With careful planning and the proper tools, an organization can address these threats and put in place a proper security net around their data.
One of the first things a company can do is to carry out an extensive audit of all security measures in place. This should start with the SMEs physical security set-up – are the file servers and databases stored in a secure area? Is the server room adequately protected? Who has the keys or access codes to the room?
This would then by followed by an extensive audit of all hardware, software and other devices, especially laptops; their location within the building and a list of those who use or have access to this property.
When the physical aspect of storage security is addressed, administrators then need to look very carefully at how this data is accessed by employees within the organization. The next step would be to audit the privileges and file permissions given to all employees in the organization. It is often the case that employees are giving access privileges to data systems they do not need. Others change departments with the same level of access they had before. Group Policies in Active Directory are very important but they must be configured properly.
The next and final step – and often forgotten – would be to actively test the security of the storage environment. This can be done internally by the IT administrator or outsourced to third parties who will carry out penetration testing to identify flaws in the network’s security net. Although this may be an expensive exercise, it is certainly much cheaper than the cost of a security breach.
It is also good practice that during testing or at least when testing is completed, the logs of the network and storage security controls such as firewalls, IDSs and access logs are checked to see if anything was discovered and highlighted as a possible security event. Event logs are an important, but often neglected, source of security information.
Looking to the future: risk management
Now that the basic premise has been understood, that is, the company’s data is not as secure as it is believed it to be, it is time to act and continue taking action.
Apart from addressing the vulnerabilties mentioned earlier, it is important that administrators make good use of the tools that are available to address network and storage vulnerabilities. These tools can greatly reduce the time it takes an administrator to manually check for, assess and remedy any vulnerabilities, as well as provide a snapshot of the network’s security set-up. These tools should not be seen as a cost but as an investment in line with the business needs of the organization and the importance of the data the organization holds.
Recent security breaches that made the headlines revealed that these organizations had failed to enforce or implement stringent security policies with regard to how data is accessed, handled and transferred. Although security policies are important they must not be written for the sake of having a thick file that no one in the organization will ever read. Security policies are there to be enforced.
Internal communication is also important and often overlooked. Administrators need to explain in clear and simple language what each policy means and how each one is implemented throughout the organization. If security policies cover the use of portable devices, administrators should explain why certain devices are banned and not reply with a curt, ‘because I said so’. This approach is counterproductive.
Business practices change and IT is there as a function to enable business to maximize on its investment. The key is to manage these resources and manage them well!
Education is also important. Employees are not as tech savvy as the administrator is. They need to be told over and over that they should not leave their passwords written on a sticky note on their monitor. They need to understand that sharing passwords is equivalent to sharing the key to their home. And they need to understand that their actions are being monitored and that they are accountable to the company.
Something that IT administrators in SMBs need to be wary of is the false belief that once they have deployed a security product, they can put their mind at rest that the network and data is secure. Wrong. Technology alone will not protect a company’s data. Strong and enforceable security policies as well as employee and management awareness of security issues will go a long way towards improving the level of storage security in the organization.
Effective storage policies
As I said, security storage policies are important and businesses, in general, and IT administrators, in particular, must understand that they need them. Administrators should not look at policies as a time-consuming burden and realize that by helping management to understand their importance they will find it easier to obtain funding to implement changes or bring in new security systems to protect the company’s data.
Every policy must be effective, easy to understand and above everything else, enforceable without creating other problems. It is useless tightening access controls if in the end groups of employees will not be able to do their job effectively. Security policies also need to be updated regularly to take into account new threats, developments within the organization and changes in processes and or data storage requirements.
An effective storage security policy should be a dynamic document – revisited regularly and updated as per a defined schedule - and not another piece of paper gathering dust in a cupboard behind the administrator’s desk. Over and above this baseline setting, deployment of solutions allowing the admin to manage these policies will make massive steps towards achieving this target.
Storage security is more than protecting the data using technology or placing it under lock and key; it is also an exercise in people management – because it is the people who are using this data who are the great threat and weakest security link.
This post is part of the series: Protecting your most important assets
Information and data are the lifeblood of any organization. Threat vectors abound and unfortunately human behavior is often very low on the list