By Ann Silverthorn
—A recent survey conducted by GlassHouse Technologies, a storage consulting and services provider, reveals that of the more than 300 participating companies 54% have no documented procedures for protecting stored data, and a whopping 70% of executives rate their storage departments' data storage security readiness as fair or poor (see Figures 1 and 2). The survey is the first in a planned series on data storage issues.
The findings from the "2005 Data Storage Security Survey" were based on the responses of executives in government, telecommunications, technology, energy, financial services, aerospace, and healthcare worldwide.
The survey revealed that although CEOs and CIOs consider data storage protection to be one of the top IT issues for 2006, they are often operating under false assumptions. For instance, the lack of documented procedures for protecting stored data shows that these executives believe stored data is not as vulnerable as data on the LAN. For many companies, SANs are new and are seen as "islands" separated from the network. But the GlassHouse report disputes that view: "SAN infrastructures are expanding and are being connected to more and more systems. . . . In addition, most SANs are accessed for management purposes via the LAN," according to the report.
When considering online and offline data, 62% of the executives surveyed believe that online data is faced with more security threats than offline data. However, GlassHouse believes that the threat to offline data is underrated. Security measures for online data are well-established, but the media where offline data is stored (e.g. backup tapes) is highly vulnerable to outside attacks.
Although they underrate the threat to offline storage, the IT executives surveyed are in general highly aware of outside threats to their organizations. The survey also found that 61% of respondents believe that external threats are more dangerous than internal threats. However, this is a mistaken assumption because internal users often have more access to sensitive data than is necessary.
Whether data resides online or offline, or threats come from outside or inside, data that is not encrypted is vulnerable. Of the executives surveyed, 85% do not use encryption for their backup data. In the past, this was understandable because of cost and complexity, but encryption technologies have been evolving, making key management easier, so GlassHouse strongly recommends that companies encrypt their backup data.
"The survey results clearly show that those of us in the storage data security field have a lot of educating to do," says W. Curtis Preston, GlassHouse's vice president of data security. "Over the last year we've seen a steady increase in the number of CEOs and CIOs getting directly involved in data storage issues. That suggests to us that storage security is going to be near the top of the IT agenda."
The survey also revealed that the strongest motivator for executives to research storage security is compliance (see Figure 3).
This survey and a white paper on best practices in storage security, "A 5-step Guide to Protecting Backup Data, Best Practices You Can't Afford to Overlook," is available at www.glasshouse.com.