Storage security covers a wide area of products, services and
applications and has meant different things at different times.

In the late 1980s I noticed that my defense and intelligence
customers would, whenever they left their offices, unplug the removable disk
shuttles from their workstations and lock them in solid filing cabinets which
were built like safes with two heavy duty padlocks. Since there were armed
guards on the gates going into those establishments, and electrified fences I
knew they weren't worried about burglars. I remember joking once to a customer
at GCHQ (that's the UK equivalent of the NSA - if you're not familiar with
Tom Clancy settings) that my own insurance company insisted on having window
locks on all the ground floor windows of my house and that they didn't seem to
have any... surely a weak point since anyone could just hop in.

I, too, took physical security
seriously, but I wasn't worried that anyone would be interested in stealing our
obscure software and schematics. As a Sun OEM and VAR I decided that we
wouldn't use the low cost pizza box disk storage which became fashionable at
that time. Sun's ads used to claim that you could now store all your company
data and run your applications on these little boxes. This exaggeration was
designed to show the contrast between the speedy little SPARCstation 2 servers
which were three times faster than the older VAX minicomputers which cost ten
times as much and needed air conditioned computer rooms.

After seeing how our office cleaners used to move around the stuff on people's
desks when
they were dusting, I got worried that one night all our data might just end up
falling off a desk, crashing the disks. One of my engineers used to have about
seven monitors connected to the different systems he was working on, and his
desks used to get wobbly enough without any external help. So I decided that my
form of physical security would be to use one of our production VME based SPARC
servers as the R&D data store. This sat on the floor and was a two-man
lift. You could hit it with a hammer without doing any harm. Our VME crates had
been type tested for RFI and physical vibration immunity by the electricity
generating company who used them as high speed dataloggers when testing large
electrical spikes across the national grid. So although it cost more than the
pizza boxes, I didn't have to worry about minor physical accidents.

We even found, one morning, that the system had protected our data against a
small fire which filled our offices with smoke, luckily when no one was there.
That was an added bonus.

In today's computing environment, every
company is under threat every second of every day. Not only do you have to block
out malicious viruses which come down the wires in your email, but terrorists
and criminals probe and attack every internet connected server so they can
steal computing resources for sending out junk email, or steal your credit card
data or shut down your web site. Recently a company that my wife consults for as
a marketer was upgrading their database and operating system. In the ten
minutes or so that their system was running without a new firewall, every PC and
server was trashed by viruses in both their sites. It took days to restore
operation. The upgrade was being done by an IT services company.

The role of data security products is to protect against external and internal
threats to your data integrity, while not impeding the smooth flow of legitimate
information throughout your organization. Managing storage security is
a very complicated task because it involves actions at so many different levels.
Some security service companies can audit your current networks and recommend
how you can fix vulnerabilities. A marketing manager in one of those storage
security companies told me recently that no one likes to admit that they have
security problems, but even security conscious companies like banks are
vulnerable. There have been several well publicised occasions when online banks
and other major financial institutions have had security lapses which exposed
all their customer details to anyone who wanted to take a look.

No single product can fix all the problems and hazards created by networked
storage. A good approach is to go back and look at what works for physical
security like my old customers in the defense world. Outside you have the signs
warning unauthorized people to keep away. On the approach road you have the
concrete pillars to deter suicide ram raids by trucks laden with explosive. At
the perimeter you have the barbed wire fences and the armed guards at the gate.
Overhead you have constant helicopter patrols, and inside the perimeter you
have surveillance by cameras, listening devices and foot patrols. And if an
intruder gets that far, he may still be deterred when he discovers that what he
wants is in a locked room. Inside that room is a locked steel case. And the data
is inside the case. And just to make sure, it's all encrypted. Inside that data
there are fake entries (just as in commercial mailing lists) so that if the data
is ever used, there's a chance that the use can be detected and the user traced.
That's the kind of security you need. And just to be sure, you have a real-time
off-site backup which can restore your data in case of fire or flood.

Not much to ask really, is it?
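
The fake-entry idea above, sketched as an added example (not from the original article): each recipient's copy of a list is seeded with canary entries derived from a secret key, so an address that later turns up in use identifies which copy leaked. The key, the record layout, the recipient names and the canary.example domain are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac

SEED_KEY = b"constructed-demo-key"   # assumption: secret held only by the data owner
FIRST_NAMES = ["Ann", "Raj", "Lee", "Mia"]

# Constructed sample data: the real list and the parties who each get a copy.
RECORDS = [{"name": "Alice", "email": "alice@customer.example"},
           {"name": "Bob", "email": "bob@customer.example"}]
RECIPIENTS = ["backup-vendor", "marketing-agency"]


def canary_for(recipient, index):
    """Derive a fake entry that is unique to one recipient's copy.

    HMAC keeps the entries unpredictable without the key, and lets the owner
    regenerate them later instead of storing a list of canaries.
    """
    tag = hmac.new(SEED_KEY, f"{recipient}:{index}".encode(),
                   hashlib.sha256).hexdigest()
    name = FIRST_NAMES[int(tag[:2], 16) % len(FIRST_NAMES)]
    return {"name": name, "email": f"{tag[2:14]}@canary.example"}


def seed_copy(records, recipient, count=3):
    """Return the copy handed to `recipient`: real records plus its canaries."""
    canaries = [canary_for(recipient, i) for i in range(count)]
    # Sort so the canaries are mixed in rather than clustered at the end.
    return sorted(records + canaries, key=lambda r: r["email"])


def trace(observed_emails, recipients, count=3):
    """Map addresses seen in use (inbound mail, a leaked dump) to their copy."""
    index = {canary_for(r, i)["email"]: r
             for r in recipients for i in range(count)}
    hits = {}
    for addr in observed_emails:
        addr = addr.strip().lower()
        if addr in index:
            hits.setdefault(index[addr], []).append(addr)
    return hits


if __name__ == "__main__":
    leaked = seed_copy(RECORDS, "marketing-agency")
    print(trace([r["email"] for r in leaked], RECIPIENTS))
```

Any mail arriving at a canary address, or any canary address found in a dump, points at exactly one recipient's copy, since no real customer owns those addresses.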
See also: Storage Security, Disk and tape sanitizers, SPARC history, storage history