Opinion: What has happened to storage security?
Beyond the SAN, there has been limited awareness of storage-related security threats
It would be an overstatement to suggest that the state of storage security has declined in the past year, but it's fair to say that it's lost some momentum. While everyone on the planet is now aware of privacy concerns and specifically the widely publicized risk of off-site tape loss, only a relatively small number of companies have acted to mitigate the situation.
Certainly there have been technology advances, including the availability of tape drive encryption (e.g. LTO-4, IBM TS1130, STK T10000), tape library encryption (e.g., SpectraLogic), and, to a more limited extent, key management enhancements to backup products (e.g., IBM TSM, Symantec NetBackup). We've also seen progress on the standardization front with the adoption of the disk and tape encryption sections of IEEE P1619. So, given that solutions are available, what's preventing broader adoption?
To some degree, the problem relates to organizational, policy, and process limitations. Storage and security have traditionally been disparate functional silos within IT, and have typically had limited interaction except when a high-visibility event, such as the loss of a tape, occurs. While security provides comprehensive oversight of networks and endpoints, the storage environment, and particularly the SAN, operates with much autonomy. The perception is that SANs, primarily based on Fibre Channel, rather than TCP/IP, are inherently more secure -- what some have termed "security by obscurity ". As a result, security audits of storage infrastructure and operations focusing on SAN security and related internal threats tend to be the exception.
Beyond the SAN, there has been limited awareness of storage-related security threats. How many security groups really appreciate the fact that the backup application is "all powerful" touching every piece of information within the infrastructure? Are there any role-based restrictions, or audits of who accesses this information?
Given the emphasis on external data loss, organizations have struggled with the challenge of establishing an effective and reliable key management capability. In fact, some have chosen to head in a completely different direction, seeking to address their off-site data problem not through encryption but instead by simply eliminating the need for third-party services that off-site data storage. Technologies such as de-duplication and WAN optimization systems, as well as the increasing affordability of broadband pipes, are causing some to move to backup data replication strategies, thereby sidestepping the off-site problem. For organizations with multiple data centers, this option is becoming increasingly feasible.
In the meantime, others seem to have decided either that they can live with the risk of off-site data loss or are maintaining a wait-and-see attitude, hoping for further key management and encryption advances.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!