View from the Hill - Storage Security by
- editor - StorageSearch.com
- September 16, 2003
Storage Security covers a wide area of
products, services and applications and has meant different things at different
In the late 1980's I noticed that my defense and intelligence
customers would, whenever they left their offices, unplug the removable disk
shuttles from their workstations and lock them in solid filing cabinets which
were built like safes with two heavy duty padlocks. Since there were armed
guards on the gates going into those establishments, and electrified fences I
knew they weren't worried about burglars. I remember joking once to a customer
at GCHQ (that's the UK
equivalent of the NSA - if you're not familiar with
Tom Clancy settings) that my own
insurance company insisted on having window locks on all the ground floor
windows of my house and that they didn't seem to have any... surely a weak
point since anyone could just hop in.
I, too, took physical security
seriously, but I wasn't worried that anyone would be interested in stealing our
obscure software and schematics. As a Sun OEM and VAR I decided that we
wouldn't use the low cost pizza box disk storage which became fashionable at
that time. Sun's ads used to claim that you could now store all your company
data and run your applications on these little boxes. This exaggeration was
designed to show the contrast between the speedy little SPARCstation 2 servers
which were three times faster than the older VAX minicomputers which cost ten
times as much and needed air conditioned computer rooms.
how our office cleaners used to move around the stuff on people's desks when
they were dusting, I got worried that one night all our data might just end up
falling off a desk, crashing the disks. One of my engineers used to have about
seven monitors connected to the different systems he was working on, and his
desks used to get wobbly enough without any external help. So I decided that my
form of physical security would be to use one of our production VME based SPARC
servers as the R & D data store. This sat on the floor and was a two man
lift. You could hit it with a hammer without doing any harm. Our VME crates had
been type tested for RFI and physical vibration immunity by the electricity
generating company who used them as high speed dataloggers when testing large
electrical spikes across the national grid. So although it cost more than the
pizza boxes, I didn't have to worry about minor physical accidents.
I even found, one morning, that the system had protected our data against a
small fire which filled our offices with smoke, luckily when no one was there.
That was an added bonus.
In today's computing environment, every
company is under threat every second of every day. Not only do you have to block
out malicious viruses which come down the wires in your email, but terrorists
and criminals probe and attack every internet connected server so they can
steal computing resources for sending out junk email, or steal your credit card
data or shut down your web site. Recently a company that my wife consults for as
a marketer was upgrading their database and operating system. In the ten
minutes or so that their system was running without a new firewall, every PC and
server was trashed by viruses in both their sites. It took days to restore
operation. The upgrade was being done by an IT services company.
The role of data security products is to protect against external and internal
threats to your data
integrity, while not impeding the smooth flow of legitimate information
throughout your organization. Managing storage security is a very
complicated task because it involves actions at so many different levels. Some
security service companies can audit your current networks and recommend how you
can fix vulnerabilities. A marketing manager in one of those storage security
companies told me recently that no one likes to admit that they have security
problems, but even security conscious companies like banks are vulnerable. There
have been several well publicised occasions when online banks and other major
financial institutions have had security lapses which exposed all their
customer details to anyone who wanted to take a look.
No single product
can fix all the problems and hazards created by networked storage. A good
approach is to go back and look at what works for physical security like my old
customers in the defense world.
Outside you have the signs warning
unauthorized people to keep away. On the approach road you have the concrete
pillars to deter suicide ram raids by trucks laden with explosive. At the
perimeter you have the barbed wire fences and the armed guards at the gate.
Overhead you have constant helicopter patrols, and inside the perimeter you
have surveillance by cameras, listening devices and foot patrols. And if an
intruder gets that far, he may still be deterred when he discovers that what he
wants is in a locked room. Inside that room is a locked steel case. And the data
is inside the case. And just to make sure it's all encrypted.
In that data there are fake entries (just as in commercial mailing lists) so that
if the data is ever used, there's a chance that the use can be detected and the
That's the kind of security you need. And just to be
sure, you have a real time off site backup which can restore your data in case
of fire, chlorine gas
leak or flood.
Not much to ask really, is it?