As the E-Commerce Times detailed in a recent story on data storage, the last few years have seen a significant revolution toward networked storage and away from disk drives and tape loaders attached directly to corporate servers. In fact, research firm IDC has estimated that by 2006, more than 70 percent of storage will be networked via fibre channel or Ethernet, rather than attached locally to a server via SCSI or another conventional type of disk connection.
But the vendors making this shift to networked storage possible — EMC, Veritas and IBM, among others — so far have done little to ensure that stored data will be protected from the threats that often beset networks. In fact, most out-of-the-box storage area network (SAN) and network-attached storage (NAS) products currently offer few or no security mechanisms. When we asked several well-known vendors about their provisions for security of stored data, their collective response was, essentially, “We don’t really handle the security part.”
Stepping into the breach, startups have begun to provide encryption and authentication appliances that can be installed at various points within a SAN, rather than being tied to particular servers or disk arrays. These vendors’ first steps suggest that data storage security could evolve as its own industry, apart from storage networking proper.
What Is It Good For?
Despite a lack of large vendor focus on the issue, security has emerged as a concern as networks have eliminated the physical security once imposed by traditional direct-attached storage. SCSI technology limited access by creating small islands of servers and disk drives. With storage networks, those limitations on who can access data have vanished.
“There are all sorts of things that can be done when storage is networked, as opposed to being a local peripheral,” said Dan Tanner, formerly director of storage networking at Aberdeen Group and now a private consultant on storage. “People can spy on what you’ve got remotely, or rewrite the contents of a disk maliciously, without your ever knowing it.”
As such, storage security is less about viruses and worms — the typical culprits in corporate security breaches — and more about protecting large amounts of data from unauthorized access as it travels across a network.
Just Like a Firewall
An important distinction also must be made between primary and secondary storage in a data network. Primary storage holds live production data that is updated throughout the day by employees and customers as transactions occur. Secondary storage, such as tape drives or slow, inexpensive disks, is used for backup and archiving of older data.
Scott Gordon, head of marketing at startup Neoscale Systems, told the E-Commerce Times that primary and secondary storage applications should be kept distinct because “you don’t want to introduce a new piece of equipment into the primary storage of your production network just to protect secondary, archival storage.” He noted, of course, that Neoscale sells security appliances for both types of storage.
The company’s Cryptostor FC (short for “fibre channel”) is used for primary storage. Its main job is to reside between the server requesting data on behalf of a user and the disk from which that data is pulled, encrypting data and acting as a firewall to prevent or permit access by individuals to specific pieces of data.
In contrast, the company’s secondary storage product, Cryptostor Tape, compresses data before it encrypts it and then uses authentication to validate requests from the tape. Both devices can be placed at various points within a SAN, and pricing starts at US$35,000.
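The compress-before-encrypt ordering described for the tape product, as an added example that is not part of the article and not Neoscale's code: it measures what happens to archive data in each order and shows why the reverse order gains nothing. The SHA-256 counter-mode keystream stands in for AES, and the key, nonce and backup records are constructed for the demo.

```python
# Added example: why a tape-encryption appliance compresses BEFORE it encrypts.
# Sound ciphertext is indistinguishable from random bytes, so it will not compress.
import hashlib
import zlib

# Constructed demo key and per-tape nonce; not real credentials.
KEY = hashlib.sha256(b"constructed demo key").digest()
NONCE = b"tape-0001"

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 run in counter mode, XORed over the data.
    Illustrative only; a shipping appliance would use AES here."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)

def compress_then_encrypt(data: bytes) -> bytes:
    """The order the article attributes to Cryptostor Tape."""
    return keystream_xor(KEY, NONCE, zlib.compress(data, 9))

def decrypt_then_decompress(blob: bytes) -> bytes:
    """Restore path: undo the two steps in reverse order."""
    return zlib.decompress(keystream_xor(KEY, NONCE, blob))

def encrypt_then_compress(data: bytes) -> bytes:
    """The wrong order, kept only so its cost can be measured."""
    return zlib.compress(keystream_xor(KEY, NONCE, data), 9)

def sample_backup_records(n: int = 500) -> bytes:
    """Constructed, highly repetitive records typical of an archive stream."""
    return b"".join(
        b"2002-10-07 02:%02d:%02d backup job 42 wrote /data/record_%06d.dat OK\n"
        % (i // 60, i % 60, i) for i in range(n))

def compare_sizes(data: bytes) -> dict:
    """Byte counts of the plaintext and of both processing orders."""
    return {
        "plain": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data)),
        "encrypt_then_compress": len(encrypt_then_compress(data)),
    }
```

Running `compare_sizes(sample_backup_records())` shows the compress-then-encrypt output at a fraction of the plaintext size, while encrypt-then-compress comes out no smaller than the plaintext.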
Salad Bar of Security
Neoscale is not the only security appliance vendor targeting the enterprise market. Decru of Redwood City, California, sells the DataFort, which performs 256-bit encryption based on the AES algorithm and ties into Microsoft’s Active Directory and other authentication means to authorize data fetches. Venture-backed Vormetric of San Jose, which began life last January as Sotera Networks and is still in stealth mode, reportedly will release a similar product in the future. Other stealth-mode outfits include Orano and Permabit, the latter of which reveals only that it has been contributing to the open-source BEEP standard for network protocols as part of its work on storage software.
Galen Schreck, an analyst on the infrastructure and telecom team at Forrester Research, said that while new companies and their products have yet to prove themselves, they are a welcome alternative to what has come down the pike so far. “All the other security approaches have been proprietary,” he told the E-Commerce Times. “This is the first approach to use standard technology.”
To illustrate his point, Schreck contrasted the Neoscale, Vormetric and Decru boxes with two other approaches: LUN-masking, or storage-based zoning, in which access to logical drives is limited to particular Web servers; and HBA-based authentication, in which requests for data are checked against the host bus adapter of a server — the piece of hardware on the motherboard or PCI bus that connects the server to the fibre channel network. He explained that these two technologies ship as part of a server or disk array, not as security components that can be deployed throughout a storage network.
There is some indication that SAN equipment providers are starting to wake up to the issue of security. Brocade, the leading vendor of fibre channel switch hardware, on Monday introduced new features for the operating system that runs its switches, including public key infrastructure for authentication and encryption of digital signatures. Analysts suggest the company may be trying to head off a flood of security products that will hit the storage market once the iSCSI protocol makes it possible to run storage networks over the Internet Protocol (IP) instead of fibre channel.
Right now, though, rapid proliferation of networked storage has left storage vendors — and their enterprise customers — largely unprepared to deal with threats to data moving across a wire. “The storage companies have all been coming from different backgrounds,” Tanner said. “EMC has been focused on the storage array. Veritas focused on managing storage on the host. NetApp focused on files exclusively. If you put security on the array or the host, or at a file level, you can’t see the security issues that arise in between, in the network.”
For that reason, storage security will probably continue to evolve as its own specialty as networking worms its way deeper into the data storage world. It also will remain a pressing concern, so enterprises would do well to get up to speed, even if their main storage vendor has not yet done so.