This article can also be found in the Premium Editorial Download "Storage magazine: How to distance your data from disaster."
Download it now to read this article plus other related content.
Focus areas for 2006
Storage managers and vendors need to expand their horizons in 2006 for the sake of protecting mission-critical data. Alas, the real estate of this column is too dear for an exhaustive list of security topics, so allow me to elaborate on four important storage security focus areas that professionals and vendors should pay attention to:
- Storage security standards. The biggie here is the Fibre Channel Security Protocol (FC-SP), which is set to be ratified by the American National Standards Institute's (ANSI) T11 working group any day now. FC-SP is kind of the FC equivalent of IPsec, a set of standard algorithms and protocols providing authentication, confidentiality, integrity checking and non-replay protection for IP packets. Granted, the first version of FC-SP has a long way to go, but you have to start somewhere. FC-SP will eventually provide ample protection for SAN-based data in flight as the standard gets baked into host bus adapters, switches and storage systems.
- Security by default. Historically, configuring devices for security demanded an "opt-in" model. IT technologies were shipped in an unsecured state by default, so securing them meant extra configuration steps. Given the growing number of digital threats, the technology industry is quickly morphing to an opt-out paradigm. The best example of this change is Windows XP Service Pack 2, which turns on a firewall upon installation.
Storage won't move to an opt-out security model overnight, but you can certainly expect more security configuration and installation options. Examples of this change will consist of things like ACLs on management interfaces, forced changes to default passwords, removal of unnecessary TCP services and role-based administration. When you're configuring your brand-new storage system in October, you'll see messages like, "You have not changed the default administration password, which may present a security risk. Are you sure you want to proceed?"
- Logging. Storage devices either don't log events, don't log enough events or log events in some proprietary format. As Lyndon Johnson might have said, "That dog don't hunt." Logging fits under the "you can't manage what you can't measure" category--especially when it comes to regulatory compliance and keeping the auditors happy. In other words, ever-increasing regulations move logging storage to the "gotta have" list.
- Key management. This area isn't well understood by most storage people. Heck, even a lot of security folks don't understand key management and its application. I'll probably dedicate an entire column to key management in the future, so I'll spare Storage readers from a crypto-geek explanation for now, but here's a simple explanation for the burgeoning key management requirement. Key management goes hand in hand with encryption. Encryption keys can be seen as random numbers used to encrypt data--no keys, no data. Because of this, keys must be protected, backed up, rotated offsite, etc. Now suppose you have six separate storage devices (disks, tapes or appliances) that do encryption. That means you have six key management systems to operate. This means that in the event of a disaster, you have six systems that must be restored before the data is useful. Does anyone else see an operations nightmare approaching? Centralizing key management can help you avoid these issues and is why Enterprise Strategy Group advocates a proactive plan.
This was first published in May 2006