- Assign accountability, responsibility and authority
- Assess risk
- Develop a data protection process
- Communicate the process
- Execute and test the process
1. Assign accountability, responsibility and authority.
Make storage security a function of overall information security policies and architecture. Even if you decide that backup or storage security responsibilities should reside within the storage team, you still must integrate any storage and backup security measures with those that secure the rest of the infrastructure.
2. Assess storage risk as it pertains to information security.
Perform a risk analysis of the entire backup process. Managers must examine each step of their backup methodology looking for security vulnerabilities. Could a tape administrator secretly create copies of backup tapes? Are boxes of tapes left out in the open? Is there a tight, end-to-end chain of custody for your backup tapes?
Execute a cost/benefit analysis on backup data encryption to determine how extensively it should be deployed. If a risk analysis exposes numerous vulnerabilities, you need to consider whether encryption is warranted. The total cost of encryption should be compared to potential risks and the likelihood of a security breach to determine whether it makes economic sense to implement encryption broadly, narrowly, or not at all. Know what files, databases, and columns are considered sufficiently sensitive by the business units to warrant the additional cost of protection. Given the increasing focus on and visibility of inadvertent disclosure, tape encryption is the best method for protecting personal or sensitive information.
3. Develop an information protection program that ensures the security of your corporation's information, regardless of where it is at any point in time.
Adopt a multi-layered approach to data protection by taking best practices that may already exist for the data network and applying them to the storage network, while adding layers unique to the characteristics of data at rest.
These layers cover the following areas:
- Authentication: Apply multi-level authentication and anti-spoofing techniques.
- Authorization: Enforce privileges based on roles and responsibilities rather than granting full administrative access. Where available, leverage the role-based administrative capabilities of storage management applications, especially backup.
- Encryption: All sensitive data should be encrypted when it is stored or copied. In addition, all management interface data transmitted over any non-private network should be encrypted. Sensitive data is usually defined as information containing either personal information or trade secrets.
- Auditing: Logs of administrative operations by any user should be maintained to ensure traceability and accountability.
4. Communicate the processes to be followed for information protection and security.
It is vital that the people who are responsible for protecting sensitive data are properly informed and trained.
Inform business managers of risks, countermeasures, and costs. Data loss and intellectual property theft are a business issue, not an IT issue. As such, the Chief Information Security Officer (CISO) should begin a data security effort by educating business executives on risks, threats, and potential losses from security breaches, plus the cost of various security countermeasure options.
Assess risk and train staff. Organizations that assess risks and train staff are more likely to implement security policies, procedures, and technologies that protect vital assets. On the other hand, vulnerable infrastructure and unskilled staff are a problem waiting to happen.
5. Execute and test the information protection security plan.
Secure data protection is not about technology; it is about process. That's why it is important to test the process. Once the end-to-end plan has been developed, defined, and communicated to the appropriate people, it is time to begin execution. Ensure that the tools, technologies and methodologies that need to be deployed for information classification are in place. Test the process once it is in place. Remember, the process to be tested needs to include both backup and recovery. Attempt to inject any conceivable threat into the process including server and tape loss, network issues, device issues, data classification issues and any other scenario that may affect the business. Test with people who may be less familiar with the process.
Storage Security is Everyone's Business
Finally, everyone who manages, administers, or operates storage IT infrastructure needs to become fully security conscious. Storage security is as much a culture of awareness as it is a corporate policy directive. To truly protect the organization's critical data, continuous focus on culture, practice, and control is imperative to a successful secure data protection strategy.