Whether it's HIPAA in healthcare or SEC regulations for publicly traded companies, compliance regulations often include a security component. And while the specifics may not be spelled out, the gist of the requirement is usually that the organization can't just blame security lapses, hack attacks, or lost data on equipment problems or inadequate security practices -- they've got to demonstrate a commitment to adopt adequate if not perhaps "best available" technology based on what's in the market.
So where does that leave someone trying to select between NAS or SAN as the basis for a compliance-oriented storage strategy? Serge Plotkin, Chief Technology Officer at Decru Inc., a company that provides encryption appliances for networked storage, says the selection of SAN or NAS may depend in part on the specific mandates a company must meet, since each of the choices presents its own set of costs and benefits.
Although there's been a traditional division of territories between SAN and NAS, he notes, the former has been favored for requirements such as supporting large databases and the latter for less demanding, file-oriented storage. But Plotkin says that's changing, with NAS often adopted for more demanding roles.
The specifics of the compliance challenge and the infrastructure requirements may be what's key, he suggests. For instance, most Fibre Channel networks tend to be closed, which is handy from a security perspective. What's more, FC requires more specialized technical knowledge, making it less likely to be the victim of a hack. By contrast, IP-based NAS tends to have more connection points, potentially increasing its vulnerability. On the other hand, there tend to be more tools available for an IP environment that can add security, while Fibre Channel has very few.
Of course, points out Plotkin, installing a new SAN network from scratch requires specialized IT expertise. Training your staff to build a SAN is time-consuming, he warns; thus, a new SAN network should be built only if you can get IT support with SAN experience.
Jon Oltsik, senior analyst at Enterprise Strategy Group (ESG), agrees with Plotkin's analysis as far as it goes -- neither SAN nor NAS is automatically a better choice. What's needed is a good understanding of your business need and a full awareness of the security challenge. And the storage field as a whole, he predicts, is about to get greater levels of security capabilities to match the kinds of concerns raised by compliance mandates. "Storage has been moving slowly on this but regulatory pressure like Sarbanes-Oxley and the California Database Protection Act will finally motivate people to do something," he says.
Oltsik says a chronic problem to date, identified in ESG's research, is that the storage people don't talk to (or understand) the security people and vice versa.
One positive step for both SAN and NAS environments is that vendors are starting to provide templates designed to simplify compliance for specific environments such as Sarbanes-Oxley. For example, if a document needs to be archived under SEC Rule 17a-4, the template automatically points it toward a specific medium and already knows that it must be retained for at least seven years, he says. "All of this is starting to move into the whole information lifecycle management (ILM) approach to things," he says.
However, he warns, to date, ILM has been moving ahead with little focus on security. "Without security, ILM is dead on arrival," he adds.
About the author: Alan Earls is a freelance writer in Franklin, Mass.