By Ann Silverthorn
A recent survey conducted by GlassHouse Technologies, a storage consulting and services provider, reveals that of the 344 participating companies 54% have no documented procedures for protecting stored data from theft or tampering, and a whopping 69% of executives rate their storage departments’ security readiness as “fair” or “poor” (see figure). The storage security report is the first in a planned series on data storage issues by GlassHouse.
The survey revealed that although CEOs and CIOs consider data storage protection to be one of the top IT issues for 2006, they are often operating under false assumptions. For instance, the lack of documented procedures for protecting stored data shows that these executives believe stored data is not as vulnerable as data on the LAN. For many companies, SANs are new and are seen as “islands” separated from the primary network. But the GlassHouse report disputes that view: “SAN infrastructures are expanding and are being connected to more and more systems. …In addition, most SANs are accessed for management purposes via the LAN.” The report concludes that “this dramatically increasing accessibility requires that SAN networks be treated with the same level of security that organizations apply to their corporate LANs.”
When considering online and offline data, 62% of the executives surveyed believe that online data poses more security threats than offline data (see figure), even though internal users have greater access to sensitive data. However, GlassHouse believes that the threat to offline data is under-rated. Security measures for online data are well-established, but the media where offline data is stored (e.g., backup tapes) is highly vulnerable to outside attacks.
Although they under-rate the threat to offline storage, the IT executives surveyed are in general highly aware of outside threats to their organizations. The survey also found that 61% of the respondents believe that external threats are more dangerous than internal ones. However, this is a mistaken assumption because internal users often have more access to sensitive data than is necessary.
Whether data resides online or off-line, or threats come from outside or inside, data that is not encrypted is vulnerable. In the GlassHouse survey, 80% of the companies do not use encryption for their backup data (see figure), despite highly publicized cases of backup tapes being stolen or lost.
In the past, this was understandable because of cost and complexity, but encryption technologies have been evolving, making key management easier, so GlassHouse strongly recommends that companies consider encrypting their backup data.
The primary motivating factor for executives to research storage security solutions is compliance.
“The survey results clearly show that those of us in the storage data security field have a lot of educating to do,” says W. Curtis Preston, GlassHouse’s VP of data security.
“Over the last year we’ve seen a steady increase in the number of CEOs and CIOs getting directly involved in data storage issues. That suggests to us that storage security is going to be near the top of the IT agenda.”
(Note: This survey and a white paper on best practices in storage security, “A 5-step Guide to Protecting Backup Data, Best Practices You Can’t Afford to Overlook,” are available at www.glass house.com.