This article can also be found in the Premium Editorial Download "Storage magazine: Lessons learned from creating and managing a scalable SAN."
First steps to security
Fast forward to today, and there's an obvious change in the market. More than ever, users get it--CIOs, storage executives, compliance officers and legal teams are pushing their storage vendors to add security features to products. The refreshing thing is that vendors get it, too--they're adding security features to all kinds of storage products. Storage industry leaders like Computer Associates, EMC, Hewlett-Packard, IBM and Symantec have introduced professional service offerings focused on storage security. These include a variety of assessment services, data classification, storage infrastructure security and security implementation. System vendors are actively partnering with security firms like CipherOptics, Decru and NeoScale, while others like Quantum and Spectra Logic are adding cryptographic capabilities to their technologies.
These are extremely worthwhile, albeit long overdue, developments in my view, and a logical first step to finally addressing security. If you were going to secure your house, it would certainly be prudent to start by inspecting the condition of all the windows, doors and locks before installing motion detectors and alarms. I applaud this essential effort, but I'm here to tell you that it's just not enough anymore.
What's the problem? Basic storage security presumes that the storage environment is relatively static. By focusing on storage security, we tend to view storage in isolation as a basic
Today's storage is intelligent, distributed and intertwined with all the other layers of the IT infrastructure. As an industry, we've even defined a new term--information lifecycle management (ILM)--to describe how intelligent storage systems can add value to the business. This is precisely the leap of faith now needed regarding information security. With that in mind, ESG believes storage security as a concept is obsolete and should be replaced with a new discipline called information lifecycle security (ILS).
I know this sounds like analyst mumbo jumbo, but bear with me as there's a fundamental difference here. While storage security concentrates on physical devices and discrete infrastructure, ILS focuses on the information itself. Furthermore, as the name implies, ILS defenses change over time as information ages and its value decreases.
This was first published in July 2006