Getting tough on data security
- 16 November, 2005 12:21
One job I don't envy is being the person responsible for data security at a major company. There are very few other jobs where there is so little you can do to prevent so much from going wrong.
Not surprisingly, many companies view their security guru pretty much like the way ancient tribal people saw their medicine man -- although perhaps with much less confidence these days. Take, for example, the recent rise in security breaches (lost backup tapes, disclosure of customers' data, and such). I don't believe -- not even for a second -- that those companies saw the possibility of a security breach coming and chose to do nothing to prevent it.
Rather, I believe their priority was to attend to other security measures considered more pressing at the time than, say, encrypting tapes or verifying access to e-mail archives. The scary part is that right at this moment, your company (and mine) could be making the same mistake.
Is it reasonable to assume that the same incident won't happen again -- that lightning won't strike twice? Perhaps, but a security breach in a different area is still possible because a full security blanket does not exist. Also, there's no well-defined framework for data security, which makes it difficult for companies to effectively integrate different products. As a result, even if the security manager is making every possible effort to protect the confidentiality and integrity of company data, those measures are not guaranteed to work.
Luckily, things are beginning to change, perhaps fueled by the public uproar following some of the recent security breaches. I recently spoke to at least two vendors who gave me a ray of hope for the future of data security.
"The problem our company really focuses on is how to simplify data management, and security is a fundamental component of that," says Kevin Brown, vice president of marketing at Decru, a storage security vendor that was acquired by NetApp earlier this year. I spoke with Brown to learn more about NetApp's new Uncompromised Security Initiative program.
"If you look at the storage industry, there has been very little security built into any of the products," Brown says. This candid statement probably explains why the early stages of NetApp's initiative take a critical look at the status quo of data security.
"You can steal a lot more money by stealing a backup tape today than by assaulting an armored truck," Brown continues, adding that a company's backup data is much less protected that those tanklike trucks.
"What we are trying to do [with the Uncompromised Security Initiative] is to listen to customers' concerns [about security] and see how we are going to fulfill them," Brown says.
Brown lines up the major building blocks of a comprehensive approach to data security, including keeping the bad guys at bay, protecting the company perimeter, and implementing comprehensive data-protection measures. Customers may have skipped some of these data-protection measures because they were too onerous on daily operations, he says.
"We can do a lot better," Brown says. "We can build security into the infrastructure, and as vendors start building security into all their products, we can make systems a lot more secure."
I couldn't agree more with that. But NetApp is not alone -- at least one vendor, Atempo, has already started to build security into their systems. Atempo's data-protection solution, Time Navigator, was one of the first products to offer data recovery from any point in time.
Other products built around Time Navigator include continuous data protection, e-mail archiving, and disk-to-disk-to-tape, which makes Atempo a likely partner for a customer pursuing ILM (information lifecycle management).
Early in November, Atempo added SCM (Security and Compliance Manager) to the suite, an application that makes it easier for companies to comply with the dictates from Sarbanes-Oxley, SEC, HIPAA, and other regulations.
Compliance is an interesting proposition in itself, but Atempo built several layers of security into SCM, including the capability to manage security certificates, enforce several encryption methods, and diversify security policies depending on business requirements.
"Protecting data security is a bigger and bigger issue, something that has not been addressed effectively to date primarily because of the tools available to the customers," says Stephen Terlizzi, vice president of global marketing at Atempo.
Sounds a lot like what NetApp's Brown was saying, doesn't it? Seize this moment: the storage industry reciting the "mea culpa" on data security -- although, to be fair, these two vendors are not the major sinners.
Terlizzi says the security measures built into SCM add value to the compliance enforcement, protecting data from tampering and malicious disclosure regardless of its location.
I will probably hear a similar pledge from others (especially after this column), but it's comforting to see at least two vendors take a decisive stand on security. If you have not already, I suggest questioning your storage vendor about data security from now on. Ask what security measures are in their products and what plans they have for the future. If you don't like their answers, move on.
To close, I'll quote Ben Page, senior manager at Deloitte Services, who ended a rather interesting Storage Networking World session with this sentence on what's important to focus on when shopping for storage: "You are not just choosing technology but a business partner."
Make sure your storage partner has the same vision you have on data protection. After all, it's your head on the chopping block.