The year 2005 was proof that loss of information can be detrimental to any organization. Almost every week another organization was involved in a security breach involving valuable corporate data or customer information, several of which involved stolen or lost backup tapes. As a result, high-profile organizations are scrambling to ensure more effective storage security and data protection, while concerns surrounding identity theft continue to mount among consumers. Adding to storage professionalsí anxiety is the amount of data that can be compromised on a single backup tape. Because of the concentrated pool of data they contain, a single tape can compromise more personal information than many of this yearís online break-ins.
Any good strategy for data storage protection includes a strategic balance between information availability and information security. IT managers today are tasked with maintaining this balance at a reasonable cost. Itís easy to make information completely secureóby locking it up in a safe, for exampleóbut the trick is to also ensure that it is available when needed. However, by providing information access, there are always risks, which generally fall into four main categories:
Malicious attacks: Organized crime has moved online and will continue to do so in 2006 with a variety of tricks, including the latest flavors of worms, viruses, bot networks, and phishing attacks. During 2005, there has been a noted shift from pesky virus writers looking for attention, to more organized, malicious attackers seeking financial gain. Human error: To err is human, and unfortunately it happens all too often. Employees leave laptops in airplanes, trip over wires, or cause system crashes. Or, as in one high-profile case from 2005, storage tapes are simply lost in transport. Infrastructure failures: IT infrastructures are not foolproof and all it takes is a power loss, or a server failure to lose business-critical information. Natural disasters: 2005 also reminded us how quickly natural disasters can strike and bring any business to its knees. According to Gartner, 50 percent of enterprises that lack a recovery plan go out of business within one year of a significant disaster.
A good strategy for effective storage security should take all of these risks into consideration. Data and information on its own is not valuable to any organization. Applications, servers and operating systems must be up and running to make use of information and to maintain the highest degree of information availability and integrity.
As IT managers and storage professionals plan for 2006, storage security should be top-of-mind. By implementing the following best practices, organizations can avoid many of the embarrassing storage security incidents that made news in 2005.
Online Data Protection
Organizations should maintain multiple point-in-time copies of data for uninterrupted operation. Also, for a higher level of online data protection, consider replicating to another location in either real-time (synchronous replication), or very near real time (asynchronous replication).
Unencrypted data is always going to be subject to some level of risk. A recent survey by Enterprise Strategy Group noted that 60 percent of storage professionals said they never encrypt backup tapes and only 7 percent do so routinely. Storage professionals should focus on encrypting any data going outside the company or facility. Also, ensure there is a plan for decryption and the appropriate individuals have access to the encryption keys.
Physical security measures