Opinion: What has happened to storage security?
Beyond the SAN, there has been limited awareness of storage-related security threats
It would be an overstatement to suggest that the state of storage security has declined in the past year, but it's fair to say that it's lost some momentum. While everyone on the planet is now aware of privacy concerns and specifically the widely publicized risk of off-site tape loss, only a relatively small number of companies have acted to mitigate the situation.
Certainly there have been technology advances, including the availability of tape drive encryption (e.g., LTO-4, IBM TS1130, STK T10000), tape library encryption (e.g., SpectraLogic), and, to a more limited extent, key management enhancements to backup products (e.g., IBM TSM, Symantec NetBackup). We've also seen progress on the standardization front with the adoption of the disk and tape encryption sections of IEEE P1619. So, given that solutions are available, what's preventing broader adoption?
To some degree, the problem relates to organizational, policy, and process limitations. Storage and security have traditionally been disparate functional silos within IT, and have typically had limited interaction except when a high-visibility event, such as the loss of a tape, occurs. While security provides comprehensive oversight of networks and endpoints, the storage environment, and particularly the SAN, operates with much autonomy. The perception is that SANs, primarily based on Fibre Channel rather than TCP/IP, are inherently more secure -- what some have termed "security by obscurity". As a result, security audits of storage infrastructure and operations focusing on SAN security and related internal threats tend to be the exception.
Beyond the SAN, there has been limited awareness of storage-related security threats. How many security groups really appreciate the fact that the backup application is "all powerful," touching every piece of information within the infrastructure? Are there any role-based restrictions, or audits of who accesses this information?
Given the emphasis on external data loss, organizations have struggled with the challenge of establishing an effective and reliable key management capability. In fact, some have chosen to head in a completely different direction, seeking to address their off-site data problem not through encryption but instead by simply eliminating the need for third-party services that provide off-site data storage. Technologies such as de-duplication and WAN optimization systems, as well as the increasing affordability of broadband pipes, are causing some to move to backup data replication strategies, thereby sidestepping the off-site problem. For organizations with multiple data centers, this option is becoming increasingly feasible.
In the meantime, others seem either to have decided that they can live with the risk of off-site data loss or to be maintaining a wait-and-see attitude, hoping for further key management and encryption advances.