Security Planning: Data Storage and Sharing

As I wrote in the previous section, planning for a secure network begins with understanding the types of data on your network as well as where and how they’re stored, processed, and transmitted. We’ve already reviewed various data types. This section continues our look at understanding data risks with a discussion of how to understand where and how data lives on your network. We’ll add to the initial classification of public, confidential, or restricted, five additional attributes for each data type: how it’s stored, how it’s shared, data retention requirements, and e-discovery considerations.

The media used to store data at various points in the information lifecycle determines data protection security controls required and how to configure them. The principles types of storage include:

• Magnetic media. Magnetic storage is the most common place to find sensitive information. In most cases, information frequently accessed--information still used for day-to-day operations--is found on local server disks, local end-user computers, or in centralized disk arrays. Centralized disk arrays are a good choice for storing confidential or restricted data. Data residing in one place is easier to lock down, easier to backup, and easier to recover during disaster recovery operations.
• Backup tape. Most organizations still backup to tape as part of business continuity efforts. (Business continuity is covered in a later section of this manual.) These tapes typically contain information important to the business and valuable to criminals.
• Tape/Optical disk archives. Storage archives differ from backup tapes in how data on them are accessed. Data on backup tapes are not intended for daily access. Rather, information is stored on backups for recovery if a database, or the entire data center, is lost or damaged. Tape archives are used as off-line storage, accessed when users need information no longer stored on expensive magnetic online or near-line disks. These archives are designed for relatively easy access to specific pieces of information.
• Other removable storage. The storage media listed under the first three bullets are, for the most part, controlled by the organization’s information services (IS) department or team. However, storage technology today allows users to copy sensitive information to removable, portable storage, where it is more susceptible to compromise through theft or loss. These devices include,
• • MP3 players (e.g., iPods)
  • Thumb drives
  • USB-connected magnetic storage systems (hard drives)
  • CD-ROM or DVD drives
  • Floppy drives
  • Digital cameras

Organizations often have to share sensitive information with satellite offices, suppliers, legal teams, insurance companies, etc. How the data are moved from within your network to outside entities plays a large role in network security design. The following are the most common methods of sharing small or large amounts of information:

• Email. Email is often the preferred method of sharing information. However, email transfer of sensitive data is very risky, requiring special consideration.
• Instant messaging. I include instant messaging because of its popularity. As you’ll see later, there is only one smart way to deal with public instant messaging services—block them.
• Electronic Data Interchange (EDI)/File Transfer Protocol (FTP). File transfer methods, such as FTP and EDI, are common ways to move large amounts of data from one location to another. Like email, these transfers often occur over insecure Internet connections. And like email, they require special consideration when designing your network security framework.
• Removable storage. Removable storage devices, as defined earlier in How data are stored, are used to send information via traditional ground or air shipping methods, or via person-to-person transfers.
• Direct connection. The nature of some business-to-business relationships might require a permanent connection with a network outside your direct control.
• Remote connection via Internet. Today’s workplace often requires employees to connect to the network while on the road or at home. One-off connections might also be more appropriate for vendor connections than more expensive direct-connect circuits.
• Dial-up. We won’t spend too much time on dial-up solutions. There are too many easier, and safer, ways to allow remote users to connect.

The final two characteristics of your data are closely related. Data retention is important not only for regulatory purposes. It is also critical to any e-discovery policy you develop. As you plan your network security framework, make sure you understand how long you need to keep information, including email. If you keep it beyond the period dictated by regulatory necessity (e.g., payroll or financial data), be sure it’s kept for a very good reason. The same goes for retention policies regarding non-regulated email, Office documents, etc. If you have it, it is subject to discovery during legal proceedings.

When classifying your information, mark anything you believe might be discoverable. Discoverable information should be kept on accessible storage, such as magnetic or optical disk or tape archives. Failure to ensure easy access may result in heavy costs for retrieval or court sanctions resulting from not complying with discovery orders. We’ll look at e-discovery issues in more detail in a later section.

In the next section, we’ll conclude the data identification and classification portion of network security planning with a look at regulations that mandate certain controls for specific types of data.