
Securing Storage: A Practical Guide to SAN and NAS Security


About

Features

  • Examines storage strengths and weaknesses, describes security concerns and considerations, and identifies ways to implement and design more secure storage systems
  • Recent regulations have highlighted data protection as an overarching issue for storage
  • Himanshu Dwivedi is a thought leader and seasoned industry speaker in the emerging field of storage security.

Description

  • Copyright 2006
  • Dimensions: 7x9-1/4
  • Pages: 560
  • Edition: 1st
  • Book
  • ISBN-10: 0-321-34995-4
  • ISBN-13: 978-0-321-34995-8

The security of stored data, as several recent high-profile cases have shown, is weak. It is only a question of time before courts begin requiring more thorough measures; users and courts want data security. This book not only helps IT meet those growing needs, but shows vendors where they need to improve. Regulations have highlighted the overarching issue of data protection. Data, whether financial data, non-public private information, or medical data, needs to be protected from unauthorized external and internal entities at all times. Much valuable data (e.g., customer and patient data) spends most of its lifetime in a storage device, not on computers, servers, or networks. Local failures and outside intruders can change, destroy, or compromise stored data even if the main network is secure: storage requires its own security. This book is a must-read for IT personnel responsible for data security and for security consultants who perform compliance audits at companies that use storage devices.

Table of Contents

Preface.

Acknowledgments.

About the Author.

 1. Introduction to Storage Security.

I. SAN SECURITY.

 2. SANs: Fibre Channel Security.

 3. SANs: LUN Masking and HBA.

 4. SANs: Zone and Switch Security.

II. NAS SECURITY.

 5. NAS Security.

 6. NAS: CIFS Security.

 7. NAS: NFS Security.

III. ISCSI SECURITY.

 8. SANs: iSCSI Security.

IV. STORAGE DEFENSES.

 9. Securing Fibre Channel SANs.

10. Securing NAS.

11. Securing iSCSI.

V. SAN/NAS POLICIES, TRENDS, AND CASE STUDIES.

12. Compliance, Regulations, and Storage.

13. Auditing and Securing Storage Devices.

14. Storage Security Case Studies.

Index.

Preface

Storage security is the two-ton secret in your data center. It is the big white elephant that you walk by every day: you can see it from your desktop, you look for it on your servers, and you even rest your coffee mug on it every now and then. Despite the fact that the elephant is very large, heavy (two tons), albino (white), and sitting in the middle of the data center, it is the dirty little secret that no one speaks about. So why do people ignore such a large entity that can significantly damage their enterprise? The answers, as well as the solutions, are addressed in this book.

The storage industry is missing the mark in terms of security, data protection, availability, integrity, and compliance. The absence of security in storage makes it an open target for unauthorized access and data compromise. Today the most prominent security control protecting storage networks is the lack of knowledge most attackers have about the technology. Lack of knowledge, better known as security by obscurity, never stands the test of time, as other technologies have shown once attackers turned to them: application development, voice over IP, wireless, and even electronic voting machines. Furthermore, security by obscurity never passes a governmental compliance test for data protection or integrity.

The book's primary goal is to discuss security weaknesses and acceptable solutions for Storage Area Networks (SANs) and Network Attached Storage (NAS). The book will discuss the mechanisms to evaluate your own storage network, design security into storage networks, and implement security settings on common storage devices. The book will also cover the standard practices for securing storage by discussing strategies that will minimize security weaknesses in SAN and NAS architectures.

Before we dive deeper, let's define storage security for a moment. Security can be applied to many things, such as hosts, devices, networks, and communication media. It can also be applied in several ways: encryption, access controls, authentication, checksums, logging, or dedicated products. Similarly, storage takes many forms. It can be media (tapes, CD-ROMs, disk drives, USB drives), a communications medium (Internet Protocol, Fibre Channel, iSCSI), or a network (Network Attached Storage or Storage Area Networks). Given these different descriptions, security and storage are two items that traditionally are not paired together. Storage concentrates on holding data, while security concentrates on protecting data. Nevertheless, both address the same data needs and concerns, yet they have rarely been addressed in a complementary fashion.

There are several reasons why security and storage are strangers. One incorrect assumption is that storage does not need security because security has already been addressed elsewhere in the network; unfortunately, that is not true. It often goes unnoticed that it is easier for internal attackers to compromise storage devices than applications or operating systems. For example, unlike most applications and operating systems, many storage devices do not even require authentication to get access to large volumes of data, a fact that would never pass most security audits. Furthermore, if an internal server has ever been affected by a virus or worm, the perimeter of the network is probably not as secure as the Visio diagram pictures it. The fact is that the network perimeter has disappeared with the advent of wireless networks, remote VPN users, site-to-site VPNs with business partners, back-end support connections, and internal unauthorized users such as contractors and consultants. This fact, combined with the large number of internal data heists occurring every month, makes storage a prime target for attackers. Compliance bodies have also realized that data is not adequately protected and that its integrity is at risk on the storage network.

It is often overlooked that perimeter security controls are easily subverted to gain access to hosts connected to the storage network, which then become an open gateway to it. It is also assumed that unauthorized users attack from their own machines, when in practice they attack from compromised management servers, administrator workstations, or compromised applications. Another assumption is that if any entity, such as an application data owner, can gain access to the stored data, it must have been authorized to do so; in other words, that the ability to access data equates to the authorization to access it. That is simply not true, especially for regulated data. For example, an Exchange administrator who has access to the Exchange server is not thereby authorized to read everyone's email. Likewise, the fact that unauthenticated users can connect directly to the storage network and view, copy, and delete data does not mean all users should have that authority. The assumptions also carry over to different organizational groups. Security groups are often too preoccupied with network and application attacks to fully understand the high risks of insecure storage. Additionally, the storage group's lack of an information security background, combined with its focus on performance and capacity, makes security a neglected concern. All these assumptions and group dynamics make it hard to realize that a large amount of data is sitting wide open in the storage network for anyone to compromise.

What Does It Mean to Secure Storage?

What does it mean to secure storage? For the purposes of this book, securing storage is the process of assessing, implementing, and testing security on existing SAN and NAS architectures. The book will focus on the following items:
  • How do I assess my storage network for best practices?
  • How do I test my storage network for attacks and compliance breaches?
  • How do I implement security on my storage network based on industry standards?

The book will cover three primary themes. The first theme is to provide guidance and assessment techniques for storage networks. The second theme is to provide testing procedures for SAN and NAS architectures. The third theme of this book will discuss the security solutions for each attack class and security exposure currently presented on storage networks and devices. The book will discuss many security specifications and industry standards and how they affect storage security overall.

SAN and NAS Security

Storage Area Networks (SANs) and Network Attached Storage (NAS) are two types of storage networks. SANs have been based primarily on Fibre Channel (FC), with iSCSI becoming more popular, and NAS architectures have primarily been based on IP using CIFS or NFS. Both types of storage networks have one thing in common: SANs and NAS are no longer used only for backup. They hold production data that is served directly to live applications.

Data from the storage network is presented to applications and hosts in all parts of the network, many of which do not hold a high level of security. For example, a Fibre Channel SAN may be connected to a web or database cluster that is reachable from the Internet or the internal network, allowing a single compromised web or database server to become the gateway to the SAN. If the SAN uses iSCSI, the storage device is easier still to break into: the attacker only needs a foothold on the IP network to connect to the iSCSI storage device directly, bypassing the database application and web server altogether. Furthermore, a NAS device might hold medical data (patient information) that can be accessed by authorized doctors; if that data is stored in clear-text, any system administrator can read it as well.

The need for SAN and NAS security is long overdue. This book will describe the specific implementation steps to deploy SAN and NAS security options, while also discussing the different ways to fully optimize current storage architectures. This book can also be used by organizations that have deployed a storage network and are interested in learning more ways to secure it.

Block Data Versus File Data

In order to understand security threats for storage networks, it is important to understand the differences between file-level data and block-level data. NAS storage devices support file-level data, which is the traditional type of data we are accustomed to on PC systems. NAS devices using file-level data present file systems remotely over the network. An entire file system, part of a file system, or even a single file can be presented to a remote server over the network. NFS and CIFS (SMB) are the traditional methods of deploying file-level data. SAN storage devices use block data, where a whole SCSI logical unit (LUN) is presented over the network. Unlike file-level data, block data does not present individual files, folders, or even file systems, but the entire drive (the raw blocks) itself, typically 50 to 100 gigabytes at a time in this book's era. Think of file-level data as access to a remote file system (partial or full), and think of block-level data as access to the entire hard drive (regardless of file system type) over the network. Block data is like having two or three more hard drives inside a server, except that they are presented to the server over the network using iSCSI or Fibre Channel rather than installed inside the machine on IDE or SCSI ribbon cables.

The other difference between file-level and block-level data is that file-level access (NAS devices) supports multiple systems and block-level access usually does not. Multiple machines or users can access the same remote file system over NFS or CIFS at the same time, because the NAS device owns the file system and arbitrates locking; the client needs a compatible protocol, not a compatible on-disk format. Block data, on the other hand, is not meant to have multiple systems connected to a single LUN at the same time. (Note: Some Fibre Channel and iSCSI SANs do support multiple connections to the same LUN, but it is not the default, and it is only safe with a cluster-aware file system or SCSI reservations to coordinate the hosts.) It would be difficult for a single hard drive to have two IDE or SCSI ribbon cables connected to two separate servers; similarly, a LUN does not usually have multiple servers connected to it at the same time. It is possible for multiple systems to connect to the same LUN over iSCSI or Fibre Channel, but if each one mounts an ordinary (non-cluster) file system on it, each host caches its own copy of the file system metadata and overwrites the other's changes. The result is not merely that one host loses access until the other stops using the LUN; it is corruption of the volume for both.

The key idea to understand with either file or block data is that they are both data targets that contain large amounts of data viewable to any attacker or unauthorized user. File data is what most systems are accustomed to. Block data, however, is just as valuable to an attacker (if not more) since it contains large volumes of data but in block format, which is just as easy to mount and read as file-level data but requires different mounting and reading steps.
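As an added example of what "different mounting and reading steps" means in practice (written for this edition, not code from the book), the Python below builds a small disk image in memory with a DOS/MBR partition table, parses that table the way a host would, and carves a record straight out of the partition's blocks. The image, its partition layout and the patient record are constructed; on a real host the same reads would be issued against the block device the HBA or iSCSI initiator presents. Nothing in the path consults file-system permissions, which is why a reachable LUN is such an attractive target.

```python
"""Reading a raw LUN without going through a file system.

Added example for this edition, not code from the book. The disk image,
partition layout and patient record are constructed here in memory so the
script runs offline; on a real host the same reads would target the block
device the HBA or iSCSI initiator presents (for example /dev/sdb).
"""
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446    # four 16-byte entries, then the 0x55AA boot signature


def build_image(record: bytes, start_lba: int = 2048, sectors: int = 64) -> bytes:
    """Constructed sample: an MBR with one Linux (0x83) partition holding `record`."""
    image = bytearray(SECTOR * (start_lba + sectors))
    struct.pack_into(ENTRY, image, TABLE_OFFSET, 0x00, b"\xff\xff\xff", 0x83,
                     b"\xff\xff\xff", start_lba, sectors)
    image[510:512] = b"\x55\xaa"
    # Drop the record a few sectors into the partition, as a file system would.
    offset = (start_lba + 3) * SECTOR
    image[offset:offset + len(record)] = record
    return bytes(image)


def parse_mbr(image: bytes) -> list:
    """Return the populated entries of a DOS/MBR partition table."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, image, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count})
    return parts


def carve(image: bytes, part: dict, marker: bytes, max_len: int = 256) -> list:
    """Scan a partition's raw sectors for `marker` and return each NUL-terminated
    run starting there. No file system is mounted and no ACL is consulted."""
    start = part["start_lba"] * SECTOR
    region = image[start:start + part["sectors"] * SECTOR]
    hits, pos = [], region.find(marker)
    while pos != -1:
        hits.append(region[pos:pos + max_len].split(b"\x00", 1)[0])
        pos = region.find(marker, pos + 1)
    return hits


if __name__ == "__main__":
    img = build_image(b"PATIENT:Jane Doe;MRN:000123;DX:constructed sample")
    for p in parse_mbr(img):
        print("partition %d type 0x%02x lba %d..%d" % (
            p["index"], p["type"], p["start_lba"], p["start_lba"] + p["sectors"] - 1))
        for hit in carve(img, p, b"PATIENT:"):
            print("  carved:", hit.decode())
```

The two steps mirror what an attacker with a mapped LUN does: read the partition table to find where the data lives, then read the data. Zoning and LUN masking (discussed in Chapters 3 and 4) are what keep an unauthorized host from being presented the blocks in the first place.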

Why Storage Security?

The necessity for storage security is similar to the need for security on any other high-value asset in your organization. For example, patching utilities and anti-virus applications are popular not only for the protection they provide (although that is an important benefit) but for their ability to improve the uptime and availability of computer systems and networks and the integrity of data. Similarly, an unavailable storage network or a loss of data integrity, either of which would leave an organization in a state of disarray, has a much bigger impact than an infected laptop or an offline application. A good example is the Sasser worm released in 2004, which exploited a buffer overflow in the Windows LSASS service (MS04-011). Although the worm was aimed at Windows, many storage devices that speak Windows protocols, such as CIFS/SMB, were also affected, which essentially made the storage device unusable until a full system reboot and patch. The risk of data being unavailable, corrupted, abused, or even deleted will cause tremendous financial harm and storage downtime for many organizations. Furthermore, the regulatory issues that involve storage networks are confusing at best, requiring a resource to guide everyone through the process.

This book's primary attraction is its ability to discuss, demonstrate, and prioritize the storage security issues that every organization faces. The book does not hide behind high-level or abstract language that fails to provide details; it provides an abundance of security detail so that readers can finally understand what the real issues are with storage security and assess the risk for themselves. The book also provides the details needed to distinguish high-risk/high-impact issues from low-risk/nominal-impact ones.

A key purpose for the book is to provide a clear understanding of the technology. Storage security is a relatively new industry and can be an overwhelming topic. Several years ago when I began researching storage and security, there were no storage security products, web sites, or whitepapers about storage security. There were only a few people willing to talk to me about the seriousness of storage security. Years later, there is not only an entire industry on securing storage, with large companies like Symantec and Veritas merging together, but with its new popularity, there is a lot more confusion.

The need to secure storage is important on many levels. From a security perspective, many organizations (and their security departments), are not aware of the data protection issues surrounding storage. From the storage perspective, many storage administrators are unaware of the security issues that will affect system uptime and data availability.

Another reason storage security is needed is ease of comprehension. Many sources discuss attack classes in storage, but few actually describe the resulting risk exposure. A key goal of this book is not to force arbitrary risk levels on your organization, but to describe the threat vectors and attack surface in detail and allow readers to deduce their own risk from the outcomes of these possible attacks. Readers will find that security attacks do not change so much as get modified and improved (just like viruses and worms). History has shown that the attack classes that affected networks in the 1990s also affected applications in the 2000s. Similarly, the same attack classes, such as segmentation weaknesses, poor session maintenance, and poor authentication, also affect storage networks. The difference is that a successful attack on storage equates to data loss or outright compromise.

By the end of this book, the reader will have a very detailed guide to securing storage and understanding attacks against it.

Regulations and Storage

Regulatory issues facing storage have created significant legal issues for many financial, e-commerce, and medical organizations. New acts and policies such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), SEC Rule 17a-4, DoD (Department of Defense) 5015.2, and California's SB1386 (Senate Bill 1386) are making a sizable impact on how stored data must be protected from unauthorized users, even when those unauthorized users are not hackers but internal employees. Furthermore, as internal audit groups and external IT auditors begin to understand that sensitive data resides in the storage network and devices (as opposed to servers or desktops), the focus will shift away from operating system security toward storage networking security.

Government regulations primarily focus on security controls and auditing practices. A key issue for many storage networks, devices, and protocols is their lack of any security controls to protect data at rest or in flight. Additionally, government regulations do not distinguish between controls against outside attackers and controls against malicious internal employees. The fact that data is easier to compromise on a storage filer than on an operating system only adds to the storage security problem.

Regulations have highlighted the overarching issue of data protection. Data, whether it is financial data, non-public private information, or medical data, needs to be protected from unauthorized external and internal entities at all times. Government regulations have only raised the profile of concerns that have existed since the first SAN or NAS network.

Best-Practice Benefits

Parts of certain chapters in this book are solely dedicated to best practices. Best practices are important in order to understand standard methods of secure deployment; however, they should not be used as inflexible guidelines. Implementation of security standards and practices will depend on the details and specifics of a storage network.

Best practices can be best described as items that are a prerequisite in order to deploy an acceptable amount of security in any given entity. Some of the sample best practices to secure storage are as follows:

  • High-level architecture (defense in depth)
  • Multi-layer architecture
  • Authentication with authorization
  • Encryption
  • Integrity
  • Auditing
  • Detailed implementation guidelines
  • Node hardening
  • Zoning
  • LUN masking
  • CT/CHAP authentication
  • SSL/TLS and IPsec encryption for data in flight
  • At-rest encryption (e.g., AES) with integrity checking (e.g., SHA-1 hashes; SHA-1 is a hash rather than a cipher, and is no longer considered collision resistant)
  • Management access
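As an added illustration of the CHAP item above and of the iSCSI attack path described earlier (an attacker on the IP network connecting straight to the target), here is the CHAP exchange that iSCSI login carries, with both sides' messages, in Python. It is example code written for this edition, not code from the book or from any iSCSI implementation; the initiator and target names, the secrets, the wordlist and the challenges are all constructed. It also shows the two caveats a practitioner wants: with one-way CHAP the initiator cannot tell a rogue target from the real one, and a guessable secret falls to an offline dictionary attack on a single sniffed exchange, which is why CHAP is paired with IPsec in the list above.

```python
"""CHAP as carried in iSCSI login keys (RFC 1994 algorithm 5, MD5).

Added example for this edition, not code from the book or any iSCSI stack.
The initiator/target names, secrets, wordlist and challenges are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

Msg = Dict[str, str]


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


def to_hex(data: bytes) -> str:
    """iSCSI sends binary CHAP values as 0x-prefixed hex text."""
    return "0x" + data.hex()


def from_hex(text: str) -> bytes:
    if not text.startswith("0x"):
        raise ValueError("expected 0x-prefixed hex, got %r" % text)
    return bytes.fromhex(text[2:])


def make_challenge() -> Tuple[Msg, int, bytes]:
    """Fresh one-byte identifier and 128-bit random challenge (never reused)."""
    chap_id, challenge = os.urandom(1)[0], os.urandom(16)
    return {"CHAP_A": "5", "CHAP_I": str(chap_id), "CHAP_C": to_hex(challenge)}, chap_id, challenge


def answer(name: str, secret: bytes, challenge_msg: Msg) -> Msg:
    """Reply proving knowledge of `secret` for the challenge just received."""
    chap_id, challenge = int(challenge_msg["CHAP_I"]), from_hex(challenge_msg["CHAP_C"])
    return {"CHAP_N": name, "CHAP_R": to_hex(chap_response(chap_id, secret, challenge))}


def check(secret: Optional[bytes], chap_id: int, challenge: bytes, reply: Msg) -> bool:
    """Verify CHAP_R with the secret held for CHAP_N, comparing in constant time."""
    if secret is None:
        return False  # unknown peer name: no secret on file
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), from_hex(reply["CHAP_R"]))


class Target:
    """Storage side: one secret per allowed initiator, plus its own secret for mutual CHAP."""

    def __init__(self, name: str, initiator_secrets: Dict[str, bytes], own_secret: bytes):
        self.name, self.initiator_secrets, self.own_secret = name, initiator_secrets, own_secret

    def verify_initiator(self, chap_id: int, challenge: bytes, reply: Msg) -> bool:
        return check(self.initiator_secrets.get(reply.get("CHAP_N", "")), chap_id, challenge, reply)

    def prove_identity(self, challenge_msg: Msg) -> Msg:
        return answer(self.name, self.own_secret, challenge_msg)


class RogueTarget(Target):
    """Impostor on the IP network: accepts any initiator, but cannot answer a
    mutual-CHAP challenge because it does not hold the real target's secret."""

    def __init__(self, name: str):
        super().__init__(name, {}, b"not-the-real-target-secret")

    def verify_initiator(self, chap_id: int, challenge: bytes, reply: Msg) -> bool:
        return True


class Initiator:
    def __init__(self, name: str, secret: bytes, target_secret: bytes):
        self.name, self.secret, self.target_secret = name, secret, target_secret


def login(initiator: Initiator, target: Target, mutual: bool = True) -> bool:
    """Run the exchange; True only when every verification passes."""
    t_msg, t_id, t_chal = make_challenge()                    # target -> initiator
    reply = answer(initiator.name, initiator.secret, t_msg)   # initiator -> target
    if not target.verify_initiator(t_id, t_chal, reply):
        return False
    if not mutual:
        return True  # one-way CHAP: the initiator never learns who it is talking to
    i_msg, i_id, i_chal = make_challenge()                    # initiator -> target
    return check(initiator.target_secret, i_id, i_chal, target.prove_identity(i_msg))


def crack_captured(chap_id: int, challenge: bytes, response: bytes,
                   wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one sniffed exchange. A long random secret
    survives this; a human-chosen one does not, hence CHAP plus IPsec."""
    for candidate in wordlist:
        if chap_response(chap_id, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    SAN, HOST = "iqn.2006-01.com.example:san1", "iqn.2006-01.com.example:host1"
    target = Target(SAN, {HOST: b"Pa55w0rd"}, os.urandom(16))
    host = Initiator(HOST, b"Pa55w0rd", target.own_secret)
    print("mutual CHAP against real target:", login(host, target))
    print("one-way CHAP against rogue target (undetected):", login(host, RogueTarget(SAN), mutual=False))
    print("mutual CHAP against rogue target:", login(host, RogueTarget(SAN)))
    msg, cid, chal = make_challenge()
    sniffed = answer(HOST, b"Pa55w0rd", msg)   # what a sniffer on the IP network sees
    print("cracked secret:", crack_captured(cid, chal, from_hex(sniffed["CHAP_R"]), [b"password", b"Pa55w0rd"]))
```

Two design points carry over to a real deployment: enable mutual (bidirectional) CHAP so the initiator also authenticates the target, and generate secrets as long random strings rather than passwords, since the challenge and response cross the wire in the clear and an attacker who can reach the iSCSI target can also usually sniff the segment.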

Who Should Read This Book

This book targets individuals who are responsible for IT infrastructure. Examples of these individuals are IT managers, storage administrators, network designers, architects, and engineers who want to evaluate security in storage architectures. It will also serve the needs of security consultants, engineers, architects, managers, auditors, trainers, and technical marketing managers who want to update their backgrounds in storage security.

The book is targeted toward readers who want to learn the common "how-tos" of securing storage. Readers requiring an essential reference guide can use the book as their primary resource. Generally speaking, this book is targeted for three types of individuals:

  • Individuals who are interested in establishing or expanding their knowledge of securing storage
  • Individuals who are interested in learning how to assess and audit their own storage networks
  • Individuals who are looking for best practices or new strategies for storage security

The book's audience will range from novice readers who are looking for the basics behind storage architectures, networking, and LANs, to moderately skilled administrators looking to gain information on Fibre Channel communication, iSCSI, and Internet Protocol.

Readers will benefit from the book in several different ways. First, readers will be able to remove the confusion from securing storage. Readers will be able to qualify the risk of their storage network with a clear description of the security issues in storage. Readers will also learn the security principles for designing, testing, and evaluating storage networks. Several chapters have hands-on self-assessment steps for critical security threats and vulnerabilities. Additionally, best practices security measures are discussed in the context of data availability, integrity, and compliance requirements. Finally, readers will understand the security concerns for storage and be able to determine the impact of each issue.

This book will provide readers with the data center's guide to analyzing, testing, and implementing SAN and NAS security. This book will cover common "how-tos," provide the all-essential "reference steps," and provide recommendations for storage security best practices.

The book is not necessarily meant to be read from start to finish, but can instead be used as a quick reference, where individual chapters are self-supporting without knowledge of prior chapters. For example, a reader who needs to understand how to secure a Brocade Fibre Channel switch can turn directly to Chapter 4, "SANs: Zone and Switch Security." The book can provide insight for the following types of individuals:

  • Individuals interested in a practical method to secure SAN and NAS networks
  • Individuals interested in assessing the security of their existing SAN and NAS networks
  • Individuals interested in testing the security of their existing SAN and NAS networks
  • Individuals interested in expanding their security knowledge on emerging storage technologies, such as encryption, authentication, and management
  • Individuals interested in understanding how governmental regulations and compliance requirements affect storage

How This Book Is Organized

This book is organized into five parts consisting of fourteen chapters that include details on SAN security, NAS security, iSCSI security, storage defenses, policies, trends, and case studies.

The first three parts discuss core issues with SAN and NAS security, attacks against SAN and NAS devices, and SAN and NAS security solutions. These chapters target some of the most important topics in securing storage, as well as testing procedures for each attack class.

Chapter 1 begins with an overview of storage security, covering its basic premise, the problems encountered, typical uses, and future trends. Additionally, an overview of security and storage standards is discussed.

Chapters 2 through 4 discuss SAN security risks, including weaknesses of Fibre Channel (FC) and adjoining devices, such as switches and host-bus adapters (HBAs). Additionally, these chapters discuss SAN attacks, self-assessment steps (which allow readers to perform checks against their storage architecture), and mitigating solutions.

Chapters 5 through 7 are similar to Chapters 2 through 4, but focus on NAS architectures instead of SANs. Chapter 5 discusses the risks associated with NAS storage devices using IP protocols such as NFS and CIFS.

Chapters 6 and 7 discuss CIFS and NFS security issues, attacks, self-assessment steps, and mitigating solutions for storage architectures.

Chapter 8 discusses iSCSI security, including an overview of iSCSI communication, risks associated with iSCSI storage devices, and a discussion of the iSCSI attacks.

Part Four of the book focuses on storage defenses. Chapter 9 discusses securing Fibre Channel SANs, Chapter 10 discusses securing NFS/CIFS NAS, and Chapter 11 discusses the methods to secure iSCSI SANs. These chapters concentrate on taking existing storage devices and hardening them with their own built-in controls. Part Five shifts focus from SAN and NAS security risks and attacks to larger storage security issues, such as emerging security technologies, regulations, and case studies. These three chapters discuss security from the adherence perspective, both governmental and best practice. Chapter 12 discusses some of the major governmental policies that affect storage architectures. Chapter 13 discusses how to audit your storage network against governmental compliance requirements and security best practices. Finally, Chapter 14 discusses real-world case studies in storage environments, with examples of SAN and NAS architectures that achieve the optimal balance of security and functionality.

How This Book Is Written

The book addresses securing storage from a technology perspective. It does not discuss the written policies and procedures that should be in place, nor the human processes of security as they pertain to storage. Nor does it discuss storage security only at a high level; it specifically discusses how storage systems, networks, and protocols are affected by security. The key difference this book offers is that it does not generically say storage has security problems and gloss over the details, but starts with the details first.

The book discusses the security weaknesses, threats, exploits, and attacks of storage systems, networks, and technologies in Chapters 2 through 8. After the discussion is complete, the book discusses the mitigating solutions of each prior attack identified in Chapters 9 through 14. The reason for a deep discussion of the attacks is because it is very difficult to discuss solutions only without any context of the problem. Although some vendors will not appreciate the fact that this book exposes problems, it is not written to embarrass any vendor or to prevent end-users from adopting storage devices, but instead to show organizations why certain security mitigations and solutions need to be in place when deploying a storage network. For example, after a virus infects a user's machine, it is easier to discuss why anti-virus software and host hardening procedures are very important items. The same idea applies to storage. Organizations will understand why taking active steps to secure storage is important after reviewing the attacks in Fibre Channel, iSCSI, CIFS, and NFS.

The book attempts to classify the risk of each identified problem; however, that discussion is limited, because risk is best measured against specific scenarios rather than generic examples. Many attacks shown in this book can be classified as low risk, but they are still discussed to expose the reader to the security problem. Conversely, many attacks shown in the book are high risk and are shown to their full extent and in detail.

The book is not vendor specific, but rather protocol specific (Fibre Channel and iSCSI for SANs and NFS and CIFS for IP NAS).

The book holds storage systems, networks, and protocols to the same standard of security as operating systems, wireless networks, and application security. Storage security strengths are discussed to show the reader the positive security aspects of storage; however, it also shows failed or poor security attempts in storage systems, networks, and protocols. The book does not give storage devices/networks any "breaks" since it is an emerging technology. Any system and/or network that controls a large portion of an organization's data must be held to the same high security standard expected from operating system vendors or even application product vendors.

Finally, the book is written in the context of full disclosure. The goal is to allow each reader to receive enough information to read, perform, and analyze each security problem and each discussion about the mitigating solution. This model should allow the reader to make risk acceptability decisions based on their own storage environment.

Index

Download the Index file related to this title.

Updates

Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account. We reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor).
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law.
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law.
  • In connection with the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice.
  • To investigate or address actual or suspected fraud or other illegal activities.
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract.
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice.
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020