After several years of hearing about security breaches that have rocked the corporate world, storage vendors are just beginning to realize that preventing disaster means applying security measures to the storage infrastructure as well as the rest of the network.
One major factor turning the spotlight onto storage security is greater awareness and persistence by customers, who have seen the results of high-profile security breaches at companies like Bank of America, Ameritrade Inc. and ChoicePoint Inc., and who want to avoid similar fiascos at their organizations.
“Companies are being exposed, and it’s showing that there isn’t good enough protection in place,” said Dore Rosenblum, vice president of marketing at NeoScale Systems Inc., a vendor of enterprise storage security solutions for networked and distributed storage in Milpitas, Calif.
Advances in storage technology have actually increased the security problem, Rosenblum said.
“Organizations have taken smaller pools of storage that lived as direct-attached and jammed them into one big basket of networked storage. So if anyone gets through your 100T storage array, you lose everything,” he said.
Aware of these issues, IT managers at larger companies have begun taking storage security to heart, starting, at the very least, to encrypt their backup tapes, but much more has to be done—especially by storage vendors themselves, said Kevin Brown, vice president of marketing at Decru Inc., a storage security vendor in Redwood City, Calif.
Addressing the issue isn’t rocket science, and the technology to do so exists today, experts say.
“You just have to follow what other industries do in terms of security, like application security development or network security,” said Himanshu Dwivedi, a principal partner at iSec Partners LLC, a digital security consulting firm based in San Francisco. “Follow a good form of authentication that’s trusted, make sure the right authorization is in place, and consider some type of encryption if your data will be in the hands of any third party.”
But none of these methods alone—especially storage encryption—is a silver bullet, said Arthur B. Edmonds Jr., chief security officer of Second Star Group, a network storage security consulting firm in Piedmont, Calif.
“Many feel the panacea is to encrypt everything, but that’s not practical or always necessary. It can give you a false sense of security,” he said.
Before implementing any storage security scheme, understand and measure your risk, Dwivedi said.
“Know what you’re storing on your storage devices, and what will happen to your data if it’s compromised,” he said. “Once you assess the risk and understand how large it is, you can start taking security actions to mitigate your issues.”
But common sense may be the most important first step, Edmonds said.
“When a company puts a security policy-and-procedures document into place, users all the way up to the executive staff should follow it—things like stronger password control and a two- or three-factor authentication,” he said.
Storage vendors are making headway in solving the storage security puzzle by understanding the importance of end-to-end security and a provable audit process. Before long, many will offer security features on every storage product sold, from switches to storage controllers, Brown said.
“They will work toward bundling it all into a solution, much like cars,” he said. “When the Model T came out, it didn’t have locks or alarms, and today you can’t buy a car without those things. Storage vendors will do the same thing—essentially sell us a lock and alarm system on top of a storage device.”