Vendors, users tackle storage networking security

Working with the Storage Networking Industry Association (SNIA), IT storage professionals can influence the development of security technology.

By Mark Diamond

Storage networking is emerging as the leading technology for managing data. Soon, the majority of large corporations will have networked storage systems, primarily storage area networks (SANs) and network-attached storage (NAS). As storage networking goes mainstream, the challenge moves from simply installing devices to ensuring that all the information they store is kept secure.

Often, the security aspects of new technologies are scrutinized only after these technologies have made inroads into organizations. Relational databases, WANs, and Internet browsers are all examples of technologies that gained momentum before security vulnerabilities were explored. Only after going through refinements that incorporated effective security measures did these technologies gain widespread adoption.

The Storage Networking Industry Association (SNIA) has a proactive approach to bringing together vendors and users to understand potential security risks and to develop best practices. To address these needs, SNIA recently created two committees:

  • The SNIA Storage Industry Forum (SSIF) is a group of storage vendors focused on increasing the availability of storage security solutions. The SSIF will fulfill this mission by identifying best practices in building secure storage networks and by promoting standards-based solutions.
  • The SSIF Customer Advisory Council is composed of end users. The mission of this council—which is currently seeking members—is to provide direction and feedback to the SSIF.

Effective security incorporates both well-designed products and best practices. One cannot be achieved without the other. Security must be designed into products in such a way as to be effective while still ensuring storage administrators can accomplish their jobs. Users need to follow best practices to ensure security features are used effectively. The goal is to achieve the appropriate level of security without impacting functionality or productivity.

One of the largest challenges around data security is the dynamic nature of storage data. Data is growing. Systems are changing. Businesses are evolving. Today's perfect storage solution can quickly become underpowered, misconfigured, or inadequate tomorrow. For example, many organizations discover their backups are misconfigured only after they experience a failure: They try to recover data only to find the data is not there. Sometimes the changes occur slowly, over months and quarters. Some of the changes happen overnight. What worked yesterday may not work today. Good storage management requires continual testing, monitoring, and assessment simply because the underlying data is so dynamic.

The SSIF is getting vendors together to discuss best practices in developing secure products. The forum will strive to ensure customers' requirements are being met with solutions and standards. It will conduct research and compile a database of features, benefits, cost justification, and ROI calculation methods, as well as best practices for storage security—important tools needed to meet security requirements.

An effective approach to addressing security requirements works across two axes: understanding threats and the level of data security required, and understanding how appropriate security is achieved in complex storage architectures. Often, different individuals within an organization are responsible for these roles and skills. The corporate information security officer may not understand the complexities of storage networking infrastructure, operational practices, and devices. Likewise, storage administrators may not understand the best practices required in evaluating risks and applying storage policies.

Complementing the efforts of the forum is the development of the Customer Advisory Council, which will consist of individuals from the end-user community. Particular emphasis will be on individuals with real-world exposure to storage security needs and implementation. Its members fall into four categories:

  • Industry representatives—Four individuals who work in and understand the needs of specific industries. Targeted industries include financial services, government, manufacturing, and telecommunications.
  • Storage deployments—Four individuals who understand the issues surrounding storage design and deployment. Ideally, these council members have responsibility for deploying storage in their own companies or come from third-party service organizations.
  • Security experts—Four individuals who understand information security—both current security best practices and emerging security standards—as it relates to storage.
  • International representatives—Four individuals from outside the United States who will bring an international storage and security perspective to the forum.

The Customer Advisory Council will meet for half a day semi-annually at the Storage Networking World conferences. The council is currently seeking qualified members who can represent the users of storage systems. If you are interested in being an advisor, contact Mark Diamond at mark@contoural.com.

Mark Diamond is chair of the SSIF Advisory Board. He is founder and CEO of Contoural Inc., an independent provider of storage consulting, education, and incident management services.

This article was originally published on December 01, 2002