What you will learn in this tip: Storage security is the one aspect of IT management that never seems to get the attention it deserves. Learn the best secure data storage strategies, and what tools are best for small- to medium-sized businesses (SMBs) in this tip.
Whether it's data retention, e-discovery, security breaches or general information lifecycle management, storage security is a concern for any organization regardless of size or industry. However, SMBs often have unique storage security problems for the following reasons:
1. There aren’t enough eyes on the problem. Limited IT help often leads to increased security issues.
2. Increased usage of mobile devices (smartphones, laptops, iPads, etc.) and portable storage media (thumb drives, external hard drives, etc.). The more complex and consumerized your environment becomes, the harder it is to get storage security under control.
3. When people do get involved in SMB IT issues, there are often several hands in the pie, including software vendors, custom developers, consultants and systems integrators. When SMBs don’t have a dedicated IT staff to oversee storage, accountability becomes limited and risk is increased across the board.
4. There's a false impression that compliance requirements don’t apply to small businesses. Or, even worse, there are SMB managers who don’t know about the requirements at all.
Storage security tools that can help
Just because you have a limited budget doesn’t mean you can’t get your arms around storage-related security risks. Larger storage management vendors offer expensive tools that can help you with storage security. However, there are also several smaller vendors well-suited to SMBs. In addition, you probably have some storage security tools on your network (or available for free download) that can help secure your data storage systems, such as:
- BitLocker in Windows 7 and Windows Server 2008 systems for hard disk and mobile storage encryption for laptops, desktops and servers, as well as external hard drives, thumb drives, etc.
- Storage management interfaces built into your storage area network and network-attached storage systems for systems administration tasks, including authentication and access controls
- Windows and Active Directory built-in controls for basic user provisioning and management for general operating system, application and storage environment access
- Open-source tools such as AlienVault Open Source SIEM and Openfiler for keeping network storage, applications and operating systems in check and protected from malicious attack
Secure data storage checklist
To get started, you first need to understand where you’re at risk. Start by looking at things such as unstructured data, Web interfaces, access controls, etc. Using ethical hacking techniques and tools is an absolute must. You cannot fix what you don’t know about.
Moving forward, the bottom-line formula for making storage security work on a budget is to follow these steps:
- Find where information is located across your storage realm (network, mobile and everything in between), and then determine your technical and operational weaknesses related to storage (if it has an IP address and is managed by humans, there are going to be vulnerabilities) by performing a security assessment. The security assessment should include running vulnerability scanners and performing manual security checks, using an ethical hacking methodology.
- Put reasonable -- and free -- storage security policies in place to keep things in check (both now and moving forward).
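As an added example that is not part of the original tip or the author's own material, the PowerShell script below performs two of the cheap, built-in checks the list above describes: it reports which fixed volumes on a Windows host are not yet protected by BitLocker (the free tool named earlier), and it lists non-administrative file shares whose NTFS permissions grant access to broad principals such as Everyone or Authenticated Users, which is a quick way to find where unstructured data is exposed. It assumes an elevated Windows PowerShell session on Windows 7 / Server 2008 R2 or later with the BitLocker feature present; the group names in $broadPrincipals are a constructed starting list to adjust for your own environment.

```powershell
# Added example: storage-security baseline check for a single Windows host.
# Not code from the original article. Assumes an elevated Windows PowerShell
# session on Windows 7 / Server 2008 R2 or later. Uses WMI so it also runs on
# PowerShell 2.0, which is what Windows 7 ships with.

function Get-UnprotectedVolumes {
    # Win32_EncryptableVolume lives in the BitLocker WMI namespace and exposes
    # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
    # If the namespace is missing, BitLocker is not installed on this host.
    try {
        $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                                 -Class 'Win32_EncryptableVolume' -ErrorAction Stop
    } catch {
        Write-Warning "BitLocker WMI provider not available: $($_.Exception.Message)"
        return
    }
    foreach ($v in $volumes) {
        if ($v.ProtectionStatus -ne 1) {
            $status = switch ($v.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }
            New-Object PSObject -Property @{
                Drive            = $v.DriveLetter
                ProtectionStatus = $status
            }
        }
    }
}

# Constructed list of principals that should rarely hold NTFS Allow entries on
# shared business data; extend it with your own broad groups (e.g. Domain Users).
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-BroadlySharedFolders {
    # Win32_Share Type 0 = ordinary disk share; administrative shares (C$, ADMIN$)
    # carry a different Type value and are also excluded by the trailing-$ check.
    $shares = Get-WmiObject -Class Win32_Share |
              Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }
    foreach ($s in $shares) {
        # This inspects the NTFS ACL of the shared folder. Share-level permissions
        # are a separate layer; effective access is the more restrictive of the two.
        $acl = Get-Acl -Path $s.Path -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadPrincipals -contains $ace.IdentityReference.Value) {
                New-Object PSObject -Property @{
                    Share     = $s.Name
                    Path      = $s.Path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

# Report for the local host; wrap in @() so .Count works even for a single result.
$unprotected = @(Get-UnprotectedVolumes)
if ($unprotected.Count -gt 0) {
    "Volumes without BitLocker protection on $env:COMPUTERNAME:"
    $unprotected | Select-Object Drive, ProtectionStatus | Format-Table -AutoSize
} else {
    "All encryptable volumes on $env:COMPUTERNAME report BitLocker protection on."
}

$exposed = @(Get-BroadlySharedFolders)
if ($exposed.Count -gt 0) {
    "Shares whose NTFS ACL allows broad principals:"
    $exposed | Select-Object Share, Path, Principal, Rights | Format-Table -AutoSize
} else {
    "No non-administrative shares grant access to the listed broad principals."
}
```

Run it on each server and laptop you inventory in step one, or wrap the two functions in Invoke-Command to collect results from several hosts at once; a volume reporting Off or a share allowing Everyone is a concrete, prioritised finding for step two rather than a vague worry.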
By focusing on the systems that count, slowly securing the data that matters, and remaining ever vigilant, you can master your storage security problems in no time.
About the author: Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. With more than 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored nine books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies, 3rd edition. Kevin can be reached at his website www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
This was first published in April 2011