By Heidi Biggar
According to a recent end-user survey conducted by the Enterprise Strategy Group (ESG) consulting firm, storage security is a lingering and growing problem among companies of all sizes and across all industries.
ESG polled 388 storage professionals and 128 security professionals about their information security and storage security practices. Not surprisingly, the survey revealed that while "information security" is a top IT priority in most organizations, "storage security" is still, for the most part, a secondary consideration.
ESG defines information security as any method used to protect the confidentiality, integrity, or availability of proprietary corporate information, including network security, identity management, anti-virus protection, and access control.
Storage security, meanwhile, refers to methods specific to storage networking, including storage management software, encryption, data classification, and security measures related to other hardware components (e.g., disk arrays, SAN switches, etc.).
"People know storage networks are open, but they are putting more effort into building out the storage network than they are in securing it," says Jon Oltsik, ESG senior analyst and lead author of the Storage Security Perspectives survey.
ESG is one of a growing number of research and consulting firms that believe that storage security, if left unchecked, could become a significant problem for IT organizations going forward, if it isn't already.
"The situation gets to be explosive as more and more devices are added to the SAN," says Oltsik. "The more devices there are, the harder it is to keep things under control."
One of the objectives of the ESG survey was to identify areas where storage security processes and technologies were either absent or ignored. The firm looked specifically at storage management tools, tape encryption, and data classification, uncovering some significant security lapses with each.
In general, Oltsik says storage management tools are "believed to be a major storage security vulnerability" because of issues with the way passwords are stored (i.e., in cleartext), the way data is transmitted (over insecure protocols in clear-text), and how the applications are managed (e.g., using insecure management protocols, such as SNMP V1).
The problem with encryption and data classification, meanwhile, stems from the fact that they are not widely used.
Only 16% of the survey respondents said they "always" or "frequently" encrypt data when backing up to tape while 72% said they either "didn't" or "didn't know" if they encrypted their data. Twelve percent said they encrypted "infrequently."
As for whether they classified their data, 40% of the respondents said they did classify their data while 60% said they "didn't" or "didn't know" if they did (although 20% of those respondents said they planned to in the future). Based on survey findings, Oltsik says there appears to be a high correlation between data classification and overall security practices. Of those respondents who said their IT departments were "extremely diligent" about information security, 48% said they classified their data and another 17% said they planned to in the future.
InfoStor will examine these issues, as well as the processes and technologies that can be put in place to help IT professionals secure storage networks, in detail over the next few issues as part of its multi-part series on storage security: How secure is your storage?
This article serves as a springboard for a broader discussion about storage security; it gauges current IT interest in and concern about storage security based on findings from the recent ESG survey.
According to the survey, the majority of storage and security professionals believe they have information security and storage security under control, though more emphasis is currently put on information security than storage security.
Of the 388 storage professionals polled in the survey, 64% described their companies' information security practices as "extremely diligent," while 15% said that they believed their storage infrastructures were "very secure" (see figure below).
About 75% of respondents said they believed that their storage infrastructures were "secure;" however, 8% said that their storage infrastructures were "insecure" while 2% "didn't know."
Interestingly, when ESG posed the same question to 128 security professionals, 16% said that they thought their storage infrastructures were "insecure." ESG attributes this incongruity to a general disconnect between storage and security professionals. "Storage people don't really understand security and security people don't really know storage," says Oltsik.
To bridge this gap, most experts agree that companies need to cross-train their IT staff on security and storage. Also, vendors of storage systems need to do a better job of training their staff about the security features of their products and conveying this information to potential customers.
"Storage is a laggard in security," says Oltsik. "As security people say, you're only as secure as your weakest link in the security chain, and storage is a weak link right now."
While Oltsik acknowledges that it is still a lot easier to breach the security of a server versus a storage system, he says that storage security, not just system performance and availability, should factor into storage purchasing decisions.
"Storage is all about performance and availability," says Oltsik. "Security isn't sexy, but even a 2% risk [of a security breach] is too high."
Of the 388 storage professionals polled in the survey, 7% reported having experienced a storage security breach, while 12% said they "didn't know" if they have ever had a security breach and 8% said they "couldn't tell" if they have had a breach or not (see figure above).
When asked about any concerns they have about implementing storage security technologies, 42% of the respondents cited incremental cost as a primary issue; 36% said they were concerned about performance-related problems, and 33% were concerned about data-recovery issues (see figure, above).
But a general sense of trepidation among users about implementing storage security technologies may be more telling about the overall state of storage security than concerns about the cost and performance of security products, according to Oltsik.
To the same question, 27% of respondents said they were concerned about the level of knowledge their storage experts had about security, and 26% cited similar concerns about their security experts' knowledge base.
These findings may, in part, explain why nearly one-third of the storage professionals in the survey said that their information security policies and procedures don't currently include data storage technologies (see figure, right).
However, of those respondents who claim that their security policies and policies do not include storage technologies, 55% also said that their IT departments only address information security when necessary and only 16% claimed that their IT departments are "extremely diligent" about information security, according to Oltsik.
As for the future, Oltsik paints a different picture—one in which storage security is the norm rather than the exception: "Compliance is the number-one driver, but all the security risks they're finding out there—many of which don't apply directly to storage—have people really thinking about storage security."
Oltsik says users can expect to see vendors address the storage security problem with services centered on security policies and processes, not just technologies. "The biggest need—and, therefore, the biggest opportunity—is in security services," he says.