Storage security is complex with no simple solution

Randy Kerns

Requires Free Membership to View

the Evaluator Group
Randy Kerns is a partner at the Evaluator Group and is responsible for storage area networks (SAN) and network-attached storage (NAS) analysis and education as well as company and product strategies. He has over twenty-eight years storage product development, including work for IBM, Fujitsu, Vice President of Engineering at the Array Technology subsidiary of Tandem Computers and Director of Engineering for Enterprise Disk at Storage Technology Corporation.

There have been a few announcements recently that have included security enhancements.. The typical security for the storage devices is addressing controlling access to the device. In reality, there are multiple elements to security for storage that need to be considered:

1. Access to the device -- to make sure unauthorized or inadvertent access to data can't occur

2. Access to the data in transit -- data in transit is moving across a network or interface that can't be captured or modified

3. Data protection through encryption -- even if the data is accessed only with the proper keys can it be meaningfully used

4. Management access to a device -- access to tools, protecting configuration, and other access controls

Storage systems usually have some type of control of access to devices that is done by LUN management. The LUN management includes functions such as LUN masking where only a specific host interface (World Wide Name of an HBA in a server for example) can access particular devices through a specific port on the storage system and an allegiance of a LUN to a server. Storage devices don't usually address data in transit protection or encryption of the data at rest. Management controls security and is usually implemented on most storage systems.

Switches and directors have additional protection capabilities added to them. The Brocade Secure Fabric OS, for example, has features to provide for "trusted switches" to be able to allow for management between switches, binding of HBA ports to switch ports to prevent spoofing, digital certificate exchange using keys for switch linkage and restricted management access among other standard security features.

Encrypting data is a very complex operational consideration. Who manages the keys, how they are exchanged and the degree of standardization between the different solutions can have a major impact on how business is done and how much administrative overhead is required. Doing encryption in a storage system has not been seen to be the best solution up to this point. There are some start-up companies working toward encrypting devices (or appliances). Taking a step back and looking at the data access problem, it would seem that the best place would be at the application level which would solve both the data in transit and data at rest problems. Since the application created it and is the access point for the data, it might be the best place to perform the encryption as well as the authentication and authorization for access.

All of the security announcements show improvements in control of access to storage devices. None really address data in transit. The problem is, security is not just a single solution and not a totally technology-based solution. It has to be a layered set of protections that are part of an overall storage strategy. Security is strategic and needs to be planned and administered with people who have the responsibility and the resources. Only a comprehensive solution will work. The features on the products will be a part of that solution but only a part. Without a comprehensive plan, they can't be effectively utilized.

This was first published in June 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.