Look Both Ways: SAN Safety Precautions Page 2
Protecting Data, Both 'In Flight' and 'At Rest'
Because the network is exposed both physically and electronically, all data must be encrypted, so that a stolen tape or storage server yields nothing readable. SAN security differs pointedly from other areas of security in that it involves two distinct tasks: protecting data that is being transmitted (called data in flight) and data that is sitting idle (called data at rest).
To further complicate things, the encryption requirements for data in flight and data at rest differ. The main requirement for data in flight is that encryption run at "wire speed," the rate at which the data is traveling, so that it adds no bottleneck to the fabric. Such throughput is less critical for data at rest. What matters there is time: data at rest may sit on a disk or tape for years, and an attacker who obtains the medium can work on the ciphertext at leisure long after it was written, so the protection must hold up over that whole period and the keys must stay both available and secret for just as long. Exceptionally strong encryption algorithms, such as AES-256, are therefore commonly used.
Ultimately, this complexity argues for a centralized hardware device, which has come to be known as a storage security appliance. NeoScale's Gordon says these appliances centralize security functions. Storage security appliances tend to operate transparently to hosts and storage, use standards-based approaches, employ strong encryption, and follow secure key-management procedures. Decru's Brown agrees that a separate device is necessary: "If you try to do it in software, you're toast," he says. "It can't be fast enough."
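As an added example, not code from the article nor from NeoScale's or Decru's products: a minimal at-rest block format in Go that shows the two properties the passages above call for, strong authenticated encryption (AES-256-GCM) and key management kept apart from the medium. The on-medium layout, the KeyStore type, the key ID of 7 and the sample payload are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// On-medium block layout assumed for this example (no vendor's real format):
//   magic(4) | keyID(4, big-endian) | nonce(12) | AES-256-GCM ciphertext and 16-byte tag
const (
	magic  = "SAN1"
	hdrLen = 4 + 4 + 12
)
var (
	ErrNoKey    = errors.New("no key for the key ID stored with this block")
	ErrTampered = errors.New("authentication failed: block modified or wrong key")
	ErrFormat   = errors.New("bad block format")
)

// KeyStore stands in for the appliance's key manager. Keys live in the
// appliance, never on the medium; only the key ID is written next to the data.
type KeyStore map[uint32][]byte

// NewKey returns a fresh 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// SealBlock encrypts one block under the key named by keyID. The header is
// passed as additional authenticated data, so a swapped key ID or nonce is
// rejected on read instead of being decrypted to garbage.
func SealBlock(ks KeyStore, keyID uint32, plaintext []byte) ([]byte, error) {
	key, ok := ks[keyID]
	if !ok {
		return nil, ErrNoKey
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:8], keyID)
	if _, err := rand.Read(hdr[8:]); err != nil { // fresh 96-bit nonce per block
		return nil, err
	}
	out := append([]byte{}, hdr...)
	return gcm.Seal(out, hdr[8:], plaintext, hdr), nil
}

// OpenBlock looks the key up by the stored key ID and checks the tag before
// returning plaintext. A medium taken without its key store gives ErrNoKey;
// a modified block, or the wrong key under that ID, gives ErrTampered.
func OpenBlock(ks KeyStore, block []byte) ([]byte, error) {
	if len(block) < hdrLen+16 || string(block[:4]) != magic {
		return nil, ErrFormat
	}
	hdr := block[:hdrLen]
	key, ok := ks[binary.BigEndian.Uint32(hdr[4:8])]
	if !ok {
		return nil, ErrNoKey
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, hdr[8:], block[hdrLen:], hdr)
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

func main() {
	ks := KeyStore{}
	ks[7], _ = NewKey()
	blk, _ := SealBlock(ks, 7, []byte("Q3 payroll export")) // constructed sample data
	_, err := OpenBlock(KeyStore{}, blk) // the tape walks out, the key store does not
	fmt.Println("without key store:", err)
	pt, _ := OpenBlock(ks, blk)
	fmt.Printf("with key store: %q\n", pt)
}
```

The point to take from the output: a stolen medium carries key IDs, not keys, so OpenBlock fails with ErrNoKey until the key manager is present, and because the header is authenticated, a changed key ID, nonce or ciphertext byte is rejected rather than decrypted to garbage. Wire speed is the other half of the requirement in the text; this code makes no claim about throughput.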
Port zoning and logical unit number (LUN) masking are two key SAN management tools. At the highest level, these procedures control access to the stored data: both limit which hosts can "see" and reach which parts of the storage network, rather than leaving every attached host able to address the entire network. Port zoning, according to Gordon, involves creating a physical association between the storage device and a particular physical switch port, so a host can reach only the storage zoned with the port it is cabled to. If the device is moved to another port, the zone map must be redrawn. LUN masking operates on the storage side: it controls which individual LUNs a storage device (e.g., a disk array or tape drive) presents to a given host, normally identified by the World Wide Port Name of its host bus adapter. The two are complementary, zoning deciding which ports may talk at all and masking deciding which volumes a permitted host is shown, so a mistake in one is still caught by the other.
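The two controls described above, modeled as an added example in Go (not code from the article, nor any switch or array vendor's configuration format). Port zoning is modeled as a set of switch ports, LUN masking as a per-LUN set of initiator WWPNs, and Visible applies both checks; the fabric, host names, WWPNs and "domain/port" labels are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Toy fabric model. Host names, WWPNs and "domain/port" labels are constructed
// for this example and describe no real installation.
type (
	Host  struct{ Name, WWPN, Port string } // HBA port name and the switch port it is cabled to
	Zone  map[string]bool                   // port zoning: members are switch ports, not WWPNs
	Array struct {
		Name, Port string                  // switch port of the array's target port
		Masks      map[int]map[string]bool // LUN number -> initiator WWPNs allowed to see it
	}
	Fabric struct {
		Zones  []Zone
		Hosts  []Host
		Arrays []Array
	}
)

// Zoned reports whether two switch ports share at least one zone.
func (f *Fabric) Zoned(a, b string) bool {
	for _, z := range f.Zones {
		if z[a] && z[b] {
			return true
		}
	}
	return false
}

// Visible returns, per array, the LUNs a host can see. The host's port must be
// zoned with the array's port (fabric layer) AND the LUN must be masked to the
// host's WWPN (array layer); a LUN that passes only one check stays hidden.
func (f *Fabric) Visible(h Host) map[string][]int {
	out := map[string][]int{}
	for _, a := range f.Arrays {
		if !f.Zoned(h.Port, a.Port) {
			continue
		}
		for lun, allowed := range a.Masks {
			if allowed[h.WWPN] {
				out[a.Name] = append(out[a.Name], lun)
			}
		}
		sort.Ints(out[a.Name])
	}
	return out
}

// Exposure inverts Visible: for every LUN, the hosts that can reach it.
// A LUN reachable from more than one host is only intended for clusters.
func (f *Fabric) Exposure() map[string][]string {
	ex := map[string][]string{}
	for _, h := range f.Hosts {
		for arr, luns := range f.Visible(h) {
			for _, lun := range luns {
				k := fmt.Sprintf("%s/LUN%d", arr, lun)
				ex[k] = append(ex[k], h.Name)
			}
		}
	}
	return ex
}

// SampleFabric builds the constructed scenario used in main and in the tests.
func SampleFabric() *Fabric {
	db, web, bak := "10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02", "10:00:00:00:c9:aa:00:03"
	return &Fabric{
		// db01 and web01 are each zoned with the array port; backup01 (1/3) is in no zone.
		Zones: []Zone{{"1/1": true, "1/9": true}, {"1/2": true, "1/9": true}},
		Hosts: []Host{{"db01", db, "1/1"}, {"web01", web, "1/2"}, {"backup01", bak, "1/3"}},
		Arrays: []Array{{Name: "arrayA", Port: "1/9", Masks: map[int]map[string]bool{
			0: {db: true},            // private to db01
			1: {db: true, web: true}, // shared: shows up in Exposure
			2: {bak: true},           // masked to backup01, but its port is unzoned: hidden
		}}},
	}
}

func main() {
	f := SampleFabric()
	fmt.Println("db01:", f.Visible(f.Hosts[0]), "backup01:", f.Visible(f.Hosts[2]))
	fmt.Println("shared:", f.Exposure())
	// Re-cable db01 to port 1/5 without redrawing the zone: a port zone does not
	// follow the device, so its storage silently disappears.
	f.Hosts[0].Port = "1/5"
	fmt.Println("db01 after move:", f.Visible(f.Hosts[0]))
}
```

Two things the model makes concrete: backup01 is masked into LUN 2 but its port is in no zone, so it sees nothing, and moving db01's cable to port 1/5 removes its access until the zone is redrawn, which is the port-zoning caveat above. Exposure is the audit view: any LUN reachable from more than one host should be a known cluster volume.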
SAN security is moving quickly, as it seeks to keep pace with the exploding amount of available data. The task is steep, however. "Most network security is at the perimeter of the network, such as a firewall, VPN, or intrusion detection system," says Brown. "They are guarding just the fence. However, according to the FBI, 50 percent to 80 percent of [security breaches] happen inside the firewall. The problem with stored data is that there are many, many different ways to reach it."
Feature courtesy of ServerWatch.