This article can also be found in the Premium Editorial Download "Storage magazine: Should you consolidate your direct-attached storage (DAS)?."
Also make sure you have well-thought-out standard operating procedures (SOPs) for handling tapes in a secure manner. Some backup products can encrypt the data being sent to tape, too, but the encryption schemes aren't necessarily very strong, and aren't widely used.
In a recent study documented in the IEEE's new
Don't assume your employees can be trusted to maintain security, either. According to Activis, a U.K. security firm, just 6% of security breaches are perpetrated by strangers. Employees are responsible for 81%, and ex-employees for the rest. Auditing, role-based access control and backup copies are needed to safeguard data from the people with the keys. Many storage devices and software can send a log of their use to a secure system through the syslog protocol, ensuring a record of access. More and more storage management products are being designed to limit access based on assigned roles, which can help keep data safe. But only secure backup copies can ensure that data can be recovered in the event of a breach.
The storage security crystal ball
One of the more interesting aspects of my job is giving new companies feedback on the latest storage products in development. I'm seeing a great deal of attention being paid to storage products with security applications, from a replication engine with built-in encryption to business process automation with auditing. Even non-security products such as storage resource management (SRM) are adding role-based access controls and availability features.
A recent study by us pointed out that although few organizations currently focus on storage security, most said they saw it as a major concern for the coming year. They see that, as their SANs grow, more vulnerabilities arise and the potential for damage increases dramatically. The loss of a single FC switch might only affect a few systems. But the loss of a diverse, consolidated SAN would affect every attached host, and would undermine confidence in the storage organization.
Although I am bullish on iSCSI, it could pose major security headaches. Right now, the obscurity and limited size of FC hardware limit access to fabrics. But with iSCSI built into Windows, SAN knowledge can't be assumed to be limited to the high priests of storage. Although a best practice for iSCSI looks to be limiting it to a private Ethernet network, it seems likely that these networks will often be bridged to the production LAN. How will you feel about security when anyone with a laptop can be part of your SAN? Storage security will be a major concern in the coming years, and now is the time to start thinking about it.
One final note: In April, I asked folks to e-mail me so I could help collect and summarize their utilization data. The offer is still open and in a few months, I'll be revisiting the storage utilization topic with updated data.
This was first published in June 2003