But it's not just external attackers gaining access through an IP gateway that enterprise storage managers must guard against. They also must be able to stop unauthorized access to stored data by employees and other insiders. CMP Media's Computer Security Institute, in its recently-released eighth annual Computer Crime and Security Survey, said 45% of enterprises in the last year reported unauthorized access to data by insiders. In one such breach, an employee of Coca-Cola Enterprises Inc. reportedly downloaded the salary information and Social Security numbers of about 450 coworkers.
Such breaches are becoming increasingly costly, particularly as government regulators pass new laws intended to safeguard private consumer information. One such law, California's Senate Bill 1386, went into effect in July and is considered something of a model for other states and the federal government. The California bill requires businesses to publicly notify consumers within 48 hours of any compromise of their personal information. Businesses, however, are exempt from the notification requirement if they've first encrypted the stored customer records.
"Those sorts of regulations, as they spread throughout the United States and elsewhere, will certainly bring the need for storage security into sharper focus," says Simon Robinson, head of the storage and systems practice at analyst firm The451.
Despite new privacy regulations and increased security vulnerabilities introduced by networked storage, many IT managers have yet to recognize storage as a potential security vulnerability. Government agencies, concerned about safeguarding information about individuals as they place more data online, have shown the most willingness to address the potential problem, leading the way in deploying new storage-security technologies. The Italian federal government, for example, as part of a major eGovernment project, has decided to deploy appliances from start-up Decru Inc. that encrypt all data in storage and authenticate server access.
"We have to secure that only the authorized persons should access sensitive data even in the data center, so we are protecting the data at the lowest level," said Marco Pissarello, business-development manager at systems integrator AGSM Telecomunicazioni in Verona, which is working on the project.
