Beyond treatment of symptoms
A robust data protection strategy must go beyond treating symptoms and address the underlying vulnerabilities. The key question is: where is the best place to defend the enterprise infrastructure? The network is the common denominator. It is also the most likely route for an attack, since most data loss occurs over the network. The network is therefore where an end-to-end security infrastructure can best be established, and a robust data protection strategy should focus on protecting data on the network.
A customer once mentioned to me, "If encryption was free, I would deploy it everywhere, but since it isn't, we need to strategically architect it into the right places and expand encryption when it makes sense."
The foundation of a data defensible architecture
The network's boundaries are disappearing and the number of vulnerabilities is rising. At the same time, the network's complexity is increasing as more demands are placed on it. Today's corporate networks include storage networks, virtual networks, third-party networks, and wireless networks. How does the enterprise build a data defensible architecture that will protect valuable data on this ever-evolving network?
Forward-looking organizations are recognizing that end-to-end encryption must be the foundation of protecting the company's valuable data. Indeed, at some point everything will be encrypted—the question is not if but when. Let's look at how data can be secured on unprotected networks and what specific solutions exist to build a data defensible architecture.
Protecting the network: IPsec
An excellent foundation for a secure network is to protect data packets from their source to their destination. Given that a large share of security attacks originate inside the network perimeter, encrypting data as it travels across the core network, as well as on its way to remote sites, becomes the most effective defense against unauthorized access to that data.
IP Security (IPsec), defined by the Internet Engineering Task Force (IETF), is the accepted standard for protecting data in transit over an untrusted network. RFC 3723 (Securing Block Storage Protocols over IP) mandates it for the block-based storage protocols iSCSI, iFCP and FCIP. IPsec provides three security services: confidentiality, authentication and integrity.
- Confidentiality: Keeping the data secret. IPsec encrypts packet payloads with standard algorithms (AES or 3DES) so that unauthorized parties on the path cannot read them. AES is the choice for new deployments; 3DES is slow and no longer recommended.
- Authentication: Trusting the source. The identity of the peer is proven during IKE key negotiation (with pre-shared keys or certificates), and every subsequent packet carries an integrity check value computed with a key that only the two peers hold, so the receiver knows which peer sent it.
- Integrity: Trusting the data. IPsec uses keyed hashes (HMACs, historically built on SHA-1 or MD5 and today on SHA-2, or an authenticated cipher such as AES-GCM) to compute a per-packet integrity check value. Strictly speaking this is a message authentication code rather than a digital signature, since both peers share the key; it ensures the data has not been altered in transit, and together with IPsec's sequence numbers it also defeats replay of captured packets.
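The three services above in working code, as an added example that is not part of the original article and not the code of any IPsec product: a Go program (standard library only) that builds one ESP-style packet with AES-CBC plus a truncated HMAC-SHA-256 integrity check value, and a receiver that verifies the ICV in constant time, enforces the RFC 4303 anti-replay window and only then decrypts. The keys, the SPI value, the payload and the simplified padding trailer are constructed for the example; a real security association gets its keys from IKE and uses the exact ESP packet layout, which this sketch does not reproduce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed keys for this example; on a real SA both are negotiated by IKE, never
// written into code. ICV length per RFC 4868 (HMAC-SHA-256-128), window per RFC 4303.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var authKey = []byte("hmac-sha256-key-for-this-example")
var aesBlock, _ = aes.NewCipher(encKey) // key length is fixed above, so no error
const icvLen, window = 16, 64
func icv(body []byte) []byte {
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return mac.Sum(nil)[:icvLen]
}

// protect builds one ESP-like packet: SPI || seq || IV || ciphertext || ICV. Encrypt-then-MAC:
// the ICV covers every byte before it, so a receiver rejects a modified packet before decrypting.
func protect(seq uint32, payload []byte) ([]byte, error) {
	pad := aes.BlockSize - len(payload)%aes.BlockSize // simplified ESP trailer
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(aesBlock, iv).CryptBlocks(ct, padded)
	pkt := make([]byte, 8, 8+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], 0x1000) // SPI of the assumed SA
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(append(pkt, iv...), ct...)
	return append(pkt, icv(pkt)...), nil
}

// Receiver holds the RFC 4303 anti-replay state: bit i of bitmap set means seq lastSeq-i was accepted.
type Receiver struct {
	lastSeq uint32
	bitmap  uint64
}

// checkReplay runs only after the ICV verified, so a forged sequence number cannot move the window.
func (r *Receiver) checkReplay(seq uint32) error {
	switch {
	case seq > r.lastSeq: // newest so far: slide the window forward
		r.bitmap = r.bitmap<<(seq-r.lastSeq) | 1 // a shift of 64 or more yields 0 in Go
		r.lastSeq = seq
	case seq == 0 || r.lastSeq-seq >= window:
		return errors.New("outside the replay window")
	default: // inside the window: accept at most once
		bit := uint64(1) << (r.lastSeq - seq)
		if r.bitmap&bit != 0 {
			return errors.New("replayed packet")
		}
		r.bitmap |= bit
	}
	return nil
}

// Unprotect checks integrity, then replay, then decrypts, in that order.
func (r *Receiver) Unprotect(pkt []byte) ([]byte, error) {
	if n := len(pkt) - 8 - icvLen; n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("malformed packet")
	}
	body, tag := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(tag, icv(body)) { // constant-time compare
		return nil, errors.New("integrity check failed")
	}
	if err := r.checkReplay(binary.BigEndian.Uint32(body[4:8])); err != nil {
		return nil, err
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(aesBlock, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

func main() {
	rx := &Receiver{}
	p1, _ := protect(1, []byte("replication block 0001")) // constructed payload
	pt, err := rx.Unprotect(p1)
	fmt.Printf("first delivery: %s, %v\n", pt, err)
	fmt.Println(rx.Unprotect(p1)) // same packet again: replayed packet
	p1[8+aes.BlockSize] ^= 1      // one ciphertext bit flipped in transit
	fmt.Println((&Receiver{}).Unprotect(p1)) // integrity check failed
}
```

The order inside Unprotect is the point: a packet whose ICV does not verify is dropped before its sequence number can touch the replay window and before any decryption happens, which is exactly why the keyed hash, not the cipher, is what stops an attacker inside the perimeter from injecting or replaying traffic.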
Building a data defensible architecture
There are four major areas of data protection via encryption today.
Figure 3. The four major areas of data protection via encryption
In each of these areas, companies are asking questions about securing their valuable data. Let's outline some specific solutions, building blocks of a data defensible architecture.
1. Protecting data storage
Data storage is moving at an ever-increasing pace to IP: IP-based SANs, IP-based business continuity and disaster recovery, and electronic archiving over IP to an offsite tape facility instead of shipping onsite backup tapes to an offsite location. The point of highest risk in IP-based storage is wherever the storage system touches the IP network. The following solutions protect data storage at those points.
Deploy secure data replication
Data Security Concern: Today, 25 percent of data replication is done over IP connections, and that share is growing. The replicated data is exposed as it crosses the unsecured network.
Solution: Data protection gateways at either end of the connection secure the replication channel. Because the protection is applied at the network layer, it shields the replication application from attacks originating inside the perimeter as well as outside the LAN, while preserving hot onsite failover.
Deploy secure backup
Data Security Concern: Electronic archiving to a remote tape storage site offers advantages ranging from guaranteed delivery and recoverability of the data to the elimination of lost tapes. But it also exposes the data as it travels on the network.
Solution: High-speed encryption appliances can protect backup data as it travels between storage sites. A protected continuous backup scheme costs less than secure nightly tape backups while guaranteeing secure delivery of the data to offsite storage.