Is data-centric security essential in modern storage solutions?

Data storage security has quickly become both a hot topic and a new budget line item for CTOs and CIOs in 2015, both here in the US and around the world. An organization's data is most often its most valued asset, and keeping it stored safely is increasingly both a commercial and a legal imperative. Managing not only how data is stored but how it is securely accessed and communicated across a wide range of media and services is the fundamental building block of information assurance.

Regulatory compliance has driven a variety of storage practices over the years to guarantee information assurance, but one of the most sweeping new international reforms comes from the pending EU General Data Protection Regulation (GDPR), being adopted by all 28 of the EU member states. Substantial changes in scope to embrace the globalization of cloud computing, social networks and data breaches bring in new levels of enforcement and heavy fines that will forever shake up EU data protection practices and privacy guidelines.


The security of data storage systems and their supporting infrastructure has often been overlooked because of a basic misunderstanding of the inherent risks to data storage ecosystems, leaving data exposed to compromise from a wide variety of events. The new NIST-sponsored Cyber-Physical Systems (CPS) framework was initiated to define key characteristics that better manage the development and implementation of both Industrial Internet and Internet of Things (IoT) physical, computational and data storage components across multiple smart application domains, including energy, healthcare, law enforcement, manufacturing and transportation.

The new ISO/IEC 27040:2015 defines data storage-centric security as the application of physical, technical and administrative controls to protect storage systems and infrastructure against unauthorized disclosure, modification or destruction. These controls can be compensatory, corrective, detective, deterrent, preventive or recovery in nature.

The rapid adoption of complex software-defined storage (SDS) systems, i.e., the uniting of compute, networking, storage and virtualization into a hyper-converged storage solution, became a top data center trend impacting both data security and data recovery strategies in 2015. Although SDS simplifies rapid provisioning, ease of implementation and redundancy while providing significant savings in cost, power and space, data storage-centric security remains a significant gap in the SDS infrastructure.

Due to superior accessibility, capacity on demand, flexibility and lower overall IT costs compared to legacy online compute and data storage methodologies, cloud computing has quickly become a mainstay worldwide. Yet, just like traditional online compute and storage methodologies, cloud computing has its own set of unique data security issues. Mitigating risks before and throughout a cloud adoption is the number one imperative among CIOs, CISOs and DPOs as they transition applications and data to the cloud. The decision to move to the cloud depends on the sensitivity of the data and application, the service-level agreement and the overall cloud security infrastructure, and ultimately on whether the business value offsets the risks.

According to a recently released 2016 Trend Micro security report, despite the need for a Data Protection Officer (DPO) or a Chief Information Security Officer (CISO), less than 50% of enterprise organizations will have one, or a budget for one, by the end of 2016. With the EU GDPR, coupled with the ISO 27040 data security standard, mandating a significantly higher degree of data protection, a DPO/CISO position designated solely to ensure the integrity of data within and outside the enterprise is a wise investment. With this higher degree of awareness, legislation and technology around data storage-centric security, we will begin to see a proactive shift in enterprise policies, practices and strategies that will bring effective protection to the storage infrastructure.

Public safety is now a concern of every commercial enterprise, municipality, school and university. High-resolution video surveillance and law enforcement body-worn cameras (BWC) are generating more long-term video storage requirements than ever before. Enterprise IT must be able to balance a budget for both cameras and a secure infrastructure that enables easy, yet secure, data access. A wide variety of new BWC, chain-of-custody, evidence management and surveillance technology solutions are blossoming as new local, state and federal budget resources are made available in 2016.

In the first quarter of 2015, IDC reported that 28.3 exabytes (28 billion gigabytes) of data storage capacity was shipped worldwide. The majority (23%) of this spending was on server-based storage and hyperscale (SDS architecture) cloud infrastructures, while traditional external storage arrays fell significantly and were replaced by all-flash and hybrid flash arrays (NAND/HDD). Less than 0.05% of all the storage products shipped employed Self-Encrypting Drive (SED) technology, while almost 90% of all flash arrays shipped were SED capable. SEDs offer FIPS 140-2 compliant security without the overhead of a software-based encryption scheme, coupled with self-describing encryption key management capability, making them a valued component of the secure data storage infrastructure.

Over the next several months throughout 2016, we will delve more deeply into the practical application of specific secure storage technologies: why and how to put security directly into the physical storage technology, the advantages and disadvantages of specific data storage technologies, cost analysis and more. Stay tuned.
