When soliciting vendors for storage management solutions, what are the top five questions to ask them about security as it relates to storage?
- What type of authentication are you supporting? The T11 FC SP draft recommends support of DH CHAP with RADIUS server.
- What type of encryption is used to secure traffic between the management entities? They may use SSL, SSH and in certain environments VPN/IPSec may help.
- How the encryption keys are stored and secured?
- How the secrets (e.g. passwords) are secured while in storage?
- What kind of access control (RBAC etc.) is supported?
Ask expert Greg Schulz how to keep your stored data secure at SearchStorageChannel.com. I want to create a secure SAN with data encrypted in flight over FC. I think the host and disk side will need some hardware for encryption. Is my thinking correct?
Get more technical advice about Fibre channel at SearchStorageChannel.com. Is there anything similar to Domain Controller that stores user names, separately or with WWN, port numbers and domain names, and verifies against them when the user logs into to a particular server? I didn't see any user credentials in SNS table of the switch.
The WWN and port numbers may be saved in the individual devices. However, the security credentials should be saved in the RADIUS Server -- assuming the vendor implements the CHAP protocol for authentication.
Ask Vijay Ahuja your data storage security question at SearchStorage.com. What are the best options for VARs to help customers who want to ensure secure backup?
Cutting through the confusion of when to rely on backup to disk or tape, snapshots, off-site replication combined with where to leverage CDP or data deduplication or VTLs can be a daunting task that a VAR can assist their clients with. Consequently, a VAR can help their customers with risk assessment, technology alignment, best practices and looking for ways to help cost justify data protection solutions. One of the first things VARs should do however is make sure that their own environment is adequately protected using solutions, techniques and best practices that they would be selling to a client. Likewise if I'm a client of a VAR, one of the first questions I'm going to ask in addition to other references is how does a VAR protect its own business and data from various threats and risks.
Ask expert Greg Schulz how to keep your stored data secure at SearchStorageChannel.com. In light of the plethora of removable storage devices, such as flash drives, etc., what do you recommend for reducing the possibility of data being accessed by the "wrong people?" Also, what are the best methods and practices for encryption and password protection for these devices?
As always, layered security is the best way to protect your data, and at the heart of your defenses has to be strong authentication and access control lists so you know who has access to what data. When using Windows, this requires that all data be stored on NTFS drives, which also allows you to encrypt sensitive data. With regard to your PCs, keep their cases locked and maintain control over physical access to them. They should all have the BIOS set to only boot from the hard drive to prevent users from booting them to an operating system stored on a portable device. The BIOS should also be password protected. You can use the Windows device manager to disable unwanted ports, such as FireWire or Bluetooth, to prevent their misuse. Your security policy should cover and restrict the use of privately owned devices within your organization, and where portable devices are allowed, the policy should state the need for passwords and encryption of any stored data.
Get more information about data security and backup at SearchStorageChannel.com. It seems that a blind eye is being turned to removable storage devices because of their portability and ability to transfer large amounts of data (such as over 25 million veterans' personal data). Not many places seem to understand the true risks that removable storage devices pose. So I question, if you're responsible for information security, where do you draw the line between convenience and strict security guidelines?
It is true that removable devices usually fly under the security radar. This is because security teams are too busy attempting to secure the more traditional methods used for data transfer, and removable storage devices have not fully hit the consciousness of those responsible for securing sensitive data, yet. Do not overlook PDAs, digital cameras, smartphones, Bluetooth and infrared devices. These are all potential points of danger; all allow data into and out of your environment, and must be properly identified and controlled.
It is also necessary to make users accountable for their actions. This is where most organizations fall short. Integrate removable storage risks into your security policy. Provide configuration standards for the type of product you choose to purchase and implement. Integrate these types of risks into your security awareness training programs and when people do not do as they are told, management should hold them accountable and potentially make an example out of them. Sadly, users will usually ignore the rules unless the rules are accompanied with repercussions. Since organizations can now get hit with penalties themselves (SOX, GLBA, HIPAA, Privacy laws, etc.) users need to be forced to act responsibly.
Read the rest of Shon Harris's answer on SearchSecurity.com.