
Storage security is complex with no simple solution

Bits & Bytes: Expert Randy Kerns lists four security elements that should be considered when planning a storage security strategy.

Randy Kerns
Partner, the Evaluator Group
Randy Kerns is a partner at the Evaluator Group and is responsible for storage area network (SAN) and network-attached storage (NAS) analysis and education as well as company and product strategies. He has over twenty-eight years of storage product development experience, including work for IBM and Fujitsu, as Vice President of Engineering at the Array Technology subsidiary of Tandem Computers and as Director of Engineering for Enterprise Disk at Storage Technology Corporation.

There have been a few announcements recently that have included security enhancements. The typical security feature for a storage device addresses control of access to the device. In reality, there are multiple elements of storage security that need to be considered:

1. Access to the device -- making sure unauthorized or inadvertent access to data can't occur

2. Protection of data in transit -- ensuring that data moving across a network or interface can't be captured or modified

3. Data protection through encryption -- ensuring that even if the data is accessed, it can be meaningfully used only with the proper keys

4. Management access to a device -- controlling access to management tools, protecting the configuration, and other access controls

Storage systems usually provide some type of device access control through LUN management. LUN management includes functions such as LUN masking, where only a specific host interface (the World Wide Name of an HBA in a server, for example) can access particular devices through a specific port on the storage system, and the allegiance of a LUN to a server. Storage devices don't usually address protection of data in transit or encryption of data at rest. Control of management access is implemented on most storage systems.

Switches and directors have had additional protection capabilities added to them. The Brocade Secure Fabric OS, for example, has features that provide for "trusted switches" that are allowed to manage other switches, binding of HBA ports to switch ports to prevent WWN spoofing, digital certificate exchange using keys for switch-to-switch links, and restricted management access, among other standard security features.
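The two controls described above, LUN masking on the array and HBA-to-switch-port binding on the switch, are easiest to understand as two separate tables consulted in order. The following Go program is an added example, not code from the article, from Brocade or from any storage vendor; it models both tables in a few dozen lines with constructed WWNs and a made-up three-LUN configuration (`ServerA`, `ServerB`, `StoragePort1` and `NewDemoFabric` are all assumptions for the demonstration). It also shows why the switch-side binding matters: the array's masking table trusts whatever WWN it is presented with, so a server on another port that spoofs a neighbour's WWN would pass masking alone and is only stopped by the port binding.

```go
package main

import "fmt"

// WWN is the World Wide Name of an HBA port or storage port.
type WWN string

// Constructed sample identities for the demonstration (not real hardware).
const (
	ServerA      WWN = "10:00:00:00:c9:aa:aa:aa" // HBA in server A, cabled to switch port 1
	ServerB      WWN = "10:00:00:00:c9:bb:bb:bb" // HBA in server B, cabled to switch port 2
	StoragePort1 WWN = "50:06:01:60:00:00:00:01" // front-end port on the array
)

// Switch models port binding on a fabric switch: each physical port accepts a
// fabric login only from the HBA WWN the administrator bound to it.
type Switch struct {
	binding map[int]WWN // physical switch port -> bound HBA WWN
}

// Login rejects a login whose claimed WWN is not the one bound to the port. This is
// what stops a server on one port from spoofing the WWN of a server on another.
func (s *Switch) Login(port int, hba WWN) error {
	bound, ok := s.binding[port]
	if !ok {
		return fmt.Errorf("switch port %d is not enabled", port)
	}
	if bound != hba {
		return fmt.Errorf("switch port %d is bound to %s, login as %s rejected", port, bound, hba)
	}
	return nil
}

// Array models LUN masking on the storage system: per storage port, the set of
// LUNs each initiator WWN may address.
type Array struct {
	masking map[WWN]map[WWN]map[int]bool // storage port -> initiator WWN -> LUN -> allowed
}

// Access consults the masking table only; it trusts the initiator WWN it is given.
func (a *Array) Access(port, initiator WWN, lun int) error {
	initiators, ok := a.masking[port]
	if !ok {
		return fmt.Errorf("unknown storage port %s", port)
	}
	luns, ok := initiators[initiator]
	if !ok {
		return fmt.Errorf("initiator %s is not masked to any LUN on port %s", initiator, port)
	}
	if !luns[lun] {
		return fmt.Errorf("LUN %d is not presented to %s on port %s", lun, initiator, port)
	}
	return nil
}

// Request is one I/O attempt: the WWN the server presents, the switch port it is
// physically attached to, and the storage port and LUN it addresses.
type Request struct {
	HBA         WWN
	SwitchPort  int
	StoragePort WWN
	LUN         int
}

// Authorize applies both layers in order: the switch must accept the login before
// the array's masking table is consulted.
func Authorize(sw *Switch, arr *Array, r Request) error {
	if err := sw.Login(r.SwitchPort, r.HBA); err != nil {
		return fmt.Errorf("switch: %w", err)
	}
	if err := arr.Access(r.StoragePort, r.HBA, r.LUN); err != nil {
		return fmt.Errorf("array: %w", err)
	}
	return nil
}

// NewDemoFabric builds the constructed configuration: server A owns LUNs 0 and 1,
// server B owns LUN 2, and each HBA is bound to the port it is cabled to.
func NewDemoFabric() (*Switch, *Array) {
	sw := &Switch{binding: map[int]WWN{1: ServerA, 2: ServerB}}
	arr := &Array{masking: map[WWN]map[WWN]map[int]bool{
		StoragePort1: {
			ServerA: {0: true, 1: true},
			ServerB: {2: true},
		},
	}}
	return sw, arr
}

func main() {
	sw, arr := NewDemoFabric()
	reqs := []Request{
		{HBA: ServerA, SwitchPort: 1, StoragePort: StoragePort1, LUN: 0}, // legitimate
		{HBA: ServerA, SwitchPort: 1, StoragePort: StoragePort1, LUN: 2}, // server A reaching for B's LUN
		{HBA: ServerA, SwitchPort: 2, StoragePort: StoragePort1, LUN: 0}, // server B on port 2 spoofing A's WWN
	}
	for _, r := range reqs {
		fmt.Printf("%+v -> %v\n", r, Authorize(sw, arr, r))
	}
}
```

The third request is the instructive one: `arr.Access` alone accepts it, because the masking table has no way to know which physical port the WWN came from, and only the switch's binding turns it into a rejection. In a real fabric the same split holds, which is why the article treats the switch features and the array features as separate layers.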

Encrypting data is a very complex operational consideration. Who manages the keys, how they are exchanged and the degree of standardization between the different solutions can have a major impact on how business is done and how much administrative overhead is required. Doing encryption in the storage system has not, up to this point, been seen as the best solution. There are some start-up companies working toward encrypting devices (or appliances). Taking a step back and looking at the data access problem, the best place would seem to be the application level, which would solve both the data in transit and the data at rest problems. Since the application created the data and is the access point for it, it may be the best place to perform the encryption as well as the authentication and authorization for access.
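The claim that encrypting at the application level covers both data in transit and data at rest follows from where the key lives: if the application encrypts before the bytes leave it and holds the only copy of the key, everything the network, the switch and the array ever see is ciphertext. The Go program below is an added illustration of that arrangement, not code from the article or from any vendor product. It uses AES-256-GCM from the Go standard library, a constructed key (`DemoKey`), a constructed `Storage` type standing in for the array and the path to it, and an assumed record-naming scheme; it also shows the checks a practitioner would want on the read side, since authenticated encryption makes a flipped byte, a record copied to another name, or a read with the wrong key fail closed rather than return garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DemoKey is a constructed 32-byte AES-256 key for the demonstration only. In
// practice it would come from the application's key management, never from storage.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

// Storage models the storage system and the path to it: it keeps exactly the bytes
// it is handed, and anything with device access can read them back.
type Storage struct {
	records map[string][]byte
}

func NewStorage() *Storage { return &Storage{records: map[string][]byte{}} }

func (s *Storage) Write(name string, data []byte) { s.records[name] = append([]byte(nil), data...) }

// Read returns the stored slice itself, so editing the result models tampering on
// the device.
func (s *Storage) Read(name string) ([]byte, bool) {
	data, ok := s.records[name]
	return data, ok
}

// App is the application holding the key. Data is encrypted before it leaves the
// application, so both the copy in transit and the copy at rest are ciphertext.
type App struct {
	aead cipher.AEAD
}

func NewApp(key []byte) (*App, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &App{aead: aead}, nil
}

// Store writes nonce || ciphertext || tag. The record name is bound in as associated
// data, so a ciphertext copied to a different record name will not open.
func (a *App) Store(s *Storage, name string, plaintext []byte) error {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.Write(name, a.aead.Seal(nonce, nonce, plaintext, []byte(name)))
	return nil
}

// Load reads a record back and fails closed on a wrong key, a modified byte or a
// record that was moved between names.
func (a *App) Load(s *Storage, name string) ([]byte, error) {
	record, ok := s.Read(name)
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := a.aead.NonceSize()
	if len(record) < ns+a.aead.Overhead() {
		return nil, errors.New("record too short to be a valid ciphertext")
	}
	return a.aead.Open(nil, record[:ns], record[ns:], []byte(name))
}

func main() {
	store := NewStorage()
	app, _ := NewApp(DemoKey)
	_ = app.Store(store, "customer-1", []byte("ACCOUNT=4111-1111-1111-1111"))
	raw, _ := store.Read("customer-1")
	fmt.Printf("what the array holds: %x\n", raw)
	raw[len(raw)-1] ^= 1 // a single byte modified on the device
	_, err := app.Load(store, "customer-1")
	fmt.Println("read after tampering:", err)
}
```

What this does not solve is exactly what the paragraph warns about: the key has to be generated, distributed, rotated and backed up by someone, and a second application that needs the same data needs the same key. Moving encryption into the application removes the storage system from the trust boundary but moves the key management burden onto the application owners.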

All of the security announcements show improvements in control of access to storage devices. None really address data in transit. The point is that security is not a single solution, and not a purely technology-based one. It has to be a layered set of protections that are part of an overall storage strategy. Security is strategic and needs to be planned and administered by people who have the responsibility and the resources. Only a comprehensive solution will work. The features on the products will be part of that solution, but only a part. Without a comprehensive plan, they can't be used effectively.
