Think Tank Bemoans Sad State Of Storage Security

Storage system security is getting little attention on many levels, according to a recent report from research firm The451
Storage system security is getting short shrift by everyone from vendors to users, research firm The451 stated in a recently released report. And that's definitely not a good thing.

Most large organizations have at least one Fibre Channel-based storage area network (SAN) in their main data center, The451 report said. As attention shifts to IP-based technologies for transporting critical data, storage security is becoming an increasingly crucial component of a company's overall security framework.

Additionally, according to the "Storage Security Market: Emerging Opportunities, Unseen Threats" report, calls by consumer groups and lawmakers to ensure data privacy have put even more pressure on companies to keep storage systems safe from outside threats and unscrupulous employees.

"This growing requirement will force more organizations to take security more seriously," wrote the report's authors, analysts Simon Robinson and Rob Deane. "But this will not happen quickly or easily."

Part of the problem, said Robinson, is that administrators wonder why security specific to storage is even necessary. "I've just spent a tidy sum protecting my overall organization," Robinson said, "so why do I need security for only storage?"

The answer comes in two parts. First, the sheer size and scale of a SAN can create topologies in which a fault in the fabric design triggers the equivalent of a denial-of-service attack: in a storage system with multiple core switches, many edge switches, and a hundred or more storage servers, a single design flaw can leave applications unable to reach their data.

Second, the move to route storage traffic over less-expensive IP networks opens up a new can of worms. "Storage is increasingly being exposed to the Internet," Robinson said. "Such things as iSCSI and other standards offer companies greater efficiencies by linking disparate SAN islands, but there's a potential vulnerability there."

Even SAN management tools, which typically run on the ordinary IP network rather than inside the storage fabric but accumulate metadata about the SAN's configuration and operation, can expose data to outsiders, Robinson said.

More problems arise because of the way security and storage are administered in most enterprises. "In the past, security administrators have kind of assumed that storage is safe, even while the storage administrator knows that it's not," Robinson said.

Companies can take steps to ensure that their data, including that outside the perimeter of the normal network, is secure. "There needs to be a storage security policy," said Robinson, "that integrates with the overall security plan." That means security and storage administrators--who in many companies are in two different departments--must put their heads together and communicate.

Companies should classify their data and decide which portion is mission critical and must be protected, Robinson recommended, so that protection can be layered according to the value of the data. And any storage security plan must take into account all the pieces and parts of the SAN, from host bus adapters and switches to the storage arrays themselves. "Don't assume [the SAN] is safe just because it's sitting behind a secure perimeter," Robinson urged.

Plugging security holes isn't solely a matter of coming up with a coherent security plan, but also requires that enterprises deploy security software and secure SAN hardware. And that's another rub for the enterprise.

"Storage system security is in a classic early stage market mode," said Robinson. "Startups do have products out there, but those products are in their first generation. And the big guys don't seem to be on board at all."

Both in his report and in a follow-up interview, Robinson urged enterprise IT managers to carefully evaluate the players in the storage system security market before committing to a purchase.

Among his recommendations:

* Demand reference sites from startups and smaller vendors that can demonstrate the ability of their products to integrate with existing storage systems.

* Steer toward vendors whose products offer interoperability. "Ask about the standards their products follow," Robinson said. IT managers and executives should keep close tabs on the emerging storage security standards (including those in development by the Storage Networking Industry Association) and give preference to vendors that support them.

* Check out the viability of any startup and investigate the partnerships vendors have formed, or will form.

* Evaluate the ease of use and ease of installation of any security product for the storage infrastructure. "There's no point in doing this if it makes your environment more complex than it already is," Robinson said.

Of the vendors that The451 report spotlighted, several were singled out as heading in the right direction on storage security. Robinson's report identified Ingrian Networks and NeoScale among startups, Brocade Communications in the storage networking market, Hitachi Data Systems among storage system sellers, and Computer Associates on the software side as security leaders in their respective areas.