Opinion: What has happened to storage security?
Beyond the SAN, there has been limited awareness of storage-related security threats
It would be an overstatement to suggest that the state of storage security has declined in the past year, but it's fair to say that it's lost some momentum. While everyone on the planet is now aware of privacy concerns and specifically the widely publicized risk of off-site tape loss, only a relatively small number of companies have acted to mitigate the situation.
Certainly there have been technology advances, including the availability of tape drive encryption (e.g. LTO-4, IBM TS1130, STK T10000), tape library encryption (e.g., SpectraLogic), and, to a more limited extent, key management enhancements to backup products (e.g., IBM TSM, Symantec NetBackup). We've also seen progress on the standardization front with the adoption of the disk and tape encryption sections of IEEE P1619. So, given that solutions are available, what's preventing broader adoption?
To some degree, the problem relates to organizational, policy, and process limitations. Storage and security have traditionally been disparate functional silos within IT, and have typically had limited interaction except when a high-visibility event, such as the loss of a tape, occurs. While security provides comprehensive oversight of networks and endpoints, the storage environment, and particularly the SAN, operates with much autonomy. The perception is that SANs, primarily based on Fibre Channel, rather than TCP/IP, are inherently more secure -- what some have termed "security by obscurity ". As a result, security audits of storage infrastructure and operations focusing on SAN security and related internal threats tend to be the exception.
Beyond the SAN, there has been limited awareness of storage-related security threats. How many security groups really appreciate the fact that the backup application is "all powerful" touching every piece of information within the infrastructure? Are there any role-based restrictions, or audits of who accesses this information?
Given the emphasis on external data loss, organizations have struggled with the challenge of establishing an effective and reliable key management capability. In fact, some have chosen to head in a completely different direction, seeking to address their off-site data problem not through encryption but instead by simply eliminating the need for third-party services that off-site data storage. Technologies such as de-duplication and WAN optimization systems, as well as the increasing affordability of broadband pipes, are causing some to move to backup data replication strategies, thereby sidestepping the off-site problem. For organizations with multiple data centers, this option is becoming increasingly feasible.
In the meantime, others seem to have decided either that they can live with the risk of off-site data loss or are maintaining a wait-and-see attitude, hoping for further key management and encryption advances.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!