Are your storage resources (and data) really secure?

Maybe we just live in paranoid times, but security has once again become a top concern in many IT organizations. In a recent survey conducted by International Data Corp., security ranked number two (behind uptime) among the top issues for IT managers. However, unlike in the past, IT administrators are now focusing all the way down (up?) to the storage level.

Although partly due to world events, increased attention on storage security results from increased deployment of storage networks, which introduce many more "points of entry" than did direct-attached storage configurations. Physical security, access controls, and techniques such as zoning and LUN masking are no longer enough.

Security hype often revolves around malicious hackers, viruses, or cyber-terrorism, but analysts estimate that more than 50% of all security attacks or breaches are internal.

Building an ironclad security infrastructure requires the cooperation of all IT groups—server, software, network, storage, etc. The combination of storage networks and the overall need for greater security should go a long way in getting the once-warring TCP/IP Titans and SCSI Spartans to work together.

Jim Cates, CIO at Brocade, says that there are five "levels" of security that he addresses in his "defense-in-depth" strategy:

  • IP networks (firewalls, etc.)
  • Applications (authentication, etc.)
  • Servers
  • Fabrics
  • Static data encryption (data "at rest"). This is a relatively new area that is being addressed by vendors such as Decru, Kasten Chase, NeoScale, and Vormetric. Encryption at the storage device level ensures that even if data is accessed or stolen it can't be read.

Of course, there's a price to pay for this level of security. Most encryption devices sit in the data path, which can lead to latencies that negatively affect performance (although vendors claim that they can mitigate this with cache). And the encryption products aren't cheap.

Before you shell out big bucks, do some in-depth analysis. First comes threat analysis. (What are the possible sources of security attacks? What existing measures have been taken to counter possible attacks? And, perhaps most importantly, what will it cost your company if data is stolen or corrupted?)

Next comes cost analysis. (How much will it cost to deploy encryption devices? Bear in mind that you'll probably have to install the devices in redundant pairs.) And, finally, perform a return on investment (ROI) analysis to see if it's worth the expense.

If you're not sure whether you need storage security, read "Why you need (more) storage security," by Nancy Marrone, in the April 2003 issue of InfoStor, p. 40. Also check out senior editor Lisa Coleman's cover story in this issue: "Storage security gains users' attention."

Another good source is the Storage Networking Industry Association's Website, www.snia.org. SNIA has formed a Storage Security Industry Forum (SSIF) that, among other goals, plans to provide a channel of communication between end users and vendors for security-related issues.

Dave Simpson,

This article was originally published on May 01, 2003