By managing storage and information resources, users ensure that data protection processes (backup and recovery) are the first level of safeguarding information. If the system fails, it is possible to recover any data loss and continue from the point in time when the system failed. But when we ask today’s CIOs what their main concern is, data security inevitably comes to the fore. What they are looking for is an assured, stable and dependable environment whereby users have access to their information resources with total confidence. Their users will always have the correct data relayed to them, whether it was created today or some time in the past. The record or document can be trusted and will withstand the most stringent scrutiny in a court of law.
Security can be viewed in the following areas:
- Securing access to systems, networks, applications or information
- Securing information flow within the network
- Securing the recorded data, whether on media or via encryption
- Ensuring information is always available.
Keeping intruders out
By introducing passwords and access codes as the first level of protection, systems can be architected to be more secure; the emphasis is on authorised access, securing against unauthorised entry. In many cases, the assumption is that keeping intruders out will result in a totally trusted environment within the company. But the majority of frauds are committed from within the moated castle.
Establishing firewalls, introducing the virus police and managing access keys is a critical step to establishing a secure environment. This leads to a brittle shell built around systems. And for the most persistent intruders who try to break the shell, there are practices to deny them access to the network and the information assets.
Protecting the flow of information
Within the storage environment, the application of zoning on the SAN and the implementation of virtual networks will enable applications to access specific data resources only. The management framework to monitor and administer such an environment is critical. While testing such aspects of routing and assessing performance measures, a key concern is that the data is moved securely across a storage network whether within a single site or across multiple sites.
The Storage Networking Industry Association has established a basis by which this can be achieved within a Fibre Channel-based SAN. Encryption options will be added when transmitting data across the network. For users using FCIP or transmitting data across IP networks, especially between sites, IPsec is an established option available, providing network data encryption at the IP packet level.
Securing the stored data
There are several technologies available to support the securing of data on magnetic disks, tapes or optical devices. Organisations need to consider at what level security needs to be applied. For example, RAID is now a function of a disk array to secure the system against a single disk failure; new developments of RAID will enable disk arrays to regenerate themselves even if more than one disk fails.
WORM (Write Once Read Many) technologies, available for magnetic disk, tape and optical disks, are important for longer-term storage and are key when it is necessary to depend on a media not being overwritten; however they are not a prerequisite for storage of legally permissible data.
WORM is a key technology in archiving applications as data stored in an archive must be trusted when retrieved. As a result, if data archived onto WORM magnetic disks must be placed onto a removable media such as tape, practices must test whether it is necessary to ensure the data is written to WORM tape or optical disk. After all, system practices need to be seen to be consistent if put to compliancy tests.
A key element in securing the use of each of these media types is to keep a reliable record of what tape or disk unit has been recorded on, where it is located and if it has been recycled. This is part of the media management and vaulting elements of data protection systems and highlights the need for sound management principles and practices into which the technology choices must fit.
Encryption of stored data is another aspect of securing data. This can be achieved in various ways. Centera from EMC is one approach, Decru’s DataFort is another. Converting documents to a .pdf, .xml or .tif format is yet another option.
Policies and practices to ensure that data is always available
While the technology discussion can become very detailed, CIOs, the keepers of companies' information assets, must establish clear policies and practices that will match the demands of their business and the regulatory environment in which they operate.
Establishing an Information Security Policy is a key component of any business. This will address the issues of accessing information, moving it across the network, and recording the data in a trusted form. Data can be stored on or offsite. From a practical business view, the Information Security Policy must deliver a stable, dependable and assured environment for the company and its users. In making the data available as is required and demanded by the business, the system infrastructure must minimise the risk, if not free the business from all risk. Greater security will be an ongoing concern when managing the organisations information assets and it should be on every company’s IT priorities agenda.