Not knowing where you stand on DAS security issues
Arguably the greatest security risk to an organization is not knowing what's vulnerable and how each weakness can affect the business. Simply put, you can never assume that all is well. The solution is straightforward: perform a security assessment using ethical hacking techniques and find out where your weaknesses are.
If you don't find any, you're probably not using the right tools or looking hard enough. Hire an outsider if you have to. Because a DAS has no network presence of its own and is reached only through the host it's attached to, the assessment is really an assessment of that host: its operating system, its applications and the accounts that can log into it. Obvious or not, assume that vulnerabilities such as missing patches, misconfigured systems and lax user permissions exist somewhere in your DAS environment until you've proven otherwise.
Relying on users to do the right thing
It's easy to put up a perimeter firewall and claim that everything is secure, but it doesn't work that way with data storage: a firewall does nothing about someone who already has a login. Insiders are your greatest threat, and the most stringent policies in the world aren't going to make things right if basic internal controls aren't in place. Perform a user permissions audit and scan for unstructured information (documents, spreadsheets, database dumps, scratch folders) that everyone on the network has access to. Then lock permissions down to the people who actually need each share, and segment your network so that the hosts holding critical DAS systems aren't reachable from every desktop.
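As an added example (not from the original tip or its author), here is the permissions audit and lock-down step in Python. It assumes a POSIX host, where the 'other' permission bits stand in for an Everyone or Authenticated Users entry on a Windows share, and it builds a small constructed sample tree so it runs offline. It reports anything the world can modify (the usual first pass) or read and traverse (the fuller pass), then strips those bits from the flagged entries. The paths, modes and function names are the example's own.

```python
"""Added example: a user-permissions audit over a storage tree.

Flags every file or directory whose POSIX 'other' bits grant access, the
local-filesystem equivalent of unstructured data that everyone on the
network can reach, then strips those bits as the lock-down step.
Assumptions: a POSIX host (Linux/macOS); on Windows the same check would
look for Everyone/Authenticated Users ACEs instead. The sample share
layout below is constructed for the example and is not real data.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path


def world_access(mode: int) -> list[str]:
    """Return which of read/write/execute the 'other' class holds in mode."""
    bits = ((stat.S_IROTH, "read"), (stat.S_IWOTH, "write"), (stat.S_IXOTH, "execute"))
    return [name for bit, name in bits if mode & bit]


def audit_world_access(root: str, writable_only: bool = False) -> dict[str, list[str]]:
    """Walk root and map each over-exposed path (relative to root) to its world permissions.

    writable_only=True reports only entries anyone can modify, the usual first
    pass on a large share; False also reports what anyone can read or traverse.
    Symlinks are skipped so a link pointing outside the tree can't inflate the scan.
    """
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            perms = world_access(st.st_mode)
            if writable_only:
                perms = [p for p in perms if p == "write"]
            if perms:
                findings[os.path.relpath(full, root)] = perms
    return findings


def lock_down(root: str, findings: dict[str, list[str]]) -> int:
    """Remove all 'other' bits from each flagged path; returns how many were changed."""
    changed = 0
    for rel in findings:
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        if mode & 0o007:
            os.chmod(full, mode & ~0o007)
            changed += 1
    return changed


def build_sample_tree(base: str) -> str:
    """Create the constructed sample share under base and return its root path."""
    root = Path(base) / "das_share"
    files = {
        "finance/payroll.xlsx": 0o640,   # owner rw, group r: nobody else
        "public/handbook.pdf": 0o644,    # world-readable, fine for a handbook
        "scratch/dump.sql": 0o666,       # world-writable database dump: bad
    }
    dirs = {"finance": 0o750, "public": 0o755, "scratch": 0o777}
    for rel, mode in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample\n")
        path.chmod(mode)               # explicit modes, so umask doesn't matter
    for rel, mode in dirs.items():
        (root / rel).chmod(mode)
    return str(root)


def demo() -> dict:
    """Audit the sample tree, lock down the world-writable entries, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        before_writable = audit_world_access(root, writable_only=True)
        before_all = audit_world_access(root)
        changed = lock_down(root, before_writable)
        after_writable = audit_world_access(root, writable_only=True)
    return {
        "before_writable": before_writable,
        "before_all": before_all,
        "changed": changed,
        "after_writable": after_writable,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real share root instead of the constructed tree by calling audit_world_access("/path/to/share", writable_only=True) first; review that list with the data owners before calling lock_down, since a world-readable handbook is a business decision while a world-writable database dump never is.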
Not adequately patching server software
Unpatched operating systems and applications are still a problem. In my work, I see it time and time again, presumably because servers aren't that easy to patch: it's often believed that the risk a patch could introduce simply isn't worth taking. But someone on the inside -- or even on the outside, via Web application and wireless vulnerabilities -- could take complete control of an unpatched server on your network. Once they're in, anything and everything on the DAS attached to that server is at their disposal, and without logging and monitoring on the host, no one will ever know about it. Make patching a priority: test patches on a non-production system if you must, then schedule them rather than deferring them indefinitely.
Not testing fault tolerance and business continuity
Vendor claims and RAID standards have little to do with how well your particular DAS will stand up to a hardware failure or emergency situation in your specific environment. RAID protects you against a failed disk, not against a failed controller, an accidental or malicious deletion, or a destroyed building; only a working backup and restore covers those. In my years of security assessment work, I've seen one business that actually performed a continuity/recovery test of their DAS systems. Yes, one out of hundreds!
We all know where assumptions ultimately lead, so do yourself and your business a favor and test your storage system resiliency. This means running focused and realistic failure scenarios (e.g., the storage hardware dies, or your data center gets damaged or destroyed), including actually restoring from backup and timing how long it takes. There's no doubt you'll need to rely on it one day, so why not find out where it's weak now while things are calm.
Information spends most of its life at rest, and that's where a DAS is most exposed: anyone who can get onto the host can get at the data. The direction many SMBs are headed with virtualization -- and the associated system complexities and increased attack surfaces -- only compounds the problem. Combine that with the lack of time and resources I'm seeing in SMB IT shops across the board and you've got some formidable storage security issues in the making.
Even with relatively basic DAS configurations, no SMB can afford to overlook the security element. The good news is that you don't have to spend a ton. In fact, most of the controls you need are right before your eyes: the permission, logging and patching controls already built into your storage devices, applications, operating systems and network infrastructure devices. Focus on the principle of least privilege so that people can only access what they need to access and nothing more. Then it's just a matter of making it happen.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC, where he specializes in performing independent information security assessments and audits.
This was first published in November 2008