Compliance
Organizations are facing an increasing challenge from regulations and legislative mandates that are dictating a more data-centric approach to information security.
Main Privacy-Related Legislation and Standards
In general, most compliance legislation dictates the following four parameters that organizations should follow with regards to sensitive customer data:
- Authorized Access: only authorized user(s)/system(s) can access and modify certain information, where they have the appropriate clearance levels and necessity to access it.
- Privacy: organizations need to take appropriate security measures to maintain the privacy of their customer data.
- Integrity: the initial quality and integrity of the data stored on company systems cannot be compromised.
- Auditability: the company must maintain auditable records that track and demonstrate a company's success or failure at achieving the first three criteria (authorized access, privacy and integrity of sensitive data). This includes information about potential security breaches that may have occurred and the company's response to said incidents.
To mitigate such risks and demonstrate compliance with legislation, IT management has instituted a number of perimeter security measures to protect and limit access to company networks, critical systems and applications. Measures such as firewalls, antivirus software and access control lists go a long way toward protecting company data. Likewise, the database and backup applications in use offer their own security protections for the data they hold.
In this era of loosely coupled, distributed architectures, one area of risk to data is often overlooked: the back-end storage layer, consisting of a company's primary, nearline and secondary (or off-site) storage. At these layers, data that is either "in flight" or "at rest" may still be vulnerable to unwanted access or misuse.
Often, primary storage is set up in some form of a storage area network (SAN) which allows company data to be centrally managed and stored on several, disparate storage devices that present themselves as a unified storage "pool" to various servers or applications.
Secondary or off-site storage may also consist of removable media, such as magnetic tape. This type of storage often contains plain text versions of sensitive company data that may be transferred to a remote vault or facility for storage in case of a disaster. Without proper safeguards, data on this portable media can be easily accessed, stolen or modified.
To accommodate a robust data protection and business continuity scheme, IT groups may also use advanced techniques, such as synchronous/asynchronous replication or snapshots to copy or back up mission-critical data to remote storage devices. They may also take advantage of third-party service providers to help store or process portions of their sensitive data.
In the early days of networked storage, back-end storage often existed in a "glasshouse" data center, where access to the data was physically limited to a select number of individuals. This is not the case today. The loosely coupled, distributed nature of most back-end storage infrastructures sheds new light on the security risks to company data both while it is "in flight" to or from back-end storage devices and while it is "at rest" in stored or archived forms.
All of these functions occurring at the back-end storage layer raise new security risks and potential access points that can compromise data.
In fact, any storage media that is accessible internally, handled by many staff, or sent outside the confines of the data center can be vulnerable to unauthorized data access, theft or corruption.
To guarantee compliance and data security at all levels of the IT infrastructure, organizations need to weigh these risks at the storage layer carefully and determine how best to mitigate them.