When you hear the phrase data security, what comes to mind? Encryption, key management, locked doors, tamper-proof audit logs, firewalls, biometric card key access, passwords, logical, physical, privacy screen filters or secure erase and asset disposal? Answer 'yes' to any of these among others and you are on track with regard to data security. However, there is confusion between terms like data protection, which can mean protecting data through backup, snapshots and replication, and terms that infer data security from a logical or physical standpoint.
This tip compares data security to data protection, including backup, replication for business continuity and disaster recovery, which you can learn about in other SearchStorageChannel.com tips (see sidebar). Data security, or, put a different way, securing data involves different techniques and technologies for some logical and some physical entities. To help understand how, as a storage reseller or services provider, you can provide different data security solutions to help your customers secure data, let's take a closer look at logical and physical data security and when and where they apply.
Logical vs. physical data security
Logical security, particularly encryption, tends to get more coverage due to the increase in reported incidents of data being lost or stolen on laptop computers, disk drives or magnetic tapes. However, lost or stolen data can also be attributed to a lack of physical security and issues with logical security. Granted there are more external threats to data now than ever before, and you must secure data against threats beyond the confines of a customer's business to meet privacy and regulatory compliance requirements. Yet when speaking with IT organizations of all sizes, a common concern is internal threats, in addition to external threats.
Let's review some techniques and technologies to address various security threat risks.
Physical security services may include the following:
- Physical card and ID, if not biometric access card, for secure facilities
- Security and safe disposition of storage media and assets
- Asset and media audits on site and off site
- RFID-enabled volume labels for removable magnetic tape and disks
- GPS-enabled tracking transportation or shipping cases for removable media
- Secure digital shredding of deleted data with appropriate audit controls
- Video surveillance of IT assets and equipment and management consoles
- Physical transportation of removable media (disks, tapes, CDs) and printouts
- Monitoring of IT equipment, including power, cooling and ventilation
- Locked doors to equipment rooms and secure cabinets and network ports
- Background checks on employees and contractors who handle data and media
- Usage or disablement of portable media including PDA and USB thumb drives
- Asset tracking of portable devices and personal or visiting devices
- Limits or restrictions on photo or camera usage in and around data centers
- Low-key facilities absent of large signs advertising a data center's location
- Closed window blinds, especially when using backup power during a power outage
- Protected (hardened) facility against fire, flood, tornado and other events
Logical security services may include the following:
- Usernames and passwords along with rights management
- Virtual private networks (VPNs)
- User credential authentication and individual rights authorization
- Logical storage partitions and logical or virtual storage systems
- Audit trails and logs of who accessed what, when and from where
- LUN and volume mapping and masking, and SAN port and device zoning
- SAN segmentation and logical isolation (logical SANs)
- Encryption of data at rest (on disk or tape) or in flight (transmitted over network)
- Encryption key and digital rights management
- Secure servers, file systems, storage, network devices and management tools
Data Security Technology When and Where to Use It Encryption Data in flight (being transmitted locally or remotely), data at rest on disk or tape, including online and offline data across different tiers of storage. Key management is an important part of implementing security. Firewalls Implementing rings or perimeters of defense around your servers and storage systems can involve firewalls to guard external and internal threat risks. Secure erase Host-software based, appliance or storage-system based to insure that deleted data is in fact deleted, and to insure the disk drives and tape media are securely erased. Asset disposition Make sure that discarded or retired tape media, laptops, desktops, servers and storage systems are safely and securely disposed and media is erased. Authentication Verify identity using at least username and password, if not additional means including biometrics. Authorization Based on valid credentials and permitted access rights, enable access to certain functions or resources. LUN and volume mapping Map or allocate specific storage volumes or LUNs to specific servers to insure that unauthorized servers do not gain access (read or write) to data and storage. LUN and volume masking Conceal certain devices, LUNs or volumes from servers on a shared SAN to prevent those servers from seeing and trying to access data storage resources. Zoning Control which servers and devices can see and access various resources in a SAN. Video surveillance Monitor who accesses various IT resources and equipment. File system and directory access Control who can read, modify or perform functions like backup on different forms of data. Logical storage partitions Create the illusion of separate, virtual storage systems to isolate various applications, customers or data types on a shared storage system. Tamper-proof logs Audit logs to track who accessed what resources, performed what functions, when and from where. Intrusion detection Determine when someone has accessed resources, and if they have been authorized or not authorized to do so.
Figure-1: Various logical and physical security techniques and technologies
As a storage channel professional, understanding the many dimensions of securing data including logical and physical security measures, opens the door for you to provide more data security services to your customers. For example, are your customers currently encrypting their data and if not, how can you help them overcome barriers preventing them from leveraging encryption. If your customers are currently encrypting data being sent off site because they are concerned about losing data, then you can work with them to address the bigger issue of avoiding data loss and theft.
The key -- pun intended -- to unlocking the data security potential for services is identifying various threat risks applicable to your clients' environments and aligning the appropriate logical and physical security to counter those threats. That's where you can be creative in offering new security services that encompass servers, storage, networks, facilities and software. You can learn more about securing your data, data protection and data security in general in some of my various tips and expert responses, as noted in the sidebar.
About the author:: Greg Schulz is founder and senior analyst of the independent storage analyst firm the StorageIO Group and author of the book Resilient Storage Networks (Elsevier).
This was first published in June 2007