Striking the Balance Between Storage Security and Availability
by Glenn Groshans, Director of the Data Management Group at Symantec - Monday, 26 June 2006.
In addition to encryption, add another layer of security by using shipping boxes that can't be easily opened when transporting backup tapes. Also, verify that unused network ports are disabled and that lockable racks and cabinets are locked. Consider using a backup product that includes a vault option for keeping track of containers full of media. Be particularly careful about securing and encrypting data while it's in transport, and keep track of all of the organization's backup tapes with a detailed inventory. Create a plan for finding missing backup tapes.

Lock down process, manage data throughout the lifecycle

Storage professionals should avoid retaining backup tapes longer than necessary. One organization kept data longer than required, leaving information vulnerable and ultimately resulting in a recent security breach. A plan for managing data and information from creation to deletion will ensure that only the information that is needed remains accessible. Information should be analyzed when it's created or received and then assigned an appropriate policy for management and deletion or retention.

In addition to taking the obvious step of not using manufacturers' default passwords for data storage access, organizations should also have a clear plan for changing passwords often and use separate IDs and passwords for each user. Also, storage professionals should ensure that they are choosing the correct storage option for their data. For example, data that does not need to be accessed often can be easily saved on tapes, rather than wasting space on more expensive disk-based storage options.

Access control is another basic security measure that should be in place within any organization. IT should implement granular control of who can access data and the applications that manage data, providing appropriate rights and permissions to various types of data.

Consider Disk-to-Disk-to-Tape

While backing up to and securing tape is important, "Recoverability" is even more critical. Organizations should consider a combination of disk and tape-based solutions to ensure the integrity of information. Disk-based solutions provide ease-of-use and recoverability, ultimately ensuring a more effective recovery strategy. Storage professionals should deploy the combination of disk and tape solutions that works best for their organizations and provides the benefits of both technologies.

Compliance Drives Concerns

By implementing these best practices, organizations can not only gain the trust of consumers by avoiding embarrassing and potentially damaging data and information losses, but also comply with industry regulations. All public companies are feeling greater regulatory pressure to improve information security because of the Sarbanes-Oxley Act, which includes control over data security as one of the audit criteria for proper corporate governance.

Additionally, laws such as the California Security Breach Information Act (SB-1386) have called more attention to the problem and increased consumer awareness surrounding identity theft and personal data protection. The California law requires organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised. The Act stipulates that if there's a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained information. The far-reaching law affects organizations outside California as it applies to anyone who might have a customer or conduct business with an entity within California. Additionally, 26 states now have laws similar to SB-1386.


