Regulations have made secure storage a necessity for companies of all sizes, including small and medium-sized businesses (SMBs). The demands on stored data can pull in opposite directions: some information is kept readily available for auditors and regulators, while other stored data is high-risk customer information. SMBs are just as liable as larger companies for lost or stolen unprotected data.
For SMBs, this isn't an easy puzzle to solve. The high cost of setting up a storage area network (SAN), or even standalone dedicated file servers for high-volume storage, combined with the complexities of implementing the required encryption, is enough to scare away any SMB with a limited IT hardware budget.
But SMBs do have options for securing storage, even from big vendors that normally sell their products to large enterprises: products that are scaled down, priced right and equipped with manageable encryption that won't require an army of mathematicians and engineers to understand.
There are three steps for securing IT storage at an SMB: planning, choosing the hardware and architecture, and implementing it.
The planning stage consists of a thorough risk analysis of the data needing to be archived. Usually, such data falls into three broad categories: marketing and sales records; old email; and documents with customer information, details of past transactions or confidential company plans.
Marketing and sales records, if they can't be tied back to individual customers, are often of low risk. Used for projecting long-term sales trends, they don't require as much airtight security as customer information, company plans or transaction details, all of which, if exposed, could put the company at risk. Email is hit or miss. It ranges from the innocuous to the deadly, laden with juicy corporate information that would make an industrial spy salivate.
After categorizing the data, sort it based on risk. High-risk data should never be stored with low-risk data that's on less secure storage. Storage security isn't just about encryption; it's also about strategically putting your data in the right place. Just because something is encrypted doesn't mean it's secure.
Choosing the right tools
Choosing hardware and architecture can be the most difficult part of the whole process. The number of vendors and the range of products are staggering. Large vendors, like EMC Corp., Hewlett-Packard Co., Cisco Systems Inc. and IBM, all have offerings with security features that have been scaled down in response to increased demand from SMBs.
But there are also smaller players catering to the SMB market, like Brocade Communications Systems Inc., Decru Inc., MaXXan Systems Inc. and NeoScale Systems Inc. San Jose, Calif.-based Brocade allows segmenting hardware for different levels of storage, say, based on risk, and uses Fibre Channel SANs to connect servers and storage. It uses Secure Shell Telnet to manage switches and a Web-based interface for administration. Redwood City, Calif.-based Decru offers its own DataFort encryption technology, which encrypts data in transit, without having to install new switches. Both Brocade and Decru are in the $10,000 to $30,000 price range, depending on implementation.
San Jose, Calif.-based MaXXan's CipherMax similarly encrypts data en route and integrates into an existing SAN, even with different types of media, such as tapes or drives. CipherMax is a hardware encryption solution meant to increase performance over software encryption. It also provides a built-in key management system.
CryptoStor from Milpitas, Calif.-based NeoScale is another intriguing product that bills itself as easy to use for smaller storage networks. It provides encryption and centralized management, allows for SAN segregation and separate access management, and is scalable for future growth of your network storage. CryptoStor works with Fibre Channel SANs rather than IP SANs.
Accompanying software for security management of these products includes the SANtegrity Security Suite from McData Corp. in Broomfield, Colo. The suite provides reports on security events and incidents and checks for secure configuration of networks and ports.
When shopping for storage security products, keep the following in mind:
- Make sure the product is compatible with your existing network and SAN infrastructure. Even smaller vendors have arrangements with larger partners, such as Brocade's with HP, and they may already have a deal with your current hardware supplier. Even though your SAN might be segregated from the rest of your network, databases in your network, for example, still have to communicate and transmit data to the system.
- Work with the vendor to set up acceptable maintenance and service contracts. Can this system be maintained by your existing network staff? Is it easy to administer with a Web interface? In an SMB without a dedicated information security department, it might have to be.
- Check how the product integrates into your existing access management system. The whole point of keeping storage secure is to make sure only system administrators can get in.
- Review how encryption is managed to make sure keys themselves are handled and stored securely within the system. Does the product work with existing thick-of-the-market hardware and software encryption technology? How does the encryption affect performance?
- See if the product scales and allows for expansion in your SAN as your company and its data storage needs grow. Is it flexible enough to connect with a heterogeneous SAN made up of both Windows and Unix boxes?
Storage security products are part of the communication link between your network and your SAN. The two options are Fibre Channel and IP. Conventional wisdom is that Fibre Channel is faster than IP. The drawback is that it's also more expensive and requires technical expertise that might not be available in-house.
In some cases, the decision may already be made for you, depending on the product you purchase and which option it supports. For an SMB, the cheaper and easier route might be IP. Again, consider this when shopping around, so as not to get locked into something incompatible with your network or SAN.
With careful planning, a strong risk assessment to segregate data and a thorough review of your network needs, securing your storage can be painless and cost effective.
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and the author of The Little Black Book of Computer Security, available from Amazon.com.