Enterprise IT Watch Blog » storage security

Book Recommendation: Securing Storage

Kevin Beaver — Fri, 02 Jul 2010 18:59:56 +0000

While I’m on my storage security kick I thought it’d be worth sharing a valuable book on the topic by Himanshu Dwivedi:

Securing Storage: A Practical Guide to SAN and NAS Security

It’s five years old but still very relevant in today’s storage environments. If anything, just browse through it the next time you’re in the bookstore. It delves into storage security weaknesses you can’t afford to overlook that so many people are still ignoring.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

Finding those needles in your storage haystack

Kevin Beaver — Wed, 30 Jun 2010 16:29:02 +0000

Information is at rest most of the time. Therein lies the problem. Give malicious attackers, rogue insiders or just a few bored employees any decent amount of time on your network and they’ll likely uncover sensitive information they shouldn’t be able to access. So what’s a network or storage admin to do? Unstructured information (PDFs, spreadsheets, word processing documents, etc.) is scattered all about the network in practically every nook and cranny. How you can possibly find out where everything is so you can ensure it’s safe from prying eyes?

The simple formula is to find out what you’ve got, determine how it’s at risk, classify it and do whatever it takes to keep it in order only accessible to those with a business need to know. It’s that first step though – finding what you have – that’s so difficult. I’d venture to guess even the sharpest network/storage admins don’t have a real sense of what’s actually stored in their environment. Not from lack of expertise or effort but rather because it’s just so darn difficult to find where everyone and every application has stored these files.

Here are some ideas on what you can do to figure out what’s where:

Simply ask information owners what they’ve got. It won’t be completely reliable but it’s a start.
Use search tools you’ve already got such as Windows Explorer or find in UNIX/Linux. Painful but possible.
Use more advanced search tools such as Google Desktop or FileLocator Pro.
Use enterprise search tools such as Identity Finder or even some of the more advanced e-discovery/ILM tools such as those offered by StoredIQ or EMC/Kazeon.

However you go about it, just do something. There’s undoubtedly unstructured information at risk in your storage environment and getting started finding out where it’s at today will serve your greatly down the road when things are even more complex.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

Beware the cloud marketing machine

Kevin Beaver — Mon, 21 Jun 2010 11:22:40 +0000

I saw this chat regarding storage, the cloud, and data protection and it reminded me of how nauseated I get when I hear about all the great new ways that the cloud is going to save those of us in IT from the evils of the world.

Be it in the cloud, in your data center, or in cousin Willy’s basement, the same data protection principles apply to storage systems. The reality is:

No cloud vendor can offer risk-free storage services.
No SAS 70 audit report is going to tell the whole story.
No contract or SLA is going to keep your business out of hot water or the headlines when an issue of confidentiality, integrity, or availability of your data is compromised.
A marketing spin can be put on anything.

If a storage device is on the network and a human being is somehow involved in its setup, ongoing management, and maintenance, you can bet your bottom dollar that there’s going to be risk. Cloud or not, do yourself and your business a favor and understand what you’re getting into before you jump on the bandwagon.

For further reading on the risks and realities of cloud backup, check this out:

Data security concerns with online backup

Find unexpected vulnerabilities to ensure cloud compliance

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

The ultimate solution for securing laptop storage?

Kevin Beaver — Thu, 17 Jun 2010 17:22:10 +0000

In preparation for my session at the upcoming Gartner Security Conference, I’ve been reviewing Intel’s Anti-Theft Technology. Have you seen it? It’s pretty neat and is a unique approach to the mobile security dilemma.

Basically, Intel is starting to integrate laptop security into their 2010 Intel Core hardware which promises to:

Detect suspicious behavior that could indicate someone trying to break into the computer.
Guard your hardware even if your hard drive is removed, replaced or reformatted.
Restore operation when (if) the laptop is recovered.

Intel claims the technology will work even if someone re-images the system, changes the boot order, installs a new drive, or keeps the system off the Internet.

Now this is change we can believe in!

I’ve always thought that unless and until the vendors integrate controls such as Intel’s Anti-Theft Technology and drive encryption from the factory, we’re going to continue having a ridiculous amount of mobile security breaches. Sure, these technologies aren’t going to run themselves, but I believe them being built-in will dramatically increase the chances that they’ll be used.

I’ll give it a few more years, but I think my continual ranting about mobile security may eventually come to an end.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

Storage Decisions 2010: Storage Insecurities Ride On

Kevin Beaver — Tue, 15 Jun 2010 11:01:32 +0000

As TechTarget’s Storage Decisions conference wrapped up today, I was perusing the conference site and noticed something peculiar about the sessions. There are sessions on backup. There are sessions on disaster recovery. There’s even one on ITIL. But nowhere could I find anything on storage security.

Sure, being a security guy, I’m biased in my approach, but if storage security is not being discussed at such a high-profile conference, where is it being discussed? Well, perhaps there’s some coverage at RSA, CSI, and related security shows, but I wouldn’t think those are the shows where storage admins are hanging out.

My point is, there’s still a disconnect between the perceived risks of storage systems and the actual risks. Based on just the storage-related vulnerabilities in the past 12 months alone (search the word “storage” here), there are obviously some things that should concern any given business. Storage is more than boring old disk drives; it’s applications, operating systems, and firmware that present a relatively broad attack surface on the network. What is your organization doing about it?

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

Moment of Truth: Storage and Business Risk

Kevin Beaver — Wed, 09 Jun 2010 12:00:59 +0000

When you hear the word “storage,” what typically comes to mind? Likely NAS, SANs, DAS, data centers and so on, right? Well, there’s another component to storage that tends to get overlooked…at least in the context of oversight, security, and compliance. That is: mobile storage. From smartphones to external hard drives to iPads and beyond, there’s easily as much storage capacity on your business’s mobile systems as there is in the traditional storage environment. That’s a big deal.

So how are you keeping that storage environment under wraps? Management will often proclaim,“We have a policy against placing sensitive information on mobile devices,” and go on to say, “We trust our users to do the right thing.” This is all fine and dandy on paper but in reality, there’s a lot of risk any given business is bearing due to unprotected – or underprotected – mobile storage. If I were a betting man – and I am – I’d venture to say that 95% of all storage-related risks is in your user’s hands, literally.

Keep this in mind when securing your storage systems; there’s a big payoff to be had if you do. Otherwise, when someone – such as a business partner, auditor, regulator, or opposing legal counsel – asks you if your storage environment is secure, what can you truthfully say?

For further reading, check out the pieces I’ve written for TechTarget on mobile storage security.

Who needs storage security anyway?

Kevin Beaver — Tue, 08 Jun 2010 12:00:41 +0000

I’m in the middle of writing a whitepaper on data protection for CSOs, and it occurred to me just how often storage systems are overlooked in security testing. The typical security assessment involves servers, workstations, mobile devices, databases, Web applications, WiFi, and network infrastructure systems. You rarely see/hear anyone scoping storage systems in particular. Why is this? Do people just assume that they’re secure because they’re on a hardware appliance or they paid a gagillion dollars for them and surely someone thought about security along the way?

The reality is, if it has an on/off switch and an IP address, it’s fair game on the network. Not only do high-end NAS and SAN storage systems meet these criteria, but they also have other attack surfaces – especially Web interfaces – that make them that much more susceptible to attack. Unfortunately, such IPs and URLs may or may not be tested during any given internal vulnerability assessment depending on the scope and how deep the tester looks.

Whether you do it yourself or hire an independent information security consultant, when it comes time to scope your next security assessment, be sure to include your storage environment. If you don’t find the weaknesses, surely a bored or malicious insider will. Better to be proactive for something so critical to your business.