Storage Security Becoming A Top Concern

Charles Kolodgy, research director for secure content and threat management products at IDC, said an IDC survey shows that as the value of corporate data has risen, improved security of information and information systems has jumped to fourth place in a long list of the most urgent IT improvements.

Kolodgy was addressing a crowd of end users at the Storage Networking World conference, being held this week in San Diego.

Brian McCarthy, president and owner of Sencilo, a Lake Mary, Fla.-based storage security solution provider, said that the two topics go hand-in-hand today because of issues related to regulatory compliance.

"People are looking for better performance and higher capacity," McCarthy said. "But they are also telling us they just talked to their legal people and CIOs, and they are concerned. We don't have to sell them on storage security. They've seen the pain and read the headlines."

The threats to a company's data are no longer coming from "kiddie scripts" targeting enterprises, but are more and more coming from professional hackers and crackers looking to access data from any-size business, said Kolodgy. "This raises the bar on what you need for security," he said. "Small companies? All information is wanted by someone. No matter what your size."

Threats to a company's data include trojans, viruses and worms, as well as spyware, spam, application vulnerabilities, hackers and wireless LANs, Kolodgy said. "These tactical threats are after the bits, either to take your bits or keep you from accessing them," he said.

Compounding the problem is the fact that implementing security is harder than it looks because of the balance between security and the ability to access data for legitimate business reasons, said Kolodgy.

"It can be fully secure, but hard to get access to," he said. "Or it can be fully open, but anyone can access it. Also, security solutions cannot increase costs. You have to mitigate the costs, or show the extra value."

Nonsecure data is causing headlines, Kolodgy said. In 2005, security breaches at ChoicePoint, LexisNexis, MCI and the Bank of America resulted in stolen account information or Social Security numbers for a minimum of 580,000 customers. Also during the year, missing data backup tapes from Bank of America, Ameritrade, Time Warner and CitiGroup had the potential of exposing the account information or Social Security numbers of 5.9 million people, he said.

Part of the solution to data security is to ensure that standard security measures are in place, said Kolodgy. These include implementing firewalls and VPNs; intrusion detection and prevention technology; security and vulnerability management technology; identity and access management technology; and security content management capabilities, he said.

In addition, new technologies like encryption of data-in-transit and data-at-rest are becoming essential, he said. Data-in-transit refers to data that is being moved, typically by backup tapes but also over IP networks. Data-at-rest refers to data sitting on hard drives.

"Storage security is a combination of many components, not just one," he said. "There is no magic bullet."

During the question-and-answer period following Kolodgy's presentation, a member of the audience asked why it is important to protect data-at-rest when it is sitting on hard drives in a company's data center and protected by a wide range of other security measures.

Another member of the audience answered the question, saying that for storage consolidation purposes, it may be necessary to bring different departments onto a common storage infrastructure, and by encrypting the data for each department separately, it prevents nondepartmental personnel from accessing it. That user cited the Department of Defense as one place where such a regimen is already being implemented.

Sencilo's McCarthy said that encrypting data-at-rest is just as important as securing data-in-transit, especially in the midrange. "What if someone comes in at night and steals a couple of servers?" he said. "That's one of the biggest fears of midrange customers."