Striking the Balance Between Storage Security and Availability

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

Every business owner knows that information is much more than one of an organization’s strategic resources. In a very real way, information is the organization. For IT professionals, there is no shortage of challenges when it comes to protecting and efficiently managing such a vital asset.

The year 2005 was proof that loss of information can be detrimental to any organization. Almost every week another organization was involved in a security breach involving valuable corporate data or customer information, several of which involved stolen or lost backup tapes. As a result, high-profile organizations are scrambling to ensure more effective storage security and data protection, while concerns surrounding identity theft continue to mount among consumers. Adding to storage professionals’ anxiety is the amount of data that can be compromised on a single backup tape. Because of the concentrated pool of data they contain, a single tape can compromise more personal information than many of this year’s online break-ins.

Any good strategy for data storage protection includes a strategic balance between information availability and information security. IT managers today are tasked with maintaining this balance at a reasonable cost. It’s easy to make information completely secure—by locking it up in a safe, for example—but the trick is to also ensure that it is available when needed. However, by providing information access, there are always risks, which generally fall into four main categories:

Malicious attacks: Organized crime has moved online and will continue to do so in 2006 with a variety of tricks, including the latest flavors of worms, viruses, bot networks, and phishing attacks. During 2005, there has been a noted shift from pesky virus writers looking for attention, to more organized, malicious attackers seeking financial gain. Human error: To err is human, and unfortunately it happens all too often. Employees leave laptops in airplanes, trip over wires, or cause system crashes. Or, as in one high-profile case from 2005, storage tapes are simply lost in transport. Infrastructure failures: IT infrastructures are not foolproof and all it takes is a power loss, or a server failure to lose business-critical information. Natural disasters: 2005 also reminded us how quickly natural disasters can strike and bring any business to its knees. According to Gartner, 50 percent of enterprises that lack a recovery plan go out of business within one year of a significant disaster.

A good strategy for effective storage security should take all of these risks into consideration. Data and information on its own is not valuable to any organization. Applications, servers and operating systems must be up and running to make use of information and to maintain the highest degree of information availability and integrity.

As IT managers and storage professionals plan for 2006, storage security should be top-of-mind. By implementing the following best practices, organizations can avoid many of the embarrassing storage security incidents that made news in 2005.

Online Data Protection

Organizations should maintain multiple point-in-time copies of data for uninterrupted operation. Also, for a higher level of online data protection, consider replicating to another location in either real-time (synchronous replication), or very near real time (asynchronous replication).

Encrypt data

Unencrypted data is always going to be subject to some level of risk. A recent survey by Enterprise Strategy Group noted that 60 percent of storage professionals said they never encrypt backup tapes and only 7 percent do so routinely. Storage professionals should focus on encrypting any data going outside the company or facility. Also, ensure there is a plan for decryption and the appropriate individuals have access to the encryption keys.

Physical security measures

In addition to encryption, add another layer of security by using shipping boxes that can’t be easily opened when transporting backup tapes. Also, determine if unused ports to the network are disabled and lockable racks and cabinets are locked. Consider using a backup product that includes a vault option for keeping track of containers full of media. Also, be particularly careful about securing and encrypting data while it’s in transport and keep track of all of the organization’s backup tape with a detailed inventory. Create a plan for finding missing backup tapes.

Lock down process, manage data throughout the lifecycle

Storage professionals should avoid retaining backup tapes longer than necessary. One organization kept data longer than required, leaving information vulnerable and ultimately resulting in a recent security breach. A plan for managing data and information from creation to deletion will ensure that only the information that is needed remains accessible. Information should be analyzed when it’s created or received and then assigned an appropriate policy for management and deletion or retention.

In addition to taking the obvious step of not using manufacturers’ default passwords for data storage access, organizations should also have a clear plan for changing passwords often and use separate IDs and passwords for each user. Also, storage professionals should ensure that they are choosing the correct storage option for their data. For example, data that does not need to be accessed often can be easily saved on tapes, rather than wasting space on more expensive disk-based storage options.

Access control is another basic security measure that should be in place within any organization. IT should implement granular control of who can access data and the applications that manage data, providing appropriate rights and permissions to various types of data.

Consider Disk-to-Disk-to-Tape

While backing up to and securing tape is important, “Recoverability” is even more critical. Organizations should consider a combination of disk and tape-based solutions to ensure the integrity of information. Disk-based solutions provide ease-of-use and recoverability, ultimately ensuring a more effective recovery strategy. Storage professionals should deploy the combination of disk and tape solutions that works best for their organizations and provides the benefits of both technologies.

Compliance Drives Concerns

By implementing these best practices, organizations can not only gain the trust of consumers by avoiding embarrassing and potentially damaging data and information losses, but also comply with industry regulations. All public companies are feeling greater regulatory pressure to improve information security because of the Sarbanes-Oxley Act, which includes control over data security as one of the audit criteria for proper corporate governance.

Additionally, laws such as the California Security Breach Information Act (SB-1386) have called more attention to the problem and increased consumer awareness surrounding identity theft and personal data protection. The California law requires organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised. The Act stipulates that if there’s a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained information. The far-reaching law affects organizations outside California as it applies to anyone who might have a customer or conduct business with an entity within California. Additionally, 26 states now have laws similar to SB-1386.


Demands to have an always-on IT infrastructure will continue to increase while threats are constantly evolving based on profit motives. Not only is it important for enterprises to protect their stored data by deploying the best practices discussed, it is of paramount importance that they continue to reexamine their storage security strategy, consider any new information access requirement, ensure regulatory compliance and keep a few steps ahead of potential data storage loss.