
Security benefits of storage area networks

Jeff Boles explains some of the security benefits of storage area networks (SANs) in this Ask the Expert question.

What are some of the security benefits of storage area networks (SANs)?
You can think about security in a number of different dimensions when it comes to storage, and availability is one. However, I'll talk specifically about the data loss prevention (DLP) and intrusion prevention aspects of a storage area network (SAN). I'll use SAN to refer to both Fibre Channel (FC) and iSCSI SANs. While there are some differences between the two, in general, you find similar security benefits from both approaches. Some may argue that Fibre Channel requires a higher intrusion effort, but without segregating a Fibre Channel SAN from all outside attachments, which would also be possible with iSCSI, it is actually fairly easy to tap or break into the Fibre Channel environment these days.

At the most basic level, storage area networks are more capable of seeing and controlling access to storage resources. First, there are a couple of basic barriers to accessing the SAN that must be dealt with, i.e., configuring access at the fabric and/or array level. At first, you might be tempted to consider this a point of exposure. After all, if all of the crown jewels are stored in one location, you more likely know where to focus your energies. But in fact, it gives you an opportunity to better control and track how your storage is accessed and utilized.

Second, the consolidation inherent in SANs often gives you better access to security features that are built into an array. Today, many arrays come with drive-level encryption features, and there are some advanced network-based technologies available for authentication and in-flight data encryption. It is simply impossible to get these levels of features in direct-attached storage (DAS) today.

So, in a nutshell, for data loss prevention, when you turn to a SAN, you're getting better visibility of who is accessing what, and you will likely have better capabilities for in-flight and at-rest encryption of data. For intrusion prevention, some of the authentication and in-flight mechanisms can help as well. But keep in mind, a SAN isn't the whole pie for either aspect. Real DLP and security take a comprehensive approach that focuses on the edge, the server OS, the SAN, other points of ingress/egress and end-user nodes. The SAN can help you augment your practices, but it is just one layer in a multilayer, defense-in-depth data security strategy.
