This article can also be found in the Premium Editorial Download "Storage magazine: Storage managers give thumbs up to IP storage."
In the past, limited storage security was acceptable when applications and data lived within the four corporate walls--but this is no longer the case. Since the mid-1990s, companies have opened their systems to outsiders via the Internet in order to exploit revenue opportunities, improve business efficiencies and reduce costs.
In addition to Internet-based threats, corporate employees also present a distinct security risk. According to the 2003 Computer Security Institute/Federal Bureau of Investigation survey, 77% of respondents believe that disgruntled employees are a likely source of attack.
As security concerns increase, a laissez-faire approach to storage security is no longer acceptable. Storage vendors must enhance security to address:
- Enterprise security policies. To meet the security challenge, many companies are adopting standards for things such as password management, secure communications and delegation of administrative tasks. Storage products that can't be configured to meet these standards will be eliminated in favor of those that can.
- Regulatory compliance. Government mandates such as California SB 1386, Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley have an implied or explicit security component.
- Existing storage security woes. Problems include insecure Fibre Channel (FC) switch configurations, open management interfaces, cleartext data in flight and at rest, and a lack of authentication.
- Future storage initiatives. Over the next few years, storage innovations such as information life cycle management (ILM) and iSCSI will intertwine storage and IP networks. New processes will automate the movement of information over the Internet, exposing storage to worms and viruses. To take advantage of storage innovations, companies must improve storage security. After all, if an ILM implementation is attacked, critical data could be compromised or lost, resulting in noncompliance and business interruption.
Demand storage security
Storage vendors have traditionally eschewed security because users never asked for it. Why? Until recently, most storage was configured as direct-attached storage (DAS), so users could rely on server security to address any storage concerns. Now, however, storage networks are introducing numerous security vulnerabilities that warrant user attention. Because storage area networks (SANs) house vital information, storage managers should include security as a must-have purchasing criterion. In addition, these security demands should go beyond product features/functions and include vendor security knowledge and support.
Beginning immediately, users should include security functionality in their storage hardware, software and networking vendor qualifications. Security demands should focus on three areas: storage architecture, storage management software and security processes.
This was first published in April 2004