User plan for 2006
Each of these focus areas demands security knowledge and an action plan. Storage professionals should:
- Assess SAN configuration and administration against Fibre Channel Security Protocols (FC-SP). In many shops, SAN deployment is limited to specific data centers and trusted members of the storage team, so authenticating storage devices and encrypting FC communications might be overkill. On the other hand, enterprise SANs can have hundreds of FC ports and distributed devices crossing data centers and public networks. Storage managers need to assess risks and SAN topology strategies, and then map FC-SP accordingly.
- Understand the ramifications of "secure" configurations. Examine the tradeoffs between security and operational processes. For example, if storage administrators log into devices from their homes, assigning ACLs associated with internal IP addresses alone won't work. In other words, it's important to look at all existing processes, procedures and technology needs before simply locking down storage boxes.
- Map storage security with compliance obligations. This is true with regard to access controls as well as logging, where log files can eat up a lot of storage. Grab the compliance auditors and determine what data they need, in what format and how often they need it. Because this is a new activity, expect several iterations before you get it right.
- Approach encryption with your eyes open. Scrambling bits on backup tapes is just the tip of the iceberg. As vendors pitch encrypted storage devices, make sure you understand what they provide for key lifecycle management. Do they have Federal Information Processing Standards (FIPS) certification? Do they adhere to standards? Can their products be integrated into a centralized service? Upfront work here will prevent a serious operational headache down the line.
Security isn't industry rhetoric; it's serious business. Given the increased emphasis on security, every vendor is bound to have a story, so it's incumbent upon storage professionals to be knowledgeable enough to spot a phony. As you increase your knowledge, make sure to include chief information security officers or other security people with a keen eye for security smoke and mirrors.
One other note: It's one thing to offer secure products, it's a completely different thing to embrace security. Does your vendor have security included in its software development process? Are its field engineers trained in storage security? Is the company providing secure remote support? If the answer to any of these questions is "No," you should immediately find out when they will address these shortcomings. It's best to avoid equivocating vendors that lack definitive roadmaps and schedules.
This was first published in May 2006