Protecting Stored Data: The SAN Dilemma

Data security has become a far more complex proposition than it was a few years ago, thanks to the rise of storage area networks, or SANs. These networks allow users to store information anywhere within an enterprise and access it from any point as well, rather than tying storage to specific servers. Although such a model boosts storage efficiency, it also raises questions about the security of sensitive data that is accessed over a network.

Fortunately, companies in the storage vendor community are aware of this potential problem, and new technologies and strategies are becoming available to help CIOs maintain the integrity of corporate information. In fact, increased attention to data storage security reflects a wider trend toward a greater focus on security. The overall security market, including hardware, software and services, is expected to total more than US$45 billion by 2006, compared with $17 billion two years ago, according to research firm IDC.

Today, no standards exist for incorporating security technology directly into SAN devices, industry experts said. However, the American National Standards Institute (ANSI) has accepted submissions and is putting together a draft standard, according to Art Edmonds (*correction), senior director in the Office of the CTO at Hitachi Data Systems. Implementations will begin in 2004, he said.

“Hitachi’s end goal is to be as secure as possible from a SANs perspective,” Edmonds told the E-Commerce Times. “We want to influence our partners to be as secure as possible when it comes to intellectual property.”

In addition, he said, HDS and its partners in ANSI are striving to make SAN security low-cost and easy to use, and vendors are educating customers about the need to focus on five areas: authentication, authorization, auditing, integrity and confidentiality. “My focus has been on the management interface,” Edmonds said, noting that this component of data storage systems represents the biggest threat to security.

New Approach

Startups, such as Milpitas, California-based NeoScale, also are addressing this vast market. The company develops appliances for SANs, including tape and virtual-tape storage. “We’re not running around and saying the sky is falling and SANs are insecure, but risk is inherent in any system,” NeoScale vice president of marketing Scott Gordon told the E-Commerce Times. “If you have a small SAN and closed doors, there’s not much risk there. [But] we don’t see many SANs that way.”

Many organizations already secure the host, according to Gordon. “We believe the back end is where people want to add protection,” he said. “When we talk to customers, they don’t want a FUD pitch. They want to be told about applications, not technology.”

On the Money

Although enterprises may not be able to purchase SAN solutions with embedded security technology at present, they can use existing security solutions — such as firewalls and encryption — to help safeguard sensitive data from internal and external threats.

“[Enterprises] can make sure their own existing security infrastructure … is secure and [that] their people know what they’re doing,” Edmonds said. “The SANs are not quite there yet, but we’re all pushing to make sure it happens sooner rather than later. Customers are asking for end-to-end security. The entire path has to be protected.”

Steinbach Credit Union, for example, depends on a Novell solution to secure financial information about its more than 53,000 members, who have total assets of more than $932 million, according to Lloyd Dueck, IT manager at the Manitoba, Canada-based credit union. When it came time to choose a SAN system, security “was extremely important,” he said. “Because we’re a financial institution, we have to abide by the laws of Canada to keep the information we have confidential.”

To achieve that goal, the credit union invested in a system that incorporates traditional firewall and encryption technology, Dueck told the E-Commerce Times.

“Novell has got a very secure network system and operating system. We use them as our standard. Our system has never been jeopardized,” he said. “We’ve had people try to break in, but they’ve not been successful.”

Internal Restructuring

One problem corporations often face is organizational, said Simon Robinson, analyst and head of the systems and storage practice at New York-based the451, an analysis firm that covers the business of emerging information technologies. In many cases, he told the E-Commerce Times, “security guys assumed the storage was safe, whereas the storage guys knew there were problems. [Companies must] have a clear policy in terms of who’s looking after each area of the network and absolutely enforcing that.”

Another challenge enterprises can encounter is vendor-related. Many traditional storage and security companies have not developed a clear strategy for safeguarding data, according to “Storage Security Market: Emerging Opportunities, Unseen Threats,” a report published in May by the451.

“[We] believe this will be an increasing problem companies will face going forward,” Robinson said.

On the Road

Although many SANs begin life within the data center of a company’s headquarters, they frequently expand to remote sites and require remote access.

Robinson said companies must secure two different types of data when locking down a SAN: “data at rest and data in transit.” Businesses cannot assume a firewall will protect their data from disgruntled employees, he noted, so they should ensure that confidential or proprietary information housed in a SAN is encrypted.

In addition, wireless connectivity places further strain on an enterprise’s overall security strategy, including the well-being of data housed in a SAN, said Edmonds.

Rules and Regulations

Not surprisingly, many organizations that have experienced SAN security breaches are unwilling to publicly disclose or discuss this fact. However, companies with customers in California will have to change their ways. On July 1st, California enacted S.B. 1386. Under this law, all organizations or individuals that conduct business online in the state and own or license computerized data must report security breaches to any California customers whose personal information has been compromised.

Even in states or countries without such laws, it is still sound business practice for enterprises to safeguard the invaluable data stored in their SANs. In doing so, they are protecting not only themselves, but also their clients, partners and reputations.

*Editor’s Correction Note: In the original version of this article, we incorrectly referred to the senior director in the Office of the CTO at Hitachi Data Systems as Art Gorman. In fact, his name is Art Edmonds.

More by Alison Diana