The purpose of this document is to provide guidance on some of the factors you should consider when evaluating storage security technology and solutions. As with any security project, acquiring technology is only one step in protecting your data. The process should also include an evaluation of the processes and security controls already in place, such as physical access controls, environmental controls, and administrative controls.
While there is no single set of requirements that applies to all organizations, this document can provide some baseline considerations.
Why Should You Encrypt Your Data?
Data in networked storage environments is significantly more vulnerable to unauthorized access, theft, or misuse than data stored in more traditional, direct-attached storage. Aggregated storage is not designed to compartmentalize the data it contains, and data from different departments or divisions becomes co-mingled in the network. Data backup, off-site mirroring, and other data replication techniques increase the risk of unauthorized access from people both inside and outside the enterprise. Partner access through firewalls and other legitimate business needs can also create undesirable security risks, and current research indicates a significant percentage of attacks come from within the firewall. With storage networks, a single security breach can threaten the data assets of an entire organization.
Data in cleartext is vulnerable to attack. Curious or malicious insiders, administrators, partners, hackers, contractors, or outsourced service providers can all gain access to it with little effort. Technologies such as firewalls, Intrusion Prevention Systems (IPS), and Virtual Private Networks (VPN) seek to secure data assets by protecting the perimeter of the network. SAN features such as LUN masking and zoning, and NAS features such as access controls, also attempt to address security concerns. Unfortunately, these targeted approaches do not adequately secure storage: they govern which host or user may reach the data through the normal access path, but the bytes on the media remain cleartext. Anyone who obtains the media itself (a retired disk, a tape in transit, a replicated volume, a backup copy) or who has raw block access reads the data without ever touching those controls.
Encrypting your data at rest, on tape and disk, significantly mitigates these threats and lets you secure your data while maintaining your current service levels for operations. The protection holds only if the encryption keys are managed and stored separately from the encrypted data; a key kept on the same media, or reachable by the same administrators, leaves you no better off than cleartext. Note also that encryption at rest does not restrict what an authorized host or application may read through the normal path; that remains the job of the access controls above.
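To make the point concrete, the following added example (written for this page; it is not code from any storage vendor or from the original document) implements the at-rest scheme most storage products follow: each object is encrypted with AES-256-GCM under its own data-encryption key (DEK), and the DEK is itself wrapped under a key-encryption key (KEK) that is assumed to live outside the storage system in an HSM or key manager. The object name is bound in as associated data so a ciphertext copied into another object's slot will not open. It also shows why this layout matters for the long retention periods discussed later on this page: rotating the KEK re-wraps only the small DEK blob and never rewrites the bulk data. All type and function names (`StoredObject`, `Store`, `Load`, `RotateKEK`) and the sample object name and record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is what lands on disk or tape: data encrypted under a per-object
// DEK, plus that DEK wrapped under a KEK held outside the storage system.
type StoredObject struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Body       []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// RandBytes returns n bytes from the system CSPRNG; a CSPRNG failure is not
// something an encryption system can continue past, so it panics. RandBytes(32) is an AES-256 key.
func RandBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a fresh random nonce (prepended to the output); aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := RandBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal. A wrong key, modified ciphertext or wrong aad yields an error, never garbage plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Store encrypts plaintext under a fresh DEK and wraps that DEK under kek.
// objectID is bound in as AAD, so a ciphertext moved to another object's slot fails to open.
func Store(kek, plaintext, objectID []byte) (*StoredObject, error) {
	dek := RandBytes(32)
	body, err := seal(dek, plaintext, objectID)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, objectID)
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrappedDEK: wrapped, Body: body}, nil
}

// Load unwraps the DEK with kek, then decrypts the body.
func Load(kek []byte, obj *StoredObject, objectID []byte) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, objectID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Body, objectID)
}

// RotateKEK re-wraps the DEK under newKEK. Only the small WrappedDEK field changes;
// the bulk data is neither decrypted nor rewritten, which keeps rotation affordable over multi-year retention.
func RotateKEK(oldKEK, newKEK []byte, obj *StoredObject, objectID []byte) error {
	dek, err := open(oldKEK, obj.WrappedDEK, objectID)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, objectID)
	if err != nil {
		return err
	}
	obj.WrappedDEK = wrapped
	return nil
}

func main() {
	kek, id := RandBytes(32), []byte("vol1/customer-0042") // constructed sample
	obj, _ := Store(kek, []byte("constructed sample: customer record 0042"), id)
	pt, err := Load(kek, obj, id)
	fmt.Printf("on media: %x\nwith KEK: %q (err=%v)\n", obj.Body, pt, err)
}
```

Run it and the "on media" line is what an attacker with the raw disk, tape or replica sees: random-looking bytes with no trace of the record. The KEK never touches the storage system in this design, which is the separation the paragraph above calls for; after `RotateKEK` the old KEK no longer opens the object even though the body on the media is byte-for-byte unchanged.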
How Much Would a Breach Cost Your Company?
As you analyze your protection strategies, you'll also need to consider what a breach could cost your organization. Ultimately, the value you assign to this will depend on your business and the legislation that applies to your organization. Recent studies by Gartner and other research organizations estimate the cost of a breach at roughly $90 per customer record compromised, including notification costs, credit reporting services and administrative time.
There are many other costs that may apply, depending on the nature of your business:
- Criminal or civil penalties enforced by the courts
- Legal costs required to defend the company in such cases
- Loss of trade secrets or other intellectual property made public or falling into competitors' hands
- Brand damage
- Loss of customers, or at a minimum, customer trust
Traditionally, decisions regarding the amount of security for data were based on a simple assessment: if the cost to an adversary of breaching the data was higher than the data's worth, then it didn't make sense to apply the protection. However, with the myriad legislation that requires organizations to protect their customer data, this dynamic has changed drastically. The actual value of the data itself can be dwarfed by the cost of penalties imposed on your organization. Estimating the cost of a breach helps you justify a reasonable budget for the defensive measures needed to prevent it.
Vendor Evaluation
There is a range of different approaches to securing data at rest. When evaluating storage security solutions, especially those that incorporate encryption, some unique criteria should be considered. For example, you may determine that you need to keep a piece of encrypted data for 10, 20 or more years. In this case, you should be very comfortable that the solution provider, and their technology, will be available to you that far in the future. In practice this means asking whether the keys, the key-wrapping format and the on-media data format are documented and exportable well enough that you could still recover the data if the vendor were not, since encrypted data whose key cannot be recovered is as good as destroyed.
Some of the general factors you should consider when evaluating a vendor include:
- Financial stability and long-term viability
- Leadership position in the market
- Industry awards and other recognition