Published: 03 Jun 2002
Storage security. It's not just for breakfast anymore. It's about to become a big deal, a very big deal
No one ever thought about security from a storage perspective because you really didn't need to. In a direct-attached world, the only way to get to the storage data was through that server, so we protected the server, and the network leading to the server, and that was enough. The new world that we live in now - a world where storage is networked behind servers - presents a new collection of security problems.
Can't IPSec or any of the other security measures take care of it? No way, San Jose. Data in transit on the wire is just a fraction of the crown jewels we call our corporate data. At any given time, maybe a small percentage is ever in transit - the bulk sits in the storage repository. We've worried about the transit part, but we've never really considered the back end where all the good stuff really sits. We've protected the LAN, because that's where all of our data access and transit occurred, but we rarely considered how else some evil character might reach and defile our most valuable asset. It really didn't matter, since all of our data was secured within our own walls.
The reality of tomorrow is that our data will not be exclusively housed and accessed within the confines of our tight security building. We'll be using our data to enhance our overall business processes both inside and outside of our building. We'll be accessing data via the metropolitan area network (MAN), the wide area network (WAN) and that little thing called the Web. Our people use Palms, Blackberrys and laptops. I use a service from a company called GoToMyPC.com (which is just about the coolest thing going, mind you) in order to use my computer from wherever the heck I am. If I can connect to the Web, I can, in essence, work as though I'm sitting at my spacious office desk in my spacious office cube. I have access to everything.
And let's now consider the fact that storage will become virtual. It has to. The good news is that virtualizing storage will let our IT guys manage a ton more of it. The bad news is how the heck are you going to protect virtual storage? The brilliance of storage networking (and I mean that) has left a security hole that by all measure will be bigger than anything we've ever had to deal with. A VPN protects the access layer in IP. Zoning protects the access layer of the SAN (storage area network) - but be clear about what zoning is: a switch-side filter on which ports or world-wide names may see one another. It encrypts nothing, and it does not authenticate the host behind a permitted name. We really need a foundation layer of protection for the physical storage backend itself.
Oh, yeah, did I mention that half of corporate data will probably exist on PDAs in a few years? We probably want to consider that little potential time bomb as well.
So the real issue in my opinion is not data in flight. That tends to be small, and tough to steal anyhow. That, however, is where we are spending our thought processes. We're worried about protecting the data in flight, yet 99% of the data we should care about sits in one large pool, like a big fat rhino out on the open desert. It's easy to see, and it's a very big target. I also read somewhere that 70+% of all security attacks are internal - not external.
So how are we going to protect our rhino? We want to make sure that simple things - such as not letting marketing see HR information - occur, not just protection against an external hack attack. If marketing does grab HR information, shouldn't we make sure that we know about it, and the information is garbled and useless to their prying eyes? I think so.
Disaster recovery is a great thing, but doesn't that really replicate our rhino, providing multiple potential attack points? As we unify our storage pools, we are in essence creating a bigger rhino and making it easier to see and hit. Core/edge technologies are necessary to improve user experience, but create new attack points.
Here are some issues to consider:
Performance. No matter what we do, we can't slow things down. All security implementations must run at wire speed or they will not be adopted.
Encryption. We need this all the way to the device. But we can't rely on a single key or a single scheme: separate keys (and, where practical, separate algorithms) per line of business or application, so that one compromised key or one broken algorithm exposes one slice of the company's data rather than all of it.
Transparency. You don't want to change your applications or policies to incorporate any of this stuff.
Centralized management. The corporation owns the keys, the policies and the data. Let's not give the users the ability to do bad things.
Scale. Don't tell me that this stuff won't work as I grow from small to gigantic.
I also want to know who's trying to get at what. Intrusion detection is critical if we believe that most problems will come from inside our enterprise. Shut them down, and then let me know exactly who is attempting to get at things I've decided they shouldn't be able to access. Finally, I want to be able to protect all of my remote data from the data center.
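To make that wish list concrete, here is an added example in Python. It is mine, not code from this column or from any vendor named in it, and it models a toy storage gateway sitting in front of the pool: the corporation's key manager holds one independent key per line of business, a policy says which group may touch which domain, every refused read is recorded with who asked for what, and blocks are sealed before they hit the disk so that anyone reading behind the gateway gets garbage. The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a standard-library stand-in for AES-GCM so the example runs without third-party packages; the domains (`hr`, `marketing`), groups, users, paths and salary records are all constructed for illustration.

```python
import hashlib, hmac, secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(domain_key):
    """One line-of-business key -> independent encryption and MAC keys."""
    enc = hmac.new(domain_key, b"storage-enc", hashlib.sha256).digest()
    mac = hmac.new(domain_key, b"storage-mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as the keystream: a stdlib stand-in for AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(domain_key, plaintext):
    """Encrypt-then-MAC. Stored block layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(domain_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(domain_key, blob):
    """Check the tag before decrypting; a wrong key or a tampered block raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("block too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(domain_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered block")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyManager:
    """Central key ownership: one independent random key per line of business."""
    def __init__(self, domains):
        self._keys = {d: secrets.token_bytes(32) for d in domains}

    def key_for(self, domain):
        return self._keys[domain]

class StorageGateway:
    """Between hosts and the pool: enforces policy, seals per domain, records every denial."""
    def __init__(self, key_manager, policy):
        self.km = key_manager
        self.policy = policy  # set of (group, domain) pairs allowed to read and write
        self.disk = {}        # path -> (domain, sealed block): what actually sits in the pool
        self.audit = []       # who tried to get at what, and was refused

    def _check(self, user, group, domain, path, op):
        if (group, domain) not in self.policy:
            self.audit.append({"user": user, "group": group, "op": op, "path": path, "domain": domain})
            raise PermissionError(f"{user} ({group}) may not {op} {path} [{domain}]")

    def write(self, user, group, domain, path, data):
        self._check(user, group, domain, path, "write")
        self.disk[path] = (domain, seal(self.km.key_for(domain), data))

    def read(self, user, group, path):
        domain, blob = self.disk[path]
        self._check(user, group, domain, path, "read")
        return unseal(self.km.key_for(domain), blob)

def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo():
    """Constructed scenario (hypothetical groups, paths, records): HR and marketing share one pool."""
    km = KeyManager(["hr", "marketing"])
    gw = StorageGateway(km, {("hr-staff", "hr"), ("marketing-staff", "marketing")})
    salaries = b"alice,185000\nbob,92000\n"
    gw.write("carol", "hr-staff", "hr", "/hr/salaries.csv", salaries)
    _, raw = gw.disk["/hr/salaries.csv"]
    tampered = raw[:NONCE_LEN] + bytes([raw[NONCE_LEN] ^ 1]) + raw[NONCE_LEN + 1:]
    return {
        "hr_reads_own": gw.read("carol", "hr-staff", "/hr/salaries.csv") == salaries,
        # marketing asks through the front door: refused, and the attempt is on record
        "marketing_denied": _raises(PermissionError, gw.read, "dave", "marketing-staff", "/hr/salaries.csv"),
        "denial_logged": gw.audit[-1]["user"] == "dave" and gw.audit[-1]["path"] == "/hr/salaries.csv",
        # raw blocks read behind the gateway (stolen disk, DR replica, spoofed name) are ciphertext
        "at_rest_garbled": salaries not in raw,
        # a leaked marketing key opens nothing in the HR domain
        "wrong_key_fails": _raises(ValueError, unseal, km.key_for("marketing"), raw),
        # a block altered in the pool is rejected before any plaintext leaves the gateway
        "tamper_detected": _raises(ValueError, unseal, km.key_for("hr"), tampered),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'ok' if ok else 'FAIL'}")
```

Run it and every check should report ok. The structure is the point, not the toy cipher: keys live in one place the corporation controls, the policy decision and the audit record happen at the gateway rather than in each application (transparency), a key for one line of business is useless against another's blocks, and a replica or a stolen spindle carries nothing readable. In a real deployment the keystream would be AES (GCM or XTS) from a vetted library and the key manager would sit behind an HSM.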
Seems like it should be easy enough (mockery). Only now are people starting to look at this problem, but I suggest you start looking soon. I advocate building an internal utility operation for IT, and clearly the ability to deliver these services securely is paramount. I only know of a few companies whose aim it is to solve these problems. Mangosoft, Westborough, MA, is someone who's been around for a while, and security is an offshoot of their core being, but they do offer some cool features/functions for that remote class of user. San Jose, CA-based Vormetric (formerly Sotera) is the only company I've seen that has a legitimate shot at solving the problem from a data center perspective.
In the end, someone is going to make a lot of money in storage security. I think this area could be explosive (no pun intended) as networked storage continues to take off. Ask your vendors what they have in mind to protect you and the corporate jewels - and if the answer is stupid, keep looking.
Now for something completely different...
Rhapsody announced a platform switch to which Veritas has ported its software. Veritas Volume Manager will run directly on the switch on a per-port basis, eliminating the need to run it at the host. Cool. I also love valley companies Z-force and Agile Storage. Both are nouveau NAS (network-attached storage) players that do things completely differently from the traditional methods. Finally, CreekPath, Longmont, CO, is gaining a ton of OEM attention, as they have one of the most complete enterprise storage management plays I've seen to date.