security measures such as two-factor authentication and quorum requirements (the two-man rule ).