
Opinion: What has happened to storage security?

Beyond the SAN, there has been limited awareness of storage-related security threats

By Jim Damoulakis
November 17, 2008 12:00 PM ET

It would be an overstatement to suggest that the state of storage security has declined in the past year, but it's fair to say that it's lost some momentum. While everyone on the planet is now aware of privacy concerns and specifically the widely publicized risk of off-site tape loss, only a relatively small number of companies have acted to mitigate the situation.

Certainly there have been technology advances, including the availability of tape drive encryption (e.g., LTO-4, IBM TS1130, STK T10000), tape library encryption (e.g., SpectraLogic), and, to a more limited extent, key management enhancements to backup products (e.g., IBM TSM, Symantec NetBackup). We've also seen progress on the standardization front with the adoption of the disk and tape encryption sections of IEEE P1619. So, given that solutions are available, what's preventing broader adoption?

To some degree, the problem relates to organizational, policy, and process limitations. Storage and security have traditionally been disparate functional silos within IT, and have typically had limited interaction except when a high-visibility event, such as the loss of a tape, occurs. While security provides comprehensive oversight of networks and endpoints, the storage environment, and particularly the SAN, operates with much autonomy. The perception is that SANs, primarily based on Fibre Channel rather than TCP/IP, are inherently more secure -- what some have termed "security by obscurity." As a result, security audits of storage infrastructure and operations focusing on SAN security and related internal threats tend to be the exception.

Beyond the SAN, there has been limited awareness of storage-related security threats. How many security groups really appreciate the fact that the backup application is "all powerful," touching every piece of information within the infrastructure? Are there any role-based restrictions, or audits of who accesses this information?

Given the emphasis on external data loss, organizations have struggled with the challenge of establishing an effective and reliable key management capability. In fact, some have chosen to head in a completely different direction, seeking to address their off-site data problem not through encryption but instead by simply eliminating the need for third-party off-site data storage services. Technologies such as de-duplication and WAN optimization systems, as well as the increasing affordability of broadband pipes, are causing some to move to backup data replication strategies, thereby sidestepping the off-site problem. For organizations with multiple data centers, this option is becoming increasingly feasible.

In the meantime, others seem either to have decided that they can live with the risk of off-site data loss or to be maintaining a wait-and-see attitude, hoping for further key management and encryption advances.

Jim Damoulakis is chief technology officer at GlassHouse Technologies Inc., a leading provider of independent storage services. He can be reached at
