Look at the big IT picture to ensure storage security

Imagine a situation where day-to-day storage administration is all you're responsible for; nothing else -- no users to deal with, no meetings to attend and no reports to your boss. All you have to worry about is keeping the storage environment chugging along. If it was only that easy. However, nearly all storage administrators have a lot more day-to-day IT stuff to worry about. If you don't, I'd suggest laying low and not telling anyone. Many others would do whatever they could to have that kind of 21st century IT role.

((Content component not found.)) Consider the importance of the relationship between storage administration and information security. Storage environments of the past have been sacred -- protected by four strong walls on top of a raised floor and never at risk. That doesn't exist anymore.

The vulnerabilities are there, the tools are available and the expertise required to compromise storage systems is often minimal. Sure, security may be addressed elsewhere in the network, but that doesn't mean storage security controls have to be lax or nonexistent. Without the proper storage security controls in place alongside automated security monitoring, it's just a matter of time before something happens.

Also, there's hardly an organization in business today that doesn't have to comply with the PCI Security Standards, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) or any number of the state breach notifications and international information privacy regulations. If anything, the incentive is there because of these regulations.

Businesses can't control their information risks unless everyone in IT is onboard. This includes not only network and email administrators, desktop support personnel and developers, but also storage administrators and others under the IT umbrella responsible for systems that process or house sensitive information. It can be argued that storage systems hold information and security controls protect information. So why shouldn't each team just focus on their own area? That can't be relied on -- it's like saying our homes store our belongings and the police are there to protect our belongings. Sure, it looks good on paper, but we cannot rely on it. With our complex networks and information systems currently running our businesses, we all have to take responsibility for building in security controls at every reasonable level to keep sensitive information under wraps.

If you take anything away from this, learn and remember the concept that information threats (i.e., a disgruntled yet trusted user) exploit vulnerabilities (i.e. storage flaws at the network, operating system and storage device levels), which leads to the business risks of falling out of compliance, not meeting business contracts, losing intellectual property and so on. Risks that your organization may or may not be willing to take on, especially in the storage environment where all things critical reside. It doesn't matter from what angle you are looking at IT -- from the network perspective, from the messaging perspective, from the operating system perspective or from the storage perspective, the threats, vulnerabilities, attack vectors, security management requirements and overall risks are all the same.

The more you think about these fundamental rules of security, the more they'll become ingrained into your subconscious. Thinking about security and relating it to what you do on your job every day will eventually lead to the point where you don't think much about security at all. It'll become a part of the way you work. You'll be making storage decisions with security in mind -- balancing what really doesn't matter with what needs to be addressed -- which benefits the business and everyone involved long term.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver ~at~ principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchStorage.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Data storage management Server virtualisation may have big disaster recovery payoff How to mitigate the performance penalties of data encryption software Avoiding storage-related bottlenecks in virtualized environments How to resolve storage issues in virtualized server environments How to choose an e-discovery tool Ten reasons storage security is critical How to reduce risk with storage security policies How to increase your storage energy efficiency Why you should perform data classification What to expect from a storage audit Secure data storage CommVault, McAfee partner to integrate storage and security management solution Storage news in brief Notes from SNW: Encryption shifts to disk drives 8 steps to better data security Policy and technology: the belt and braces of data protection Iron Mountain digitizes documents to bolster security Disclosure becomes a fact of life in leaky Britain nCipher grabs NeoScale for $1.9M How to mitigate the performance penalties of data encryption software Users: Storage security becoming a priority RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.