There have been a few announcements recently that have included security enhancements.. The typical security for the storage devices is addressing controlling access to the device. In reality, there are multiple elements to security for storage that need to be considered:
1. Access to the device -- to make sure unauthorized or inadvertent access to data can't occur2. Access to the data in transit -- data in transit is moving across a network or interface that can't be captured or modified 3. Data protection through encryption -- even if the data is accessed only with the proper keys can it be meaningfully used 4. Management access to a device -- access to tools, protecting configuration, and other access controls
Storage systems usually have some type of control of access to devices that is done by LUN management. The LUN management includes functions such as LUN masking where only a specific host interface (World Wide Name of an HBA in a server for example) can access particular devices through a specific port on the storage system and an allegiance of a LUN to a server. Storage devices don't usually address data in transit protection or encryption of the data at rest. Management controls security and is usually implemented on most storage systems.Switches and directors have additional protection capabilities added to them. The Brocade Secure Fabric OS, for example, has features to provide for "trusted switches" to be able to allow for management between switches, binding of HBA ports to switch ports to prevent spoofing, digital certificate exchange using keys for switch linkage and restricted management access among other standard security features. Encrypting data is a very complex operational consideration. Who manages the keys, how they are exchanged and the degree of standardization between the different solutions can have a major impact on how business is done and how much administrative overhead is required. Doing encryption in a storage system has not been seen to be the best solution up to this point. There are some start-up companies working toward encrypting devices (or appliances). Taking a step back and looking at the data access problem, it would seem that the best place would be at the application level which would solve both the data in transit and data at rest problems. Since the application created it and is the access point for the data, it might be the best place to perform the encryption as well as the authentication and authorization for access.
All of the security announcements show improvements in control of access to storage devices. None really address data in transit. The problem is, security is not just a single solution and not a totally technology-based solution. It has to be a layered set of protections that are part of an overall storage strategy. Security is strategic and needs to be planned and administered with people who have the responsibility and the resources. Only a comprehensive solution will work. The features on the products will be a part of that solution but only a part. Without a comprehensive plan, they can't be effectively utilized.
This was first published in June 2003