Storage Vendors Grapple With Security
Ever since Symantec entered the world of storage with the acquisition of backup king Veritas, storage vendors have been casting an uneasy eye upon the distant shores of security. How should they approach this thorny subject? Should they evolve more comprehensive products that address all security concerns? Should they charge more for such features, or will customers expect them free as part of the cost of doing business?
"Symantec's strategy is to marry up storage and security," says Natalie Lambert, an analyst with Forrester Research. "Symantec believes that with the Veritas acquisition, they are now 'closest to the data,' and they want to be the vendor to protect that data. So their solutions are really beginning to cater to this market."
And the user community has been quick on the uptake. Many have realized that storage needs to be protected (a point driven home in the last 18 months by numerous lost data tapes and other data security breaches), and this means securing the storage infrastructure and the data. In terms of infrastructure, this means addressing vulnerabilities and configuring storage in a secure manner. In terms of data, the easiest thing to do is encrypt, but this is only a layer in a true defense-in-depth security architecture. Data security also means classification first, then assigning protection schemes to each class.
Enterprise Strategy Group senior analyst Jon Oltsik says an executive at one of the big storage companies put it best. One of his largest customers said, "We gave you guys a free pass on security forever, but that free pass has expired."
"In other words, storage equipment must come equipped with security protection or it won't be considered," says Oltsik. "Security is now a cost of doing business."
EMC Gets Religion
EMC, for one, recently unveiled an elaborate security strategy. Rob Sadowski, senior manager for product marketing and information security at EMC, admits that customer demand was a major driver for the announcement.
"Companies are starting to realize that what they consider to be their greatest asset, their information, can also be a tremendous liability," says Sadowski. "In the U.S. alone, more than 55 million pieces of sensitive information were lost or compromised last year, and less than one in five companies feel that all their confidential data is adequately protected."
He characterizes this as a security wave that is sweeping over storage, a natural consequence of it having swept across the networking, operating system and database markets in recent years. As an industry, he says, storage has an obligation to make sure its products are "good security citizens": that they aren't a potential source of vulnerabilities and that they fit in and can work with all of the security safeguards that companies have already deployed.
He is strongly of the opinion that users don't want to buy a box to secure a box, since that gives them more boxes to buy, manage and secure. Companies don't want security from a new third party, he claims; they want it built in to what they already have. Obviously, then, EMC has no plans to release encryption appliances based on the model of Decru, a company acquired by rival NetApp last year. Once EMC fully integrates encryption technology into its product line, it could pose a challenge for storage security vendors such as Vormetric and NeoScale.
Sadowski also touts the value of EMC's Documentum Digital Rights Management software. This can be used to protect many types of unstructured content, from documents, to images, to files, to e-mails. It leverages a single policy engine to apply use rights and restrictions across all those content types, and works both inside and outside the firewall.
Other Vendors Step Up
EMC is far from alone in responding to the security threat. Sun Microsystems' storage security strategy is to help customers take a holistic, systems view and enable them to protect data at three key points in its lifecycle: at creation, in transit and at rest on a device.
"Sun is helping customers address how, and by whom, data is accessed across its lifecycle," says Nigel Dessau, vice president for tape in Sun's Storage Group. "The challenge today is not how to simply capture, store and retrieve data, but how to architect it as a shared and protected resource across complex network computing environments to effectively solve problems of cost, complexity, risk and compliance."
Sun is responding via a range of higher security storage products. The Solaris 10 OS, for instance, combines performance and security via Solaris Containers, Process/User Rights Management, and the Solaris Cryptographic Framework. UltraSPARC T1 processors have public key encryption (RSA/DSA cryptographic engines) built in. And the Sun Cryptographic Accelerator 6000 card provides a secure, tamper-resistant key store (resistant to physical and software-based attacks).
"We've integrated our identity management software into the Sun StorageTek Enterprise Storage Manager software, making it easier and faster for organizations to securely access and manage their data," says Dessau. "Later this year, we will deliver the first device-level encryption in the Sun StorageTek T10000 tape drive, and a key management suite that protects your data on tape against theft and fraud."
MaXXan, meanwhile, has released CipherMax, a storage security solution based on its MXV line of Secure Storage Application Platforms (SSAPs). CipherMax comprises an ILC1612 Intelligent Line Card with integrated, hardware-based cryptographic acceleration, and a security administration interface for both MaXXan SANCruiser SAN Management System and the CLI-based MXV management. By integrating high-speed encryption into a centralized platform for running storage applications, CipherMax allows enterprise users to scale the deployment of encryption services throughout a widespread, multi-tiered storage environment.
"Users can look forward to an increased integration of security functions at various locations within the SAN," says Greg Farris, vice president of marketing at MaXXan. "Depending on the threat model they are trying to address, as well as requirements for performance, scalability and reliability, users will be able to deploy security functions at the host, fabric or storage device levels. For organizations where performance, scalability and transparency are paramount, we believe that users will choose fabric-level encryption."
Another company with a strong storage security portfolio is CA. While Symantec and EMC have been garnering all the headlines in recent months, CA has had enterprise-class security, storage and backup products for years, and it is probably ahead of everyone else in terms of integration. BrightStor SRM, for example, is tightly integrated with corporate IT security infrastructures. Such integration is key to quickly understanding who owns the data, whether it is being used and how often. With this information, you can define tiers of data based not only on business value but also on security requirements. Once the tiers are defined, you can make sure the data is placed on the appropriate tier of storage with the right security to meet the ever-changing needs of the business.
"CA is enhancing security throughout our complete product line," says Eric Pitcher, vice president of product management at CA Storage. "Whether you are using BrightStor, eTrust or Unicenter solutions separately or integrated together, your administrative staff security rights will be identified and enforced automatically."
He believes that storage security is but a single layer of a total security solution, and that good security is defined not by a product but by the right security plan. CA, he says, has the required storage, security and IT infrastructure management technology and expertise to help customers implement a complete, systemic approach to protecting, managing and securely aligning business information across the enterprise.
Free or Not?
It appears certain, therefore, that security will be built more and more into storage products. But that begs the question: should it be free or an add-on cost? Sadowski feels that baseline security features such as basic authentication, access control, authorization and auditing should come free.
"Aside from this baseline level of security functionality, there are some features that go above and beyond the basics, which may not be of interest to all users, or only suitable for use in the most secure environments," he says. "These features, to the customers who need them, are usually seen as worth paying extra for."
Oltsik, too, firmly believes that basic protection should be built into the products. Routers, for example, are shipped with packet filtering and ACLs. That said, he doesn't see storage vendors having to evolve each and every facet of security; there will always be built-in security and add-on security.
Take the case of security management tools like log file aggregation. Oltsik thinks they will always be extra, particularly in a heterogeneous storage infrastructure with Brocade and McData switches, EMC and HP disk, and IBM and STK tape.
"If all of these devices are logging events, something needs to aggregate, parse, analyze and store the log files," says Oltsik. "I can't see this function being free any time soon."