Management tools are accessed through servers that connect directly to the SAN. "The Achilles' heel of SAN security is that the management interfaces to the storage devices are sitting on the corporate LAN," says W. Curtis Preston, vice president of data protection at GlassHouse Technologies Inc., Framingham, MA. At a minimum, he says, managers should regularly change the passwords to management tools.

Establishing effective access control for storage is problematic at this point. "No one has strong role-based access control, the kind that will let you control access at the command line," says SNIA's Budnik. He expects such role-based security to emerge over the next two years.

In addition to access control is identity management. Storage managers, however, can't do much on their own about identity management. "The tools are mainly in the application stack," says TheInfoPro's Stevenson. "Storage people often see identity management as the re...

This kind of finger-pointing is typical of the breakdowns that lead to security breaches. The solution calls for storage, corporate security, network and application teams, and business managers to work out a set of policies and procedures together.

"What we've seen is that policies are the key to security," says Jot Gill, an information management consultant now building a strategic consulting practice at Network Appliance Inc. "This is not a device layer issue or an application layer issue--it is a business issue." Such a policy effort, he adds, should even include input from--heaven forbid--lawyers and accountants.

This requires cooperation among all players. "The struggle we're seeing with our customers is who drives the policy," says Forsythe's Arland. "The storage people can take some basic security measures, but you really need an overall security policy on the corporate level."

< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   6  |   NEXT PAGE  >