Despite the fact that compliance regulations are looming and your former employee could potentially become your current hacker, storage security still hasn't made it to the top of most companies' priority lists.
A recent survey by Enterprise Strategy Group (ESG) showed a major disconnect between the desire to secure storage and the willingness to buy products or trust vendors. Only one-third of the respondents reported that they have done a security audit of their storage assets. Yet two-thirds of respondents believed security is "extremely important." Almost half believed that their storage vendor's commitment to security is "weak."
Storage security has stayed in the middle of Michael Eller's mind because his network cannot be accessed from outside the company. Eller, a second vice president of worldwide technology at The Northern Trust Company, Chicago, Ill., said, "There's no reason to do it today, as our network isn't open to the outside world. There'd have to be a security violation internally."
Jon Oltsik, senior analyst at Enterprise Strategy Group (ESG), Milford, Mass., said that soon it won't be enough to protect the network from the outside world. "Companies need to protect their networks from everyone, including their own employees."
Oltsik also said that protecting your servers does not mean that you are also protecting your storage. "Servers have access controllers for protection, but the methods for securing storage like zoning and LUN masking are notoriously weak."
Still, for many, adding security to a storage area network (SAN) is not considered necessary.
"We've got our own internal security and audit points. Our priority right now is finding good management tools," said Darren McNair, Associate Director, USB Securities LLC, New York.
"In our situation, it is overkill," said Keith Wichmann, principal systems engineer, Global Science & Technology Inc. "Currently, our SAN architecture is entirely controlled by us and is single-purpose." Because most SANs today are in a controlled environment, Wichmann sees the "market potential for storage security products as relatively small."
Recent security products from vendors such as NeoScale Systems Inc. and Decru Inc. encrypt data on the disk or as it passes through a network. NeoScale's appliance, called CryptoStor SAN VPN, is designed to encrypt data as it moves across a long-distance storage network from one site to another.
Decru's appliance, Expeditionary Encrypted Data Store, makes hard drives impenetrable by not storing information as plain text. All information is encrypted and accessible only to authorized personnel.
Jesse Correll, manager of IT infrastructure, MetLife Investors Group Inc., Network Beach, Calif., has not implemented any encryption security on his SAN environment, nor does he plan to, because he's "not passing data from site to site very often, so encryption of all storage is not really needed." But Correll added that he could "see the need for storage security in a MAN or WAN environment where data is replicated and needs to be secured tighter."
Oltsik predicted that compliance regulations will continue to be a driver for security, as will the number of security breaches that make it to the public. "We've seen recent breaches such as BJ's Wholesale Club having credit card information stolen from its network and the University of California at Berkeley having student records stolen."
Oltsik said more events like these will lead storage managers to do a technology and policy assessment of their storage to figure out where the holes are, with the most activity happening in highly regulated industries like government and financial services.
"The thinking has been that storage is so far behind the firewall that it can be ignored, but I see that attitude changing in the next year."