Tip

For compliance, neither SAN nor NAS is a slam dunk

At issue: Compliance regulations are forcing companies to make tough choices in order to guarantee the security and reliability of their data, but which storage architecture to choose -- SAN or NAS -- may not be one of them.


Whether it's HIPAA in healthcare or SEC regulations for publicly traded companies, compliance regulations often include a security component. And while the specifics may not be spelled out, the gist of the requirement is usually that the organization can't just blame security lapses, hack attacks, or lost data on equipment problems or inadequate security practices -- it has to demonstrate a commitment to adopting adequate, if not "best available," technology based on what's on the market.

So where does that leave someone trying to select between NAS and SAN as the basis for a compliance-oriented storage strategy? Serge Plotkin, Chief Technology Officer at Decru Inc., a company that provides encryption appliances for networked storage, says the selection of SAN or NAS may depend in part on the specific mandates a company must meet, since each of the choices presents its own set of costs and benefits.

There has been a traditional division of territories between SAN and NAS, he notes: the former has been favored for requirements such as supporting large databases and the latter for less demanding, file-oriented storage. But Plotkin says that's changing, with NAS often adopted for more demanding roles.

The specifics of the compliance challenge and the infrastructure requirements may be what's key, he suggests. For instance, most Fibre Channel networks tend to be closed, which is handy from a security perspective. What's more, FC requires more specialized technical knowledge, making it less likely to be the victim of a hack. By contrast, IP-based NAS tends to have more connection points, potentially increasing its vulnerability. On the other hand, there tend to be more tools available for an IP environment that can add security, while Fibre Channel has very few.

Of course, points out Plotkin, installing a new SAN network from scratch requires specialized IT expertise. Training your staff to build a SAN is time-consuming, he warns; thus, a new SAN network should be built only if you can get IT support with SAN experience.

Jon Oltsik, senior analyst at Enterprise Strategy Group (ESG), agrees with Plotkin's analysis as far as it goes -- neither SAN nor NAS is automatically a better choice. What's needed is a good understanding of your business need and a full awareness of the security challenge. And the storage field as a whole, he predicts, is about to get greater levels of security capabilities to match the kinds of concerns raised by compliance mandates. "Storage has been moving slowly on this but regulatory pressure like Sarbanes-Oxley and the California Database Protection Act will finally motivate people to do something," he says.

Oltsik says a chronic problem to date, identified in ESG's research, is that the storage people don't talk to (or understand) the security people and vice versa.

One positive step for both SAN and NAS environments is that vendors are starting to provide templates designed to simplify compliance for specific environments such as Sarbanes-Oxley. For example, if a document needs to be archived under SEC Rule 17a-4, the template automatically points it toward a specific medium and already knows that it must be retained for at least seven years, he says. "All of this is starting to move into the whole information lifecycle management (ILM) approach to things," he says.

However, he warns, to date, ILM has been moving ahead with little focus on security. "Without security, ILM is dead on arrival," he adds.

About the author: Alan Earls is a freelance writer in Franklin, Mass.

This was first published in December 2004
