By Kevin Komiega
Strict regulations for data retention and the rise of information lifecycle management (ILM) strategies are causing more and more interaction between storage and security in many IT organizations. This trend, according to a study from research firm TheInfoPro (TIP) (www.theinfopro.net), has spawned new concerns among end users over internal data security versus common external threats to network security.
TIP’s latest round of IT user surveys, dubbed “Information Security Wave 6,” indicates that 77% of those polled consider internal data security threats to be of greater or equal importance to external vulnerabilities (see figure). Couple that with the fact that 56% of the respondents believe storage implementations are increasingly affecting security decisions, and 67% believe that security implementations are impacting the storage infrastructure (see figure, below), and you have a huge overlap in priorities between enterprise storage and security teams.
TheInfoPro’s security research is based on semi-annual interviews with more than 250 IT professionals at Fortune 1000 and mid-sized enterprises in North America.
“There are a couple of major trends we have seen in our latest study that have been building over the past two years. There is much more of a shift toward dealing with internal network security vulnerabilities vs. external security threats,” says Robert Stevenson, managing director for storage research at TheInfoPro. “There has also been a growing interest in securing data at rest vs. data in transit.”
But despite the overlap in priorities, storage professionals still believe security is someone else’s responsibility and are barely beginning to evaluate storage-specific security products.
“On the storage side we saw that unless the company was a healthcare, pharmaceutical, or financial institution they were somewhat dismissive about storage security technologies,” says Stevenson. He adds that storage professionals tend to think storage security is the responsibility of the security team and should be added at the application layer. “People, for the most part, tend to push security responsibilities on other people,” he says.
A lack of awareness or action around storage security is also evident when you look at how IT shops are allocating their budgets. For example, 85% of the respondents in TIP’s survey plan to spend less than 10% of their storage budget on security technologies (with about half of those spending less than 5%).
Several problems arise when storage and security teams start rubbing elbows in the data center. For example, storage and security teams are battling each other for budget dollars; most storage professionals believe that security is something that vendors have to build into their products; and storage teams are not training storage security experts within their groups, according to Stevenson.
But there is hope. Storage-specific security products are trickling into the market and some are beginning to address internal data security issues that are not addressed by the Fibre Channel protocol itself.
Stevenson says there are a variety of security vulnerabilities inherent to the Fibre Channel protocol. “Developers ignored many basic security protocols because they envisioned Fibre Channel SANs as closed environments that would not be accessible to anyone outside of the internal data-center team,” says Stevenson. However, he adds that standards bodies are addressing some of the security issues with the Fibre Channel protocol.
Savvy security and storage professionals have begun to look beyond the external security provided by products such as firewalls and intrusion protection tools to shore up internal data security.
“The technologies that are best-suited to address internal storage security are data encryption, strong user authentication, and identity management,” says Henry Nissenbaum, TheInfoPro’s managing director for security research (see figure).
Strong user-authentication tools verify that a user is who he or she claims to be, and identity management is the process of granting access rights to applications, systems, and data.
As technologies evolve, so will the organizational structure in many enterprises. Nissenbaum and Stevenson predict that storage security experts will eventually start appearing as ILM permeates IT organizations and augments their responsibilities.
“The storage team is moving up the stack in terms of being responsible for more records and document management and application knowledge,” says Stevenson. “As the ILM message starts spreading, so will storage security.”
Most of today’s storage security products have taken the form of purpose-built appliances that reside in the SAN fabric and provide wire-speed encryption, access controls, and authentication. These products include Decru’s DataFort appliance, NeoScale Systems’ CryptoStor, the Assurency SecureData appliance from Kasten Chase, and Nexsan Technologies’ Assureon security appliance.
However, despite the plethora of appliance choices, only about 6% of the respondents in the TIP survey currently use storage security appliances, although another 14% plan to deploy security appliances this year. About 41% of the respondents have no plans for storage security appliances.
When asked which vendors they were using, or planning to use, for securing storage, the top four were Network Appliance (which acquired Decru), EMC, Symantec, and NeoScale.
To join the TIP Peer Benchmarking Network, go to www.theinfopro.net/pn.html.