Avatar

An advert from Byte magazine dating from July 1980 proudly offers a 10MB hard disk drive for only US$3495. Accounting for the effects of inflation, that equates to approximately US$10,000 in today’s prices. If data storage prices had remained constant, this would mean that the 1GB flash drive in my pocket would cost in excess of US$1,000,000, with possibly a price premium for small size and portability. In fact, it cost me about US$10, evidence of the continuing drop in the price of electronic storage media in terms of price by stored byte. The amount of storage that can be acquired for a given cost has roughly doubled every 14 months since 1980 [1]. There is nothing to suggest that this trend won’t continue for the foreseeable future. We can look forward to larger and larger data storage devices at cheaper cost. But what are the implications of this trend for security professionals?

I am sure that every file on the 1980 hard disk was stored for a clear reason that was almost certainly known to the system administrator. Superfluous files that had not been accessed in a long time would have been cleared out to free up precious storage space for files that needed to be on the hard disk. I’m equally sure that I have no idea what it stored on my 1GB flash drive, and that there are certainly files stored on the device that I shall never access again, but which might come in handy at some point in the future. The stability of modern storage media means that these files will probably still be accessible many years in the future. This wasn’t an assertion that could have been made regarding the storage media of the early 80’s. The ubiquity, cheapness and stability of modern data storage means that it is easy for users to store information for far longer than it is required, which entails its own risks.

Just because a file is no longer actively accessed does not mean that the data in the file is without value. The Financial Times reported that attackers had stolen personal data collected from a competition in 2001 during the Sony PlayStation Network Hack in 2011[2]. If storage had remained at 1980 prices, it is unlikely that such old data would have been retained since it had served its purpose and after ten years much of the information would no longer be accurate. Nevertheless the data was kept and proved to be especially valuable since the theft, along with other data, lead to a £250 000 fine [3].

Security professionals need to be aware of the types of data that may be kept simply because it is cheap to do so, but which require a high degree of protection against unauthorized access. Cheap and easily available storage devices may hide other costs associated with storing data, such as the need to maintain security and to ensure only authorized users access the data.

Cheap storage is one of the forces fueling the growth of big data. Storing vast amounts of data in a format that permits indexing and analysis allows patterns and trends to be identified that can be used to improve services. This is certainly applicable to security, where logging data from networked devices can be aggregated and analyzed to identify and remediate threats as soon as they appear on a network.

Although each small piece of information in a big data system may be meaningless, when aggregated together with many other pieces of information these may become valuable, and may become the platform from which future corporate innovation is created. As such, security professionals need to be aware of the value held in these systems and to ensure their protection against attack, as well as against the loss of data, both intentional and accidental.

Cost per byte of storage will almost certainly keep decreasing for the foreseeable future. Network and security professionals are ideally situated to take advantage of the possibilities that this brings, but we also need to be aware of the hidden costs. The costs of securing stored data need to factored into any project that stores information for long periods. In many cases, it might be cheaper and easier to take the decision not to retain some information. The best option might just be to think like the administrator of a 10MB hard disk and to delete that which you don’t actively need.

References
[1] “A History of Storage Cost.”, M. Komorowski.
http://www.mkomo.com/cost-per-gigabyte
[2] “Sony takes stolen user data off the internet”, Financial Times, 8th May 2011.
http://www.ft.com/intl/cms/s/2/75a28780-78bc-11e0-b655-00144feabdc0.html#axzz1LrWLd6fE
[3] “Sony coughs up £250K ICO fine after security fears”, The Register, 17th July 2013.
http://www.theregister.co.uk/2013/07/17/sony_ico_fine_accepted/



Authors

Martin Lee

EMEA Lead, Strategic Planning & Communications

Cisco Talos