This article can also be found in the Premium Editorial Download "Storage magazine: What to do when storage capacity keeps growing."
Encrypting data at rest is a reliable security measure, but it's only one component of an effective storage security plan.
Attend a storage conference these days, and you might think encryption solves all of your storage security woes. It seems as if one "expert" after another is singing the praises of storage encryption for both data in transit and data at rest. But don't believe them.
Encryption is part of the SAN security solution, but it has its limitations. "Encryption is an interesting option, but mainly for tape," says Tim Arland, principal consultant at Forsythe, a Skokie, IL-based storage systems integrator. "Real-time encryption of everything at line speed is very rare," adds Arland, yet that's ultimately what you would need if you want encryption to solve all of your SAN security problems.
And even then, it might not work. What happens if a host bus adapter (HBA) spoofs an authorized system? More than encryption will be needed. The storage security problem transcends storage alone, which makes it unlikely that storage professionals can solve it by themselves. "Storage professionals are waiting to work with other corporate security teams," says Robert Stevenson, managing director, storage practice at TheInfoPro Inc., a New York City-based research firm. But Stevenson notes that in a survey conducted by TheInfoPro, some respondents also complained about corporate security intruding into storage operations.
At one time, storage
SANs today are vulnerable to myriad internal and external threats that require improved security. Various regulatory mandates are also forcing storage teams to adopt greater security measures, such as classifying data, monitoring its access and securing it in different ways depending on how the data is classified. With no single action likely to make the problem go away, storage managers must begin implementing Budnik's recommendations, ranging from requiring vendors to immediately inform them of changes in their support staff to locking down the security identifier on Windows servers to prevent spoofing.
The list of things to do is long, and the storage team can't do it all alone. Multiple types of threats expose different vulnerabilities and require various lines of defense. Ultimately, storage managers will have to do what the network people have been trying to do for years: implement a strategy called "defense in depth." For storage, that means a minimum of three lines of defense: access, identity and policy control; securing servers and hosts; and securing storage devices, components, switches and their communications links.
This was first published in June 2006