Storage - Security - Company Data and Information
Last year's widely reported loss of unencrypted Bank of America backup tapes is the poster child for storage security. Records on 1.2 million customers, with personal and financial information, went missing in transit. That would have been bad enough, but unfortunately for Bank of America the account holders included a great many U.S. federal government employees, U.S. Senators among them.
The bank is not alone in its habit of sending unencrypted backup tapes hither and yon, even though the practice is potentially embarrassing and very, very costly. According to the Enterprise Strategy Group, a mere 6% of financial services firms always encrypt their backup data, while 65% say they never do, and this is one of the most highly regulated industries in the U.S. Government and healthcare are even worse: only 3% of organizations in each sector always encrypt their data. Encryption (and the key management that goes with it) to protect tape, nearline or online storage is not the only new security issue afoot.
ESG's senior analyst Jon Oltsik wrote, "Clearly, a security audit or breach can be an unpleasant eye-opening experience that leads to action. Users come face-to-face with risks and vulnerabilities and address them with the appropriate security countermeasures."
Are security issues getting worse? In January 2006, the FBI weighed in with its 2005 Computer Crime Survey, which covered more than 2,000 public and private organizations and the security incidents they experienced in 2005. The FBI reported that almost 90 percent of the surveyed organizations suffered cyber-crime incidents, with total losses of a steep $32 million. The attacks that cause the most damage are predominantly internal: data theft, unauthorized data access and service disruption by people who already hold access. Since most users with internal access do not set off bells and whistles, reducing this exposure requires new approaches to monitoring and analyzing both system and user behavior.
The growth of industry and government compliance requirements, such as TSA, SOX, PCI, HIPAA and FISMA, is placing even greater demands on storage and security. Most compliance mandates require a variety of data access controls, data protection controls and documented policies, all of which call for dialogue and alignment between storage and security professionals. Storage resources must now also account for storing and accessing the compliance evidence itself. That can include the raw data on network and system access as well as user activity within applications. This is not a few gigabytes a month; it may well consume a considerable amount of storage capacity. As internal and external auditing requirements evolve, more compliance-relevant data will have to be retained, managed and kept usable.
And the most common pitfall? Simple human error and oversight. Known vulnerabilities aside (the Windows OS alone supplies plenty), misconfigured systems and poorly maintained access privileges still account for the most visible incidents. That exposure does let "bad" employees and consultants go to town on a network; corporate espionage does happen. Yet most employee-related security breaches, and the system problems that follow them, occur in corporate environments that already have defined use policies and security countermeasures in place. The question is how organizations can detect, and best recover from, employee accidents as well as the less obvious malicious activity. Have your procedures and tools for ensuring availability been appropriately assessed and implemented?
The General Accounting Office (GAO) reported 1.5 million cyber-attacks against government facilities alone in 2003, three times the number in 2002. And in 2005, firms reported the loss or theft of more than 55 million consumer records. So what's ahead? More losses, more uncertainties, more incidents, more headlines? More identity theft, failed audits, Windows vulnerabilities and nasty botnets?
At times it looks as though the overall security situation is not getting better. Clearly greater demands are being placed on IT staff to advance "Storage & Security" capabilities. Preparing you is what this issue is all about.
EMC takes the wide view, writing about securing information throughout the information lifecycle using a comprehensive, risk-based approach.
CipherOptics presents secure IP-based storage networking, where the issue is securing data in motion.
SenSage's Scott Gordon weighs in on the advantages and data management issues surrounding Security Information Management and event log consolidation.
NeoScale's Dore Rosenblum writes about key security, a key (pardon the pun) technology for securing data storage today and into the future.
ESG's Jon Oltsik expands the discussion with a senior analyst's significant take on managing storage encryption.
These and other important articles build on the storage security theme while case studies provide real-world examples. So read the articles. Study the studies.
And be careful out there.
Aircrew Identity Verification (Ground and En Route)
Biometrics can be incorporated into aircrew and air traffic control (ATC) operations, in much the same way as the systems already described, to reduce potential threats.
Concept of Operations
Pre-Flight Aircrew Verification
Crew identities need to be positively verified through the combination of two biometrics at the Airline Flight Operations Center. Of all the biometrics available, the Steering Committee believes that iris and fingerprint could be the technologies with the greatest potential, but Technology Evaluations must be performed to test this assumption. Alternatively, speaker recognition could be used instead of fingerprint, since that biometric will also play a significant role in later in-flight identity verification. Requiring two biometrics should significantly reduce the chance of a false acceptance, that is, an impostor being identified as a legitimate crew member.
At the same time, each verified crew identity can be cross-referenced against the other legitimate crew members assigned to the flight, validated against an FAA or airline database, downloaded to the aircraft directly or onto aircrew "smart cards," and transmitted to air traffic control for in-flight verification and identification. The information downloaded should include, at a minimum:
• Identification information cross-referencing the assigned members of the flight crew and any air marshals for this specific flight.
• Identification information on the specific aircraft being used for this specific flight.
• A time stamp of when verification occurred in the Flight Lounge.
Onboard Re-verification
Crew identities should be re-verified upon boarding the aircraft by presentation of a single biometric together with the smart card. The system should verify that all crew have checked in, and it should monitor the amount of time between initial verification and aircraft check-in for discrepancies.
The focus group believes that fingerprint is most suitable for this application. The fingerprint system should be interconnected with the aircraft control system and its results should be both logged onboard the aircraft and transmitted to ATC.
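The pre-flight download and onboard re-verification steps above, as an added example that is not code from the report or from any of the vendors it mentions: a reconciliation routine that compares the verification record downloaded to the aircraft (flight, aircraft, assigned crew and air marshals, and each member's verification time stamp) against the boarding check-ins, confirms that every listed crew member checked in on the right aircraft, and flags the discrepancies the text asks the system to monitor. The crew identifiers, tail number, time stamps, severity labels and the three-hour MAX_GAP policy are assumptions; the fingerprint reader and smart-card interfaces are abstracted as two boolean fields on the check-in event.

```python
"""Reconciliation of pre-flight crew verification against onboard check-in.

Added example, not code from the report. It models the verification record
downloaded to the aircraft and the boarding check-ins, then reports the
discrepancies the concept of operations asks the system to monitor. All
identifiers, roles, time stamps and the MAX_GAP policy value are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value (not given by the source): the longest acceptable
# interval between Flight Operations Center verification and aircraft check-in.
MAX_GAP = timedelta(hours=3)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": blocks an all-clear; "medium": logged for review
    crew_id: str
    message: str


def reconcile(manifest: dict, checkins: list[dict],
              max_gap: timedelta = MAX_GAP) -> list[Finding]:
    """Compare boarding check-ins against the downloaded verification record.

    manifest: {"flight": str, "aircraft": str,
               "crew": {crew_id: {"role": str, "verified_at": ISO-8601}}}
    checkins: [{"crew_id": str, "aircraft": str, "checked_in_at": ISO-8601,
                "biometric_match": bool, "card_present": bool}, ...]
    """
    findings: list[Finding] = []
    crew = manifest["crew"]
    checked_in: set[str] = set()

    for ev in checkins:
        cid = ev["crew_id"]
        # The aircraft identity is part of the downloaded record: a check-in on
        # a different airframe is a discrepancy regardless of who presents.
        if ev["aircraft"] != manifest["aircraft"]:
            findings.append(Finding("high", cid,
                f"check-in on aircraft {ev['aircraft']}; flight is assigned to {manifest['aircraft']}"))
            continue
        # Only identities verified pre-flight for this flight are expected.
        if cid not in crew:
            findings.append(Finding("high", cid, "check-in by an identity not on the verified crew list"))
            continue
        # Single biometric plus smart card; a failed presentation is logged
        # but does not count as a check-in.
        if not (ev["card_present"] and ev["biometric_match"]):
            findings.append(Finding("high", cid, "card or biometric presentation failed"))
            continue
        if cid in checked_in:
            findings.append(Finding("medium", cid, "duplicate successful check-in"))
            continue
        checked_in.add(cid)
        # Time between Flight Operations Center verification and check-in.
        verified_at = datetime.fromisoformat(crew[cid]["verified_at"])
        checked_in_at = datetime.fromisoformat(ev["checked_in_at"])
        gap = checked_in_at - verified_at
        if gap < timedelta(0):
            findings.append(Finding("high", cid, "check-in time stamp precedes the verification time stamp"))
        elif gap > max_gap:
            findings.append(Finding("medium", cid, f"{gap} between verification and check-in exceeds policy"))

    # Everyone on the downloaded list must have checked in.
    for cid, info in crew.items():
        if cid not in checked_in:
            findings.append(Finding("high", cid, f"{info['role']} verified pre-flight but never checked in"))
    return findings


def all_crew_checked_in(manifest: dict, checkins: list[dict],
                        max_gap: timedelta = MAX_GAP) -> bool:
    """True when no high-severity discrepancy remains; medium findings are only logged."""
    return not any(f.severity == "high" for f in reconcile(manifest, checkins, max_gap))


# Constructed sample data: a fictitious flight, tail number and crew.
MANIFEST = {
    "flight": "EX101",
    "aircraft": "N000EX",
    "crew": {
        "C-001": {"role": "captain",          "verified_at": "2006-03-01T06:10:00"},
        "C-002": {"role": "first officer",    "verified_at": "2006-03-01T06:12:00"},
        "C-003": {"role": "flight attendant", "verified_at": "2006-03-01T06:15:00"},
        "M-010": {"role": "air marshal",      "verified_at": "2006-03-01T02:00:00"},
    },
}
CHECKINS = [  # constructed boarding events; C-003 never presents, X-999 is unlisted
    {"crew_id": "C-001", "aircraft": "N000EX", "checked_in_at": "2006-03-01T07:30:00", "biometric_match": True,  "card_present": True},
    {"crew_id": "C-002", "aircraft": "N000EX", "checked_in_at": "2006-03-01T07:31:00", "biometric_match": False, "card_present": True},
    {"crew_id": "M-010", "aircraft": "N000EX", "checked_in_at": "2006-03-01T07:35:00", "biometric_match": True,  "card_present": True},
    {"crew_id": "X-999", "aircraft": "N000EX", "checked_in_at": "2006-03-01T07:40:00", "biometric_match": True,  "card_present": True},
]

if __name__ == "__main__":
    for f in reconcile(MANIFEST, CHECKINS):
        print(f"[{f.severity}] {f.crew_id}: {f.message}")
    print("all clear:", all_crew_checked_in(MANIFEST, CHECKINS))
```

Run stand-alone, the sample data yields five findings: a failed presentation and a missing check-in for C-002, a missing check-in for C-003, an unlisted identity X-999, and a medium-severity time discrepancy for the air marshal verified more than three hours before boarding. A failed presentation deliberately does not count as a check-in, so a retry is not reported as a duplicate, and the person stays on the "never checked in" list until a presentation succeeds; the findings list is what the text says should be logged onboard and transmitted to ATC.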
In-flight Re-verification
In-flight re-verification of identities should occur between air traffic control and the aircrew. It should be incorporated covertly into standard air traffic control communications in the event of an alarm condition on board the aircraft. Speaker recognition was the most widely recommended option, and the U.S. Air Force has significant experience with its use.
Face recognition is also a technical possibility, but is not being recommended by the Steering Committee because of anticipated resistance by pilot unions.
Speaker verification can be performed locally in the aircraft as well as remotely at ATC, although local verification benefits from much higher quality audio, since the sample is captured before radio transmission. Local verification does, however, place the decision on the platform whose state is in question, so the result relayed to ATC should be treated as one input rather than the sole verdict.
Re-verification should also be triggered in flight by intelligent monitoring of aircraft "health" by on-board and ATC systems. NASA already provides sophisticated onboard and ground-based "health" monitoring systems that detect alarm situations indirectly by observing the actions and behavior of the crew and the state of the aircraft. Today's high-end aircraft engines already provide in-flight performance monitoring with transmission to ground-monitoring systems, and it may be possible to take advantage of systems like these for further status monitoring.