Secure DAS without breaking the bank


Kevin Beaver
11.24.2008


Whether you're using direct-attached storage (DAS) for primary data storage, backups or archiving, there are a ton of common security issues affecting storage confidentiality, integrity and availability. Here are four DAS security issues SMBs can't afford to overlook:

Not knowing where you stand on DAS security issues

Arguably the greatest security risk to an organization is not knowing what's vulnerable and how each weakness can affect the business. Simply put, you can never assume that all is well. The solution is very straightforward: Perform a security assessment using ethical hacking techniques and see where your weaknesses are.

If you don't find any, you're probably not using the right tools or looking hard enough. Hire an outsider if you have to. Obvious or not, it's important to remember that there are security vulnerabilities such as missing patches, misconfigured systems and lax user permissions in your DAS environment.

Relying on users to do the right thing

It's easy to put up a firewall and claim that everything is secure, but it doesn't work that way with data storage. Insiders are your greatest threat and the most stringent policies in the world aren't going to make things right if basic internal controls aren't in place. Perform a user permissions audit and scan for unstructured information that everyone on the network has access to. Then lock permissions down and even segment your network in order to keep critical DAS systems out of harm's way.
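One way to start the permissions audit described above, as an added example that is not part of the original tip: the Python code below walks a storage volume and lists files and directories that accounts outside the owner and group can read or write. It assumes a Unix-style file server with POSIX mode bits (Windows ACLs are out of scope); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_world_access(root):
    """Return sorted (relative_path, issue) pairs for entries under root
    that accounts outside the owner and group ('other') can read or write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        reachable = set()
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished or cannot be examined
            if stat.S_ISLNK(mode):
                continue  # link mode bits are not enforced; never follow links
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                sticky = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
                findings.append((rel, "world-writable (sticky)" if sticky else "world-writable"))
            elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                reachable.add(name)
        # Skip directories 'other' cannot traverse: files below are not exposed today.
        dirnames[:] = [d for d in dirnames if d in reachable]
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (names and modes are made up)."""
    files = {"public/readme.txt": 0o644, "public/dropbox.tmp": 0o666,
             "finance/payroll.xls": 0o644, "hr/reviews.doc": 0o640,
             "scratch/job.log": 0o600}
    dirs = {"public": 0o755, "finance": 0o750, "hr": 0o755, "scratch": 0o1777}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample")
            os.chmod(path, mode)
        for name, mode in dirs.items():
            os.chmod(os.path.join(root, name), mode)
        return audit_world_access(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the sample tree, finance/payroll.xls carries world-readable bits but is not reported because its parent directory denies traversal to "other"; that protection lasts only as long as the directory mode does, so re-run the audit after any permission change.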

Not adequately patching server software

Unpatched operating systems and applications are still a problem. In my work, I see it time and time again, presumably because servers aren't that easy to patch. It's often believed that any risk a patch could introduce is simply not worth it. Someone on the inside -- and even the outside via Web applications and wireless vulnerabilities -- could take complete control of a server on your network. Once they're in, anything and everything on the DAS system is at their disposal and no one will ever know about it. Make patching a priority.

Fault tolerance and business continuity testing

Vendor claims and RAID standards have little to do with how well your particular DAS will stand up to a hardware failure or emergency situation in your specific environment. In my years of security assessment work, I've seen one business that actually performed a continuity/recovery test of their DAS systems. Yes, one out of hundreds!

We all know what assumptions will ultimately bring us, so do yourself and your business a favor and test your storage system resiliency. This means running focused and realistic system failure scenarios (i.e., the storage hardware dies or your data center gets damaged or destroyed). There's no doubt you'll need to rely on it one day, so why not find out where it's weak now while things are calm?

Information is much more vulnerable at rest. The direction many SMBs are headed with virtualization -- and the associated system complexities and increased attack surfaces -- only compounds the problem. Combine that with the lack of time and resources I'm seeing in IT shops in SMBs across the board and you've got some formidable storage security issues in the making.

Even with relatively basic DAS configurations, no SMB can afford to overlook the security element. The good news is that you don't have to spend a ton. In fact, most of the controls you need are right before your eyes. Look at the existing controls built into your storage devices, applications, operating systems and network infrastructure devices. Focus on the principle of least privilege so that people can only access what they need to access and nothing more. Then it's just a matter of making it happen.

About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC, where he specializes in performing independent information security assessments and audits.
