Online Data Protection
Organizations should maintain multiple point-in-time copies of data for uninterrupted operation. Also, for a higher level of online data protection, consider replicating to another location either in real time (synchronous replication) or in very near real time (asynchronous replication).
Encrypt data
Unencrypted data is always going to be subject to some level of risk. A recent survey by Enterprise Strategy Group noted that 60 percent of storage professionals said they never encrypt backup tapes and only 7 percent do so routinely. Storage professionals should focus on encrypting any data going outside the company or facility. Also, ensure there is a plan for decryption and the appropriate individuals have access to the encryption keys.
Physical security measures
In addition to encryption, add another layer of security by using shipping boxes that can’t be easily opened when transporting backup tapes. Also, verify that unused network ports are disabled and that lockable racks and cabinets are kept locked. Consider using a backup product that includes a vault option for keeping track of containers full of media. Be particularly careful about securing and encrypting data while it’s in transit, and keep track of all of the organization’s backup tapes with a detailed inventory. Create a plan for finding missing backup tapes.
Lock down process, manage data throughout the lifecycle
Storage professionals should avoid retaining backup tapes longer than necessary. One organization kept data longer than required, leaving information vulnerable and ultimately resulting in a recent security breach. A plan for managing data and information from creation to deletion will ensure that only the information that is needed remains accessible. Information should be analyzed when it’s created or received and then assigned an appropriate policy for management and deletion or retention.
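The inventory and retention checks described above can be run as a routine audit. The following is an added example, not part of the original article: the data classes, retention periods, transit limit and inventory field names are all assumptions, and the sample inventory is constructed.

```python
from datetime import date, timedelta

# Assumed retention policy in days per data class (constructed for this example).
RETENTION_DAYS = {"financial": 2555, "email": 365, "scratch": 30}
# Assumed limit before a tape still in transit triggers the missing-tape plan.
MAX_TRANSIT_DAYS = 3

# Constructed sample inventory; a real one would be exported from the
# backup product's media catalog or vault-tracking option.
INVENTORY = [
    {"id": "T0001", "cls": "financial", "written": date(2012, 1, 10),
     "location": "offsite", "encrypted": True, "last_seen": date(2013, 5, 1)},
    {"id": "T0002", "cls": "email", "written": date(2011, 11, 3),
     "location": "offsite", "encrypted": False, "last_seen": date(2013, 4, 2)},
    {"id": "T0003", "cls": "scratch", "written": date(2013, 5, 10),
     "location": "transit", "encrypted": True, "last_seen": date(2013, 5, 14)},
    {"id": "T0004", "cls": "hr", "written": date(2013, 4, 1),
     "location": "onsite", "encrypted": False, "last_seen": date(2013, 5, 20)},
]

def audit(inventory, today):
    """Return (tape_id, finding) pairs for tapes that violate the plan."""
    findings = []
    for tape in inventory:
        days = RETENTION_DAYS.get(tape["cls"])
        if days is None:
            # Data was never assigned a management policy at creation.
            findings.append((tape["id"], "NO_POLICY"))
        elif today > tape["written"] + timedelta(days=days):
            # Kept longer than necessary: schedule destruction.
            findings.append((tape["id"], "PAST_RETENTION"))
        if tape["location"] != "onsite" and not tape["encrypted"]:
            # Anything leaving the facility should be encrypted.
            findings.append((tape["id"], "UNENCRYPTED_OFFSITE"))
        overdue = (today - tape["last_seen"]).days > MAX_TRANSIT_DAYS
        if tape["location"] == "transit" and overdue:
            # Start the plan for finding missing backup tapes.
            findings.append((tape["id"], "OVERDUE_IN_TRANSIT"))
    return findings

if __name__ == "__main__":
    for tape_id, finding in audit(INVENTORY, date(2013, 5, 22)):
        print(tape_id, finding)
```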
In addition to taking the obvious step of not using manufacturers’ default passwords for data storage access, organizations should also have a clear plan for changing passwords often and should use separate IDs and passwords for each user. Also, storage professionals should ensure that they are choosing the correct storage option for their data. For example, data that does not need to be accessed often can be easily saved on tapes, rather than wasting space on more expensive disk-based storage options.
Access control is another basic security measure that should be in place within any organization. IT should implement granular control of who can access data and the applications that manage data, providing appropriate rights and permissions to various types of data.
Consider Disk-to-Disk-to-Tape