
Monday, February 26, 2007

INDIA SECURITY DATA A SERIOUS ISSUE Securing Storage - Express Computer

Securing Storage

As enterprises consolidate their storage resources, they are facing the fact that tapes carrying data backups can be lost in transit, a trend that has forced businesses to look at storage security. By Akhtar Pasha.

In recent years ‘storage’ and ‘security’ were rarely placed in the same sentence. Earlier, storage was considered a system peripheral, controlled by a mainframe, midrange or server computer. As such, security for storage was a part of the host’s security set-up. As long as the host was protected against a malicious code attack or hacker, storage devices and stored information remained secure.

While the advantages of networked data storage technologies such as Network Attached Storage (NAS), Storage Area Networks (SAN) and iSCSI are well established in large enterprises, storing an organisation’s data on a network creates significant security risks. Data replication, backup, off-site mirroring, and other disaster recovery techniques increase the risk of unauthorised access from people both inside and outside the enterprise. Srikiran Raghavan, regional head, India, RSA (The Security Division of EMC) says, “As companies consolidate and centralise their data storage in data centres, vulnerabilities are emerging. At the same time companies have to comply with regulations. Both these factors have given a fillip to the market for data storage security products.” Perimeter-centric approaches to security ignore the fact that information lives and moves throughout its lifecycle. When data moves outside the protected perimeters that have been built, it is largely unprotected, leading to breaches and losses.

According to the Storage Networking Industry Association (SNIA) Europe, data in all its forms can come under attack but offsite storage is of particular concern. The extension of storage networks outside data centres and across IP networks makes data more vulnerable than ever. Manoj Suvarna, country manager, HP StorageWorks Division - TSG, HP India says, “While perimeter security is important in its own right, it does not adequately secure storage—especially when organisations begin to consolidate their storage infrastructure.”

For that reason companies are investing in security products such as encryption to protect not only ‘data in flight’ but also ‘data at rest’ on disc and tape. The proliferation of mobile data held on laptops and personal devices such as phones, PDAs and memory sticks makes the situation critical. Shailesh Agarwal, country manager-Storage, IBM India says, “Tape encryption is one way to secure storage.” He however feels that the problem is not as grave as it appears to be. He says, “More than securing networked storage, business should look at securing the data that is lying on the client device.” He explains that data residing on notebook PCs is in greater danger: a stolen notebook may hold the company’s entire business in concise form, as reports, balance sheets, profit/loss statements and the like. He favours storage policies over technology as a cure-all; businesses should, for example, disable all USB ports so that employees cannot carry data out on USB keys.

The need for secure storage

Recent highly-visible security breaches are causing companies to rethink security practices for data at rest in databases, storage networks, and during backup and disaster recovery. Research organisations such as Gartner, Enterprise Strategy Group (ESG) and the Computer Security Institute/FBI are closely following incidents related to data security. They have published troubling statistics about the cost and impact of security breaches, as organisations grow increasingly dependent on digital storage of their corporate data assets.

Gartner predicts that by end 2006, failure to encrypt credit card numbers stored in a database will be considered legal negligence in civil cases of unauthorised disclosures. And by end 2007, 80 percent of Fortune 1000 enterprises will encrypt most critical ‘data at rest’.

Suvarna says, “Storage security is top of the mind when it comes to IT heads or CIOs but in my opinion only 15 percent of them are actively thinking about storage security and the balance are focusing on effective utilisation of networked storage.”

Protecting confidential data: According to a recent ESG Research report, 47 percent of security professionals believe that at least half of their enterprise data could be classified as confidential. Again, since confidential and private information most often exists as data-at-rest (i.e. on storage), storage networks and devices must be protected from accidental or malicious breaches (i.e. application or hardware corruption of data, malicious code attacks, unauthorised data access, physical theft, etc). Raghavan says, “Another major driver for interest and investment in this area is the fear of public disclosure or customer scrutiny in sourcing. The series of media exposures around lost or stolen customer personal information or credit card data resulting in identity theft are a major concern for organisations wanting to increase customer confidence in their business processes.”

Soumitra Agarwal, marketing director, India, Network Appliance says, “BFSI and ITeS hold confidential customer information pertaining to their ATM pin number, account bank balance, credit card information etc, all of which are vulnerable whenever businesses are taking backups on disk, tapes and sending to their remote recovery centre either on- or off-site.”

Sivasankaran L, director-Storage Practice, Sun Microsystems says, “IT heads of BFSI and telecom companies agree that they need to regulate their storage security and they want to ensure that their customer data is protected and not lost. The CIO’s concern is how does it [storage security] affect us and what will be the quantum of loss eventually. The sooner they realise this, the faster is the adoption of storage security at various levels in data storage. Since most large businesses have understood the value of backing up their data at various stages and the cost of not doing it, the realisation is storage security is slowly seeping in.”

Adhering to regulations: ESG Research demonstrates that regulatory compliance is the primary driver of security policy and technology defences focused on protecting confidential data. With regard to storage, regulatory compliance demands protection of private data such as patient records (HIPAA) and financial customer information (GLBA); ITIL and ISO 27001 also apply, as does the Payment Card Industry Data Security Standard (PCI DSS), which is focused on the hospitality, travel and retail markets where credit card and customer personal information is exchanged. Security Breach Disclosure Laws require organisations that maintain personal information about individuals to inform those individuals if the security of their information is compromised. Raghavan adds, “Given the financial and legal implications of a breach or non-compliance, preventing unauthorised access to data and preserving its confidentiality and integrity are major security priorities for most organisations.”

Protecting tape-based data from loss or theft: Agarwal of NetApp says, “The phenomenon of storage security primarily stems from the fact there are increasing instances wherein backup tapes are being lost in transit or data on tape getting lost—this trend is pushing businesses to protect customer data. In addition to tapes being lost, various surveys point out the threat is from inside, which is why businesses are starting to encrypt data. As large businesses consolidate their storage, the threat perception rises.”

While there were many publicly-disclosed data breaches in 2006, some of the biggest incidents, at firms like Bank of America, Citibank, ABN Amro, and Marriott, were the result of lost backup tapes. These events resulted in embarrassing headlines, millions of dollars in unexpected costs and a new wave of paranoia around off-site storage rotation vulnerabilities.

Recent disclosures about the loss of backup tapes containing regulated customer data have led organisations to rethink their data protection strategies. Though the phenomenon of tape vaulting to third party service providers (such as Iron Mountain) is not evident in India, large enterprises are doing this themselves by sending their tapes to off-site locations.

Security holes

As attention is paid to compliance, confidential data protection, and information security, business and IT executives recognise the need for storage security. The question remains, however: where is storage most vulnerable? In other words, which areas of storage security need immediate attention?

Encryption can be deployed at three points in your backup environment: at the host within the OS or application software, at the tape drive, or in the network with a dedicated appliance. “Where you choose to deploy encryption will depend on customer requirements for performance, security, scalability, and overall ease of use and maintenance,” says Sivasankaran.

Storage security applications
  • Secure storage consolidation
  • Insider threat mitigation
  • Regulatory compliance
  • Database security
  • Secure tape backup and disaster recovery

Encryption at the Host level

Many applications, including backup applications, support encryption on the host server at a granular level based on the type of data. Application and server encryption solutions are often the least expensive, but they continue to pose challenges that have historically slowed the adoption of encryption. They affect application performance because they are usually software-based and entail CPU overhead. Because this type of security is tied to individual applications or servers, it can be complex to manage and maintain. For example, every patch or upgrade for either the operating system or the application software may affect the functioning of the built-in security. Server and application-specific encryption may have poor compatibility with other systems in a heterogeneous environment. The major drawback of the currently available encryption solutions at the server/host/backup application level is weak key management. Typically, encryption keys for this type of encryption are stored in clear text and are insecure. If application performance, long-term manageability, and encryption key security are priorities for you, these solutions will not be your best option.

Agarwal of NetApp says, “Most businesses fear that the servers that are running their applications and databases may not be able to do the additional job of encrypting data. This additional burden on servers will slow down the applications.” Sivasankaran adds, “Doing storage encryption at the host level can be taxing as we all know that 40 percent of the CPU time cycle would go into encrypting the data, which may bring down application performance.” He adds that NetApp (Decru) has taken a leap into this market with its separate storage security encryption appliances.

Agarwal of NetApp says, “One of the many advantages of using dedicated hardware for encryption is exceptional performance. Strong encryption is computationally expensive, and traditional, software-based encryption methods are notoriously slow and cumbersome to implement. In contrast, appliances can be deployed into an existing infrastructure in a matter of hours, without ever taking the data offline.”

NetApp has an early mover advantage with the acquisition of Decru, a storage security appliances company. The Decru solution represents the first and only unified platform for securing stored data across the enterprise, with support for NAS, DAS, SAN, Tape and iSCSI environments.

Currently CitiGroup is using Decru in India as a part of the global deal.

What’s available
  • NetApp: Decru DataFort storage security appliances offer wire-speed 256-bit encryption and granular access controls, strong authentication, and cryptographically-signed auditing to protect stored data.
  • HP: StorageWorks LUN Security XP Extension provides tools for advanced data protection for HP StorageWorks XP Disk Arrays. Storage administrators can protect datasets from being updated, copied, accessed, or queried after they have been initially created or written. LUN Security XP Extension has been designed to be part of a complete server, storage, and application solution by providing the key features necessary to assist in deploying a solution to address SEC regulatory compliance requirements for data retention. It employs 128-bit encryption.
  • HP: Reference Information Storage System (RISS) is an appliance with smart cell technology wherein data is stored securely with date and time stamping of all objects to mitigate risk and prevent tampering or changing of the retained records.
  • HP: Data Protector Software 6.0 provides 256-bit Advanced Encryption Standard (AES) encryption. AES helps to protect data from unauthorised access and allows backups to meet all compliance and regulatory requirements for government agencies and financial institutions.
  • IBM*: The TS1120 tape drive offers the ability to encrypt data at the tape-drive level, avoiding use of host resources. Since tape drives are already part of existing storage and backup infrastructure, using the drive itself to perform encryption has a cost advantage over buying and installing a dedicated piece of hardware just to encrypt data.
  • Sun Microsystems*: The StorageTek Crypto-Ready T10000 tape drive encrypts data with the AES-256 algorithm as it is written to the drive, regardless of the application, operating platform or primary storage device, and without impacting backup or restore times. Its StorageTek Crypto KMS (Key Management Station) manages keys used to encrypt and decrypt data on the StorageTek T10000 tape drive. It comprises a Sun Ultra 20 Workstation-based appliance running the Solaris 10 OS and Key Management Software. It utilises AES-256 encryption and is designed for compliance with the Federal Information Processing Standard 140-2 certification.
  * Both methodologies (IBM and Sun) enable users to encrypt data from the storage servers directly onto the tapes, whether they are using mainframes or Unix, Windows, AIX or Linux tape storage systems. IBM uses public-key encryption while Sun uses symmetric key encryption (AES-256), which uses the same key to both write and read data. Public key encryption is more computationally intensive and requires a much longer key than a symmetric key algorithm to achieve the same level of security.

Encrypting Tape Storage

Many manufacturers of tape drive backup systems have included encryption capabilities in their products and others are expected to follow suit. Being bundled with hardware, they are potentially cost-effective. They are also easy to implement because they do not require changes to servers or applications. Their most significant drawback is that they require a major upgrade effort to convert old tape drives and libraries to encryption-enabled systems. Further, encryption that is bundled with tape drives or libraries will not integrate well in environments with tape drives and libraries from multiple vendors. If you have a homogeneous tape backup infrastructure and are able to manage keys locally, you might want to consider this approach. Most storage vendors are focusing here.

Recommendations
  • Start evaluating storage security solutions immediately. It will take six months to evaluate products while analysing an enterprise’s requirements.
  • Choose security storage vendors whose products integrate with a directory strategy.
  • Require storage security vendors to provide integration services as part of the purchase. Vendors may not know your environment and unique requirements, and you have limited or no experience with their platforms.
  • Start with tape encryption to provide for the most data at the greatest risk. Remote backup to disk is the second priority.
  • To thoroughly protect mission-critical data in the data centre, data should be encrypted on primary systems before sending that data to backup.
  • When considering an encryption solution, keep in mind that key management is crucial. Encryption keys must themselves be encrypted when stored, and your encryption key management system will need to make the keys available whenever they are needed.

Encryption in the Network

The big advancement in securing data through encryption is the development of solutions that plug right into the network itself. In such security appliances, just about every impediment to securing backups by encryption has been solved. These solutions can be deployed with virtually zero downtime because they require no modification to applications, hosts, or servers. You no longer have to choose between compression and encryption—today’s encryption appliances are capable of compressing and then encrypting data at wire speeds, making them well suited for a wide variety of backup and recovery environments. Designed to provide the most robust security available, encryption appliances today come with strong logging capabilities, access controls, and secure key management systems. If application performance, long-term manageability, scalability, and encryption key security are priorities for you, these solutions will be your best option. In fact, whether or not you have other encryption solutions at the host or tape drive levels, it may still make good sense to have appliance-based solutions to complement your security.

RSA has a comprehensive approach to enterprise data protection (EDP), wherever that data resides. The EDP framework also addresses the management of associated encryption keys, access control and authentication.

Though storage security is very new to India, the driving factors for seriously considering it are the same as the global trends discussed above, and some IT heads of large businesses (BFSI and telecom) are seriously reviewing it. However, IT departments that have not implemented encryption because of old biases need to know that encryption technology has advanced to the point where the advantages of encryption are available without disruption to normal backup processes and tools.
