Enterprises are increasingly amassing terabytes of data into SAN environments as they seek to improve access to information and simplify network management. Yet, says Rory Sweet, Managing Director of Zycko, companies are still not doing enough to protect business-critical data stored on the network.
Many companies have moved towards networked storage architectures in recent years as a result of increased file sizes, rocketing email use and, more recently, the wealth of laws and regulations requiring companies to hold on to data, all data, for much longer than before. The business benefits of implementing SAN storage solutions for such companies are many and varied, including reduced costs, increased scalability and greater operational flexibility.
However, as increasing amounts of data are stored, not enough is being done to ensure that malevolent intrusions or even prying eyes from within the company are being kept at bay. This trend was highlighted by recent revelations that hundreds of civil servants were disciplined throughout 2003 for accessing confidential computer files they had no right to read. The risk to confidential information at government departments such as the Inland Revenue was first revealed last year when a warning was issued to all staff waiting for tax credits not to check their own records on the department's IT systems.
In today's enterprise environment, a single internal or external breach can compromise millions of private records. The first step to ensuring that stored data is secure is recognising how essential it is to a company's reputation: a security breach can cost millions in terms of revenue and have still more devastating effects in terms of loss of reputation and lack of customer confidence. While most companies are techno-savvy enough to install security measures to prevent external attacks, many are still doing little to avoid breaches from within.
In light of the Gartner Group's recent estimation that as many as 70% of unauthorised attempts to access private data originate within an organisation, this lack of defence seems to be a significant oversight. The problem is inherent in the fact that IT managers have traditionally had to have certain root privileges in order to manage and configure their systems or to perform necessary maintenance such as performing backups or adding patches. Until recently this has meant that they were, by extension, able to see all the data managed by these systems. One consequence of this ability is that, should a security breach occur, there is an ever-present temptation to point the finger at the attacked company's IT department, a phenomenon that is seemingly on the rise. Says Bill Spernow, security research director for technology-industry consultancy Gartner: "I have seen a lot of cases of a systems administrator gone bad."
The new DataFort security solution from Decru ensures that the management of data can be fully separated from the ability to read it. This means that IT departments can still perform all their normal administration tasks without being able to access the data those systems contain. Not only can the IT department access everything they need to manage the allocation of storage space effectively, but they can also do so without the fear of retribution if, or when, private or classified information is leaked.
In terms of peace of mind, this technology gives companies a definite step up, which is strengthened by a role separation function guaranteeing that at least two people must participate in any decision to modify security privileges to access data. This means that no employee is able to act alone to change settings or passwords. As a highly respected storage journalist observed recently, "In any multinational corporation there are as many as 500 or more people who are able to see pretty much everything. Odds are one of them will have a bone to pick." I'm not a gambling man but they don't seem like such great odds when that one person could have potentially disastrous results for the corporation's reputation, and more importantly, its revenue.