Security Planning: Data Storage and Sharing

As I wrote in the previous section, planning for a secure network begins with understanding the types of data on your network as well as where and how they’re stored, processed, and transmitted. We’ve already reviewed various data types. This section continues our look at understanding data risks with a discussion of how to understand where and how data lives on your network. We’ll add to the initial classification of public, confidential, or restricted, five additional attributes for each data type: how it’s stored, how it’s shared, data retention requirements, and e-discovery considerations.

The media used to store data at various points in the information lifecycle determines data protection security controls required and how to configure them. The principles types of storage include:

• Magnetic media. Magnetic storage is the most common place to find sensitive information. In most cases, information frequently accessed--information still used for day-to-day operations--is found on local server disks, local end-user computers, or in centralized disk arrays. Centralized disk arrays are a good choice for storing confidential or restricted data. Data residing in one place is easier to lock down, easier to backup, and easier to recover during disaster recovery operations.
• Backup tape. Most organizations still backup to tape as part of business continuity efforts. (Business continuity is covered in a later section of this manual.) These tapes typically contain information important to the business and valuable to criminals.
• Tape/Optical disk archives. Storage archives differ from backup tapes in how data on them are accessed. Data on backup tapes are not intended for daily access. Rather, information is stored on backups for recovery if a database, or the entire data center, is lost or damaged. Tape archives are used as off-line storage, accessed when users need information no longer stored on expensive magnetic online or near-line disks. These archives are designed for relatively easy access to specific pieces of information.
• Other removable storage. The storage media listed under the first three bullets are, for the most part, controlled by the organization’s information services (IS) department or team. However, storage technology today allows users to copy sensitive information to removable, portable storage, where it is more susceptible to compromise through theft or loss. These devices include,
• • MP3 players (e.g., iPods)
  • Thumb drives
  • USB-connected magnetic storage systems (hard drives)
  • CD-ROM or DVD drives
  • Floppy drives
  • Digital cameras

As we’ll see in future sections, where you allow data to reside in many ways dictates how certain controls are implemented and managed.