This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."
Is anyone in the storage industry even close to pulling this off? I do see a number of leading indicators that the industry is moving in this direction. For example:
- NetApp/Decru is championing an effort around key management, building a development community and pushing industry standards.
- IBM extended mainframe security functionality such as its encryption facility, Integrated Cryptographic Service Facility (ICSF) and Resource Access Control Facility (RACF) to storage management software and devices.
- In a model similar to Microsoft's, EMC has instituted its Common Security Platform (CSP), a set of security requirements for all EMC products. CSP covers everything from the way products are built to access controls to logging.
- Hitachi has embraced the ISO/IEC 21827:2002 Systems Security Engineering–Capability Maturity Model (SSE-CMM) to introduce security best practices in product development projects. Security testing has also transitioned from an ad hoc process to a formal phase in the QA cycle.
The bottom line
Security is neither a product feature nor a sound bite for marketing pitches. It's a cradle-to-grave commitment that spans products, processes and personnel. Microsoft proved you can turn on a dime if you want to, and several leading storage vendors are following its example. Storage professionals should be wary of any vendor that hasn't made this transition.
This was first published in May 2007