Group Calls for Security Shakeup

Users should keep their eyes peeled for potential security breaches, implement rigorous backups, and lock down data center access if they want to keep systems secure. These are some of the key storage warnings from TRUSTe, which unveiled its latest set of security guidelines today.

The non-profit organization, which was set up to tackle Internet security and privacy, is calling on firms to identify gaps in their storage procedures. This, according to Cathy Bump, TRUSTes vice president of policy, means developing internal systems to nail all possible threats.

“Employees need to understand that a lost disk, for example, is a potential security threat,” she explains. “Even if the disk was lost and found, that still points to a flaw in your safeguards.”

Sound far-fetched? Hardly. Last year the Los Alamos National Lab, which is at the forefront of the U.S.’s nuclear research, was thrown into turmoil when two disks containing classified information were reported missing, prompting a massive overhaul of its procedures. (See Los Alamos Launches Monitoring System and Los Alamos Searches for Lost Media.)

TRUSTe urges users to think seriously about how they back up their data. This, according to the guidelines, should include checks on current access controls, to find out who is getting hold of what. Users should make sure they review and test their backup processes, and if necessary, redesign them.One user in the throes of a backup overhaul is Les Martin, tactical systems engineer at the U.S. Navy’s Surface Combat Systems Center. “We were doing backups on individual pieces of media,” explained Martin. "Now we’re shifting to a new backup model using storage area networks.”

Rather than dealing with the hassle and risk of shifting media from one naval location to another, Martin says that the SAN, which will be built over the next two fiscal years, will enable “electronic transport” of data. “We will be doing a lot more effective backups.”

But it's not just backups that need to be constantly reappraised. “You have to be reviewing anything related to security and privacy because of the changing nature of threats,” says Bump.

Although security devices such as firewalls, Secure Sockets Layer Virtual Private Networks (SSL VPNs), and unified threat management (UTM) boxes have been grabbing the headlines lately, TRUSTe warns users about basic procedures -- such as the physical security of their data centers. This could include installing PIN devices, smart cards, and biometric readers at entrances, and even using Radio Frequency Identification (RFID) to monitor the movement of visitors.

Once again, this is not as far-fetched as it may sound -- some organizations have already started down this path. One professional services firm, which asked not to be named, recently told Byte&Switch that it is using RFID tags to keep track of who visits one of its main R&D facilities. (See Reva Taps Into RFID Data.)For Martin, based in Wallop’s Island, Virginia, data center access is already tight. “All the time on the site there are naval personnel with weapons. We also have non-naval security that have weapons, so the access is really limited.”

Backups and data center access are not the only security issues that TRUSTe wants users to focus on. The guidelines also urge “reasonable” encryption methods for storage, especially when maintaining sensitive information on servers, desktop PCs, and laptops.

Encryption is big news at the moment. Sun Microsystems Inc., for example unveiled its new device-level encryption strategy this week, which will eventually stretch across a range of both disk and tape technologies. (See Sun Fills in Storage Crypto Details and Sun Gets Secretive on Storage.)

Storage encryption is already offered by Decru (now part of Network Appliance), Neoscale Systems, and Kasten Chase. This month Spectra Logic will ship tape libraries with built-in encryption; virtual tape library vendor Sepaton Inc. will soon offer encryption through a partnership with Decru.

How does your security measure up? Why not take the latest Byte&Switch poll and tell us all about it. (See The Monster Within.)TRUSTe’s full set of guidelines can be found at: TRUSTe.

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article: