The chain runs from storage systems on the back-end to users on the front-end and requires a blending of security, storage, application, and database skills. This article emphasizes database security.
By Eric Ogren
The role of storage professionals is expanding as corporations race to protect against inadvertent leakage of consumer information and confidential data. The last thing that any enterprise wants to see is its name spread over the front page because it had to disclose the exposure of customer data. It can take years for your business to recover the trust that is lost when customers question the ability to secure sensitive information. Integrating information security with network security and IT programs will be one of high tech’s hottest activities this year.
Protecting sensitive data from exposure entails coordinated security all along the chain from storage systems at the back-end to end users at the front-end, as shown in the figure, below.
Leveraging the expertise of storage professionals is critical to the success of establishing a reliable chain of data security. If a storage structure, database, application server, or Web server is compromised, then so is the data. Data may be encrypted in the storage network, but if the database is vulnerable when the data is decrypted for delivery to an application, then the entire storage security effort is defeated. Enterprises are blending the top security, storage, application, and database skills in the company to improve their data security profile.
When most people think of network security they think of a strong technical perimeter where unauthorized users or data are blocked from accessing the network. Security teams man the ramparts of firewalls, identity and access management systems, and anti-virus software to allow IT the freedom it needs to support the business. This model of protecting against inbound threats has been the accepted best practice for years, with a belief that most security concerns were resolved well before storage was affected. This is reflected in recent surveys by the Enterprise Strategy Group (ESG) showing that 90% of storage professionals believe their storage infrastructures are very secure, as shown in the figure, below.
The greatest new influence in storage security is the risk to the business from unauthorized exposure of consumer information. Storage teams have been doing their part to secure corporate data, but changes in business drivers are broadening the roles of storage professionals. It is no longer enough to keep evil intrusions away from the business. Storage teams must now also protect the enterprise against inadvertent leakage of critical data, where the leakage often involves internal users violating authorized application use policies.
This new emphasis on the chain of data security is reflected in compliance with the requirements of regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Payment Card Industry Data Security Standard. In particular, specifications on controlling privileged user access, auditing activity affecting sensitive data, and judiciously encrypting data both at rest and in transit are challenging cross-functional teams all along the chain of data security.
Storage security building blocks
Storage security is a core element of an enterprise program for strengthening the chain of data security. While there are many features to drive product comparisons, the five to focus on are the following:
■ Support the business: Security issues are irrelevant if the storage product cannot meet corporate business requirements. Storage security must clear business hurdles for performance, reliability, and administration;
■ Control access to storage: Restrict access to storage systems to authorized users and processes only. Make sure there are no access paths that avoid security processes at the database or applications;
■ Segregate system management: Privileged users may have the power to subvert security mechanisms. Segregate access to system management functions to retain checks and balances between security and operational teams;
■ Apply transparent encryption and key management: This is especially critical for offline storage that may not be under the control of data-center security; and
■ Audit and assess storage activity: Keep log files, audit activity, and assess security performance on a regular basis.
ESG recommends that every large enterprise evaluate high-speed inline storage security appliances from vendors such as EMC, Kasten Chase, NeoScale, and Network Appliance to secure storage.
Storage teams can more easily protect data residing in secure storage within the data center, where access is limited and comprehensive audit trails allow teams to monitor and improve the security process. However, archived data is often stored off-site, away from the controls at the data center. This information is seldom protected against unauthorized viewing, as shown in the figure, above.
Archived information can be every bit as sensitive as information persisting on primary storage. Securing this data throughout the archive process is a problem that is easy to fix. Device manufacturers are placing automatic encryption into controllers, and service companies are building archive security into their processes. ESG recommends that sensitive data - whether it resides in structured databases, unstructured file servers, or streamed to transaction log files - be specially marked for secure archival. Be sure that key management procedures are reliable to be able to recover encrypted archives.
Most of the enterprise’s sensitive data resides in databases, followed by file-share repositories for documents and e-mail content, respectively. In the chain of data security, strong storage security measures can only be as effective as the strength of security for the associated databases. ESG research shows that enterprises report that 86% of their storage security breaches originate with internal sources, as shown in the figure, above. Data security for databases has a very similar profile.
Coordination among storage, database, and application teams pays the tidiest dividends here, as many of the database security issues are shared with storage and applications.
The most obvious point of coordination is transparent encryption. Depending on business requirements, it may be more effective to encrypt data at the database, instead of in the storage network. Database encryption vendors such as Ingrian, nCipher, Protegrity, and Vormetric can select the database tables and columns that should be encrypted, while leaving the rest untouched for easier handling. For example, a financial application within a large enterprise may have tens of thousands of tables in its database. However, only a couple of hundred of them may contain data that PCI requires to be encrypted, and that data may only exist in specific fields of the database table. The PCI standard, which applies to firms handling credit card transactions, is driving database encryption deployments with its mandate for strong cryptography for sensitive cardholder data wherever that data appears.
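The following added example, which is not from the article or from any vendor it names, shows one way to find the few columns that actually hold card numbers so that only those are marked for encryption. It assumes a SQLite database and a constructed sample schema; the function names, sample size, and match threshold are illustrative assumptions.

```python
import re
import sqlite3

PAN_RE = re.compile(r"^\d{13,19}$")  # card numbers are 13 to 19 digits

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value) -> bool:
    """True if the value, ignoring spaces and dashes, is a Luhn-valid PAN."""
    s = "" if value is None else re.sub(r"[ -]", "", str(value))
    return bool(PAN_RE.match(s)) and luhn_ok(s)

def columns_to_encrypt(conn, sample_rows=200, threshold=0.5):
    """Return sorted (table, column) pairs whose sampled values are mostly PANs."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                (sample_rows,)).fetchall()
            matches = sum(looks_like_pan(r[0]) for r in rows)
            if rows and matches / len(rows) >= threshold:
                hits.append((table, col))
    return sorted(hits)

def build_sample_db():
    """Constructed sample data; the card numbers are public test values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, phone TEXT);
        CREATE TABLE payments (id INTEGER, card_number TEXT, amount REAL);
        CREATE TABLE orders (id INTEGER, tracking_no TEXT);
        INSERT INTO customers VALUES (1, 'A. Example', '5551234567');
        INSERT INTO payments VALUES (1, '4111 1111 1111 1111', 19.99), (2, '5555-5555-5555-4444', 5.00);
        INSERT INTO orders VALUES (1, '1234567890123456');
    """)
    return conn
```

On the sample data only `payments.card_number` is flagged; the 16-digit tracking number is rejected because it fails the Luhn check, which keeps lookalike numeric columns out of the encryption scope.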
Database security products that specialize in interpreting SQL and application behavior can be deployed as either appliances on network segments in front of the data center or as host software installed on each instance of corporate database servers. Each approach has its set of technical, operational, and organizational advantages that must be considered.
Database security appliances are passively deployed on the network, operating on real-time copies of traffic to avoid placement on the SQL data path. There is no risk of increased transaction latency or interruption of traffic flow to the database. Consider database appliances for these characteristics:
■ Non-invasive to databases: Appliances connect directly to the network without consuming resources or other side effects on the database servers;
■ Processes raw inbound and outbound data: Appliances see all of the transactions to the database and can correlate return statuses, including error codes that may not be seen at the host;
■ Segregation of duties: A network appliance is comfortably managed by network and security teams, away from the purview of application and database owners; and
■ Scale: A single appliance in the network can support many downstream databases.
The largest downside to database appliances is an inability to see local activity, especially with privileged users, on the database itself. If the information is not on the network, then an appliance simply cannot see it. Leading vendors to consider for database security appliances include Crossroads, Guardium, Imperva, and IPlocks.
Host database security software is installed on each instance of a database server. Database owners that are more comfortable with software solutions in the data center than with appliances in the network will prefer the host software approach.
Consider host-resident database security for the following:
■ Detailed inspection of all user activity: Only host software can adequately monitor local activity of privileged administrators;
■ Assessment and auditing of entire database: Host software also oversees security controls for items such as data dictionaries and schemas, execution of stored procedures, and access rights to the complete database environment; and
■ Organizational alignment with application owners: Interpretation of application behavior requires insight into business logic for security decisions with fewer false alarms.
The largest downside to host software is the administrative overhead of managing what could be hundreds of software agents scattered throughout the enterprise. Vendors to consider for host database security include Application Security and Lumigent, as well as database vendors IBM, Microsoft, and Oracle.
A discussion of application server security is beyond the scope of this article. These approaches focus on Web interfaces, before the commands are translated to SQL transactions.
As with databases, there are appliance and software approaches to be considered. Recommended appliance vendors are Citrix, F5, Netcontinuum, and Protegrity. The short list of software vendors to consider is Fortify, SPI Dynamics, and Watchfire. Including application servers completes the chain of data security within the enterprise.
■ Form a cross-functional Data Storage Security Council with expert representatives from applications, databases, storage, security, and corporate audit: Use trend data derived from audit and assessment processes to communicate to executive management the corporation’s ability to cost-effectively protect sensitive data;
■ Assess databases and storage structures for sensitive data: There are too many read-only transactions to log and audit everything. Information that is healthcare-related or otherwise contains information related to personal identity, as well as company confidential material, should be marked for the full data security treatment of access control, encrypted storage, and audit mechanisms; and
■ Encrypt archived sensitive data now: It is imperative to use cryptography on archived storage. The technology exists and it can be implemented without impacting performance of production applications. Check out capabilities from EMC, IBM, Iron Mountain, or Network Appliance to get started.
As with anything in the corporate world, budget allocations drive operational priorities. To date, the investment in storage security has been moderate with no responses in the ESG research showing a high level of storage security investment, as shown in the figure on p. 30, bottom right. Interviews with chief security officers indicate that portions of internal network security and host security are being applied to the data security problem. Break down the technical buckets of security investment to reflect the integrated demands of data security. Use the team approach to define budget investments based on the chain of data security problem.
There is much work remaining to protect your customer’s information and your company’s confidential data. Securing access to the storage system is only the beginning.
Proper coordination among teams reduces duplication of work and leads to a balanced solution. The chain of data security mandates that storage, database, and application security efforts stay aligned for maximum impact.
Eric Ogren is a security analyst with the Enterprise Strategy Group research and consulting firm (www.enterprisestrategygoup.com).