Opinion: What has happened to storage security?
Beyond the SAN, there has been limited awareness of storage-related security threats
It would be an overstatement to suggest that the state of storage security has declined in the past year, but it's fair to say that it's lost some momentum. While everyone on the planet is now aware of privacy concerns and specifically the widely publicized risk of off-site tape loss, only a relatively small number of companies have acted to mitigate the situation.
Certainly there have been technology advances, including the availability of tape drive encryption (e.g., LTO-4, IBM TS1130, STK T10000), tape library encryption (e.g., SpectraLogic), and, to a more limited extent, key management enhancements to backup products (e.g., IBM TSM, Symantec NetBackup). We've also seen progress on the standardization front with the adoption of the disk and tape encryption sections of IEEE P1619. So, given that solutions are available, what's preventing broader adoption?
To some degree, the problem relates to organizational, policy, and process limitations. Storage and security have traditionally been disparate functional silos within IT, and have typically had limited interaction except when a high-visibility event, such as the loss of a tape, occurs. While security provides comprehensive oversight of networks and endpoints, the storage environment, and particularly the SAN, operates with much autonomy. The perception is that SANs, primarily based on Fibre Channel rather than TCP/IP, are inherently more secure -- what some have termed "security by obscurity." As a result, security audits of storage infrastructure and operations focusing on SAN security and related internal threats tend to be the exception.
Beyond the SAN, there has been limited awareness of storage-related security threats. How many security groups really appreciate the fact that the backup application is "all powerful," touching every piece of information within the infrastructure? Are there any role-based restrictions, or audits of who accesses this information?
Given the emphasis on external data loss, organizations have struggled with the challenge of establishing an effective and reliable key management capability. In fact, some have chosen to head in a completely different direction, seeking to address their off-site data problem not through encryption but instead by simply eliminating the need for third-party off-site data storage services. Technologies such as de-duplication and WAN optimization systems, as well as the increasing affordability of broadband pipes, are causing some to move to backup data replication strategies, thereby sidestepping the off-site problem. For organizations with multiple data centers, this option is becoming increasingly feasible.
In the meantime, others seem either to have decided that they can live with the risk of off-site data loss or to be maintaining a wait-and-see attitude, hoping for further key management and encryption advances.