Is encryption enough?


This article can also be found in the Premium Editorial Download "Storage magazine: What to do when storage capacity keeps growing."

Download it now to read this article plus other related content.

Management tools are accessed through servers that connect directly to the SAN. "The Achilles' heel of SAN security is that the management interfaces to the storage devices are sitting on the corporate LAN," says W. Curtis Preston, vice president of data protection at GlassHouse Technologies Inc., Framingham, MA. At a minimum, he says, managers should regularly change the passwords to management tools.

Establishing effective access control for storage is problematic at this point. "No one has strong role-based access control, the kind that will let you control access at the command line," says SNIA's Budnik. He expects such role-based security to emerge over the next two years.

In addition to access control is identity management. Storage managers, however, can't do much on their own about identity management. "The tools are mainly in the application stack," says TheInfoPro's Stevenson. "Storage people often see identity management as the responsibility of the DBA or application developers."

This kind of finger-pointing is typical of the breakdowns that lead to security breaches. The solution calls for storage, corporate security, network and application teams, and business managers to work out a set of policies and procedures together.

"What we've seen is that policies are the key to security," says Jot Gill, an information management consultant now building a strategic consulting practice at Network Appliance Inc. "This is not a

Requires Free Membership to View

device layer issue or an application layer issue--it is a business issue." Such a policy effort, he adds, should even include input from--heaven forbid--lawyers and accountants.

This requires cooperation among all players. "The struggle we're seeing with our customers is who drives the policy," says Forsythe's Arland. "The storage people can take some basic security measures, but you really need an overall security policy on the corporate level."

This was first published in June 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: