Popular Policies: Keeping Storage Secure
by Correy Voo - BT Global Security Practice - Thursday, 8 September 2005.
Secure storage of data has always been essential for any organisation, of whatever size. In the past this involved accurate filing of paper records, and then keeping the physical archive secure whether it was simply locking a filing cabinet, or guarding an entire building. Modern business technology may have virtualised much of this function, but the principle remains the same: preserving an accurate record of business activity, and ensuring that it is readily accessible to those who require it.

What has changed, however, is the regulatory environment within which many organisations now operate. Corporate governance legislation demands that certain information is retained securely, particularly when it relates to the financial management of the company and the manner in which it interacts with customers. Furthermore companies are required to manage their operational risks effectively through business continuity, which also relies on essential information being securely stored. As a result of recent high-profile cases of infringements, the regulators have become more vigilant, focusing on preventing any breaches, rather than post facto investigations. As a result secure storage and the protection of stored data has zoomed up the corporate agenda, and organisations need an effective policy for managing it.

There are three elements to any policy: people, processes and technology. It is tempting to focus almost exclusively on the IT, at the expense of everything else, and it is easy to see why. There are numerous technologies available for securing storage that operate at several levels. The data that is being stored can itself be secured through the use of encryption; digital certificates and watermarks; file splitting; or even highly locked down pdfs that prevent records being tampered with once they have been created and saved. In addition, the storage systems themselves can be protected. A new generation of wide area and caching systems can be used in conjunction with encryption technologies to preserve data when at rest, in transit or at presentation. Record management systems and storage-specific WORM (Write Once Read Many) products are also available to enhance archiving and storage security.

But, no matter how intelligent and sophisticated the technology, it is still subject to the whims of users. Its much harder to change human behaviour than it is to install systems. Ignoring the other two elements of the policy the people and the processes will inevitably compromise the capability of the technology to protect stored documents, databases and other information. Any policy must therefore take into account the way that employees currently work and should not constrict their ability to carry out their day to day tasks by introducing overly complicated procedures, and unnecessary red tape. People will simply find the easiest route to carrying out their job: and if that means bypassing the security policy then that is what the majority will do. If major behavioural changes are required, then these need to be carefully planned and gradually introduced.

Consider this scenario: a busy senior executive gives his PA his password to check his email, and with it all his access privileges to stored data. Its not an uncommon event, but it does present a potential security risk. Even if a policy forbids this, the chances are it will still happen, simply because it is the most convenient way for the senior executive to fulfil his role.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th