For most of IT history, information security was considered a minor issue within the overall IT scheme. Security was the domain of super geeks--cryptographers, network jocks and whiz kids. Storage people didn't need to pay attention to security paranoia because they managed captive devices connected to dedicated hosts over SCSI cables. Storage had its own sandbox with a particular language, technology and protection. Life was good.
Fast forward to today. More and more storage is connected over growing networks. Yes, we still have our own nerdy technology, such as Fibre Channel (FC), but IP networks--along with their associated security risks--continue their constant ascent in the storage world.
Want some examples? Today, most backups occur over private storage subnets. Remember all the hoopla about backing up over the storage area network (SAN)? That turned out to be a joke. Storage management interfaces are exposed through standard Ethernet interfaces and are often connected to the production LAN. Ethernet and IP are gaining popularity in remote mirroring applications for disaster recovery.
These are relatively slow and minor developments, but we may be on the verge of a storage network revolution as FC is under a direct attack. The iSCSI protocol has made astounding advances over the past few years. Only a fool would continue to dismiss this technology upstart or claim that it's only a niche technology for the small to medium-sized businesses or a remote office space. As iSCSI SANs grow to thousands of geographically distributed devices, storage security becomes a huge can of worms.
This isn't the only security trend that will impact the storage environment. After many years, information security has finally arrived in the boardroom. Not that the people in suits want to care, but they have to. Regulations such as Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley demand security policies and procedures as part of IT audits. California's SB 1386 is a wide measure that mandates public disclosure of security breaches where confidential information of any California resident may have been compromised. There's even talk of a similar legislation at the federal level.
Bad press, lawsuits and liabilities: That's what gets board of directors all lathered up. As a consequence, CEOs are hiring chief information security officers (CISOs) as quickly as they can. CISOs are in turn reviewing enterprise security and mandating change across the entire IT infrastructure--including storage.
Now here's the predicament. Because storage people never had to care about information security, they don't have the knowledge and skills to define policies, design secure architectures and operate a secure storage infrastructure. What's more, storage vendors are of little help because they are still fixated on performance, availability and management GUIs. That's important stuff for sure, but it's no longer enough.
Educate your staff
So, what's the vice president of storage to do? In the words of consultant and author Stephen Covey, "An empowered organization is one in which individuals have the knowledge, skill, desire and opportunity to personally succeed in a way that leads to collective organizational success." In other words, when seeking knowledge, start with your own staff.
The entire storage organization should be encouraged to learn as much as they can about security. Proceed down this road by persuading the storage staff to:
- Find internal experts. Chances are good that there are several security gurus at your company who would love to share security knowledge with their peers. These people can not only teach the storage staff about security concepts such as authentication, encryption and non-repudiation, they can do so in the context of your industry and company. What better method than to take abstract security concepts and apply them to familiar business processes?
- Provide information about external training. Assign a junior person to find all available security training resources in your immediate area. There are probably many of them. Universities, community colleges and training organizations now offer a number of rapid or semester-based programs. Do your homework here. Find out which curriculums are the most appropriate to your needs, then pass on this information to your staff.
- Encourage certifications. There are many worthwhile certifications that provide a well-rounded security education. Two popular certification programs are the ISC2 Certified Information Systems Security Professional (CISSP) and the SANS Institute Global Information Assurance Certification (GIAC). If possible, pay for courseware and boot camps. Create study groups. Remember to communicate the value of this training because security skills are in high demand.
Quiz your vendors
As you implement these programs and policies, keep in mind that you shouldn't have to travel down the storage security road alone. It's time to read your vendors the riot act: Support storage security or find another customer. This is no joke. Find out from your storage vendors that when it comes to storage security, you want to understand what they are doing with their:
- People. Is your vendor training field technicians on information security best practices? Do they understand particular industry security concerns? Do your vendor's sales people ever consider security concerns? Do the developers at your storage management vendor know how to write or test code for security?
- Processes. Your vendor's security processes will say a lot about how well it can offer security support to its customers. For example, does the vendor do background checks on new hires? Does the company actively participate in industry-based security forums? Does the vendor have a good bug tracking, alerting and patch distribution methodology for its own code? Does the vendor consider security in design, implementation and documentation?
- Technology. Your vendor needs to design strong security into its products. Many vendors will talk in generalities here. Get specific. How does your vendor handle data confidentiality and integrity? How do they ensure trust between devices? Do they support a security-centric installation process? Can they support any type of encryption? (Note: native FC doesn't exist yet, so vendors will either use some proprietary mechanism or work with a third party; iSCSI vendors will default to IPsec).
The benefits of Internet-based business processes come with information security risks. Storage professionals and vendors can no longer shrug this concern off as someone else's issue. Savvy IT storage professionals will recognize this by getting their own houses in order through training and certification, then work with progressive vendors that take storage security seriously. Start this process soon before you find the new CISO breathing down your neck or your mission-critical information for sale on the Internet.