According to legend, when bank robber Willie Sutton was asked why he robbed banks, he replied "because that's where the money is." In his autobiography, Sutton denies ever having made that statement, but the quote nevertheless persists.
Regardless of its truth, this story has important security implications for enterprise storage managers. Widely distributed storage such as traditional direct attached storage (DAS) doesn't present much of an attraction to hackers, since it requires too much work for a low chance of return.
But with server consolidation, Network Attached Security (NAS), and Storage Area Networks (SANs) bringing a corporation's intellectual assets into one location (virtual or otherwise), these attractive data depositories must be protected like Fort Knox. Unfortunately, organizations have been slow to realize this.
"Direct attached storage has good security, but NAS has definite security issues and weaknesses," says Brandon Hoff, McDATA Corp.'s advisor to the Storage Networking Industry Association's (SNIA) Storage Security Industry Forum (SSIF). "Centralizing and globalizing storage means that it is exposed on the network."
Perimeter defenses such as firewalls and honey pots (sometimes) keep out hackers, and intrusion detection systems (hopefully) catch invaders before they do too much damage. At least that's the theory. Ninety percent of respondents to the FBI/Computer Security Institute's 2002 Computer Crime and Security Survey, though, reported that they had detected computer security breaches within the previous 12 months. We don't know whether the other 10% had adequate security protection or lacked adequate means of detecting breaches.
While most of these attacks are small scale, some are large enough to make the headlines, such as the incident this past February where someone hacked into a database containing 8 million Visa, MasterCard, and American Express credit card account numbers.
Then there are all the internal jobs, such as the case where an employee of credit report processing firm Teledata last year was arrested for accessing the credit reports on more than 30,000 people and selling them to criminals for $60 each, and the case of an ISM Canada employee who was accused of stealing a hard drive containing personal information on more than one million customers.
"Consolidation of resources opens storage up to a number of security risks that did not exist in the past," says Nancy Marrone, senior analyst for the Enterprise Storage Group. "Administrators now need to make sure each client is secure and that each portal to the storage itself cannot be breached."
Although companies have their own business reasons for protecting storage assets from destruction or illegal access, these days there is now outside pressure to ensure they do so. At least two of the above incidents, for example, have resulting in the filing of class-action lawsuits.
In addition, there are a growing number of laws regulating the field. Companies doing business in Europe must comply with the EU Data Privacy Directive, which lays out strict rules regarding the gathering, storage, and transmission of personal data.
In the United States, there is the Health Insurance Portability and Accountability Act (HIPAA), which similarly sets data privacy standards, and the Gramm-Leach-Bliley Act, which applies specifically to financial records.
Further, the State of California last September passed Senate Bill 1386, which mandates that, beginning July 1, 2003, companies must notify California residents whenever there is a security breach resulting in their personal data being acquired by an unauthorized person. This applies whether or not the data is stored in California. Such announcements could have severe implications on stockholder as well as public confidence.
"CEOs and CFOs have recently become far more interested in storage security," says Hari Venkatacharya, senior vice president of Secure Networked Storage for Mississauga, Ontario-based data security firm Kasten Chase, "since they have to sign off on it for regulations such as HIPAA."