Almost all blogs, articles and papers on security start with fear mongering. They typically rattle off a list of the bad things that could or will happen if you do not have the right security. Yes, we all know that there are a lot of regulatory, legal, financial and business reasons for securing your data. At Emulex, we do not even have to make the business case for security, as others will do that for us, including the media, the U.S. Congress, state assemblies, the European Union, the Securities and Exchange Commission and a long list of other alphabet soup administrations. The key question is not whether you will secure your data, but how you will secure your data with minimum time, money and fuss.
As you may have noticed, the title of this blog is “Security Shouldn’t Be Scary. It’s like Going to the Dentist.” It sounds contradictory, but it isn’t really. If you brush your teeth, floss and see the dentist on a regular basis, the visits are usually simple and painless. It is only when you ignore these simple rules that these trips to the chair become unpleasant. The same is true of security. If you have a plan, educate the users and are consistent in your security model, it will be simple and painless. You may be thinking, “That’s all well and good, but how do I make storage security simple and painless?” Here are eight major ways:
1. Have an Audit Plan in Place before You Start – You cannot make security simple and painless unless you know what is being secured, how it needs to be accessed, how it needs to be reported, who needs access and who needs to validate the integrity of the data. You need to have your audit plan in place before you start the security process, as it will make sure you have the right tools, reporting, tracking and access control mechanisms in place.
2. Reach Across the Aisle – Every book that explains how to be a good IT leader talks about involving the business side of the house in planning projects. This is never more relevant than when you are implementing security. As I mentioned, I don’t want to discuss the typical scare tactics in this blog, but security affects the entire organization. Just like with e-mail, everyone needs to use it, everyone will be affected and everyone needs to know the rules.
3. Keep the Cost Down – When it comes to storage security, there are three basic implementation models: host-based (host bus adapters [HBAs] and software), network-based (switch blades or appliances) or at-rest device-based encryption (disk or tape). When it comes to keeping the cost of storage encryption down, host-based encryption has proven to be the most cost-effective and has the added benefit of supporting the best practice of doing encryption at the host. For more details, check out our Security Cost Calculator here: http://bit.ly/2VqHQt

4. Offload Encryption from the Host CPU – When it comes to encryption, IT managers do not want to impact service-level agreements (SLAs) and application performance. This is why using a technology, such as an encryption HBA with hardware-based encryption, to take the encryption overhead off the CPU is vital to a solid security plan. This typically rules out software-based encryption since it will use up CPU resources and impact application performance.
5. Perform Encryption at the Source – One of the most often quoted best practices of security is to do it at the source. Why? So the data in question is always encrypted. This is one of the reasons that software-based encryption has been popular, but the overhead and cost do not make it painless and simple.

6. Use a Proven Key Management System, Like RSA – Key management may be the most important element of making security simple and painless. The management of keys is complex and requires a well-conceived plan for dealing with policies, mobility and access control. RSA is our partner for this task, and they help make implementing storage security a low-impact process for your organization.
7. Make Sure It Works with Your Virtual Machines – Server virtualization adds a new level of security challenge to the process. You need to ensure that your key management and storage infrastructure are able to support the right access and key management functions to make virtual machines (VMs) and their data secure and safe with minimal overhead.
8. Trust…but Verify – We started this list with the need for an audit plan, but now it is time to test the plan and make sure your security plan will pass muster and keep you in line with the requirements of your business.
Some of these points are obvious and are common sense, but some will provoke further thought and discussion. Over the next year, we will delve into each of these areas in future blogs. So, what can we do to help you eliminate your fears?