Securing Storage a Sound Plan for Start-ups

The beauty of storage area networks (SANs) is that employees can gather, store, and retrieve specific information from terabytes of data at a moment’s notice. But SANs can also be surprisingly vulnerable to attacks.

Storage experts say that major vendors such as EMC, IBM, HP, and Hitachi Data Systems have ignored security for too long and run the risk of leaving the customers who buy their pricey products vulnerable to attacks. This oversight could result in millions of dollars of damage in lost or misused information.

How big a problem is it? A recent PricewaterhouseCoopers report concluded that the top result of security breaches is the compromise or loss of stored data — not impacts to application or network availability — according to 30 percent of 7,500 surveyed IT professionals.

Disregard for storage security has created opportunities for a handful of firms. Companies like Decru, NeoScale, Vormetric, Kasten Chase, and Ingrian Networks have all developed unique software and/or hardware methods to help enterprises with SANs repel attackers.

The situation wasn’t always so serious, according to Hu Yoshida, a vice president and chief technologist at Hitachi Data Systems. Older direct-attached storage (DAS) methods don’t have the multiple access points.

Every SAN connection, though, whether it be to a host bus adapter, storage device, or Fibre Channel port, runs the risk of being infiltrated. Attackers may grab the network address and “spoof” a user, pretending they’re someone else. Yoshida says the architecture of a SAN is like the layers in an onion — once an attacker gets past one layer he can easily “peel away” the next.

Why a Problem Now?

Of course, SANs have been around for years, so what makes this such a problem now? The rules have changed, Enterprise Storage Group analyst Jon Oltsik told “There are a lot more government regulations now that say we have to keep information for a certain period of time, and if a company can’t produce the files, they could face legal action.”

Oltsik says SANs offer “extremely preliminary security” in the form of zoning and partitioning logical unit numbers, or LUNs, which distinguish between devices that share the same bus. Using these techniques, the analyst explains, “my server can’t see into your disk partitions, even if they’re on the same device.”

But these features are not enough to stop a diligent hacker’s attempt to steal information or vandalize the system, according to Oltsik. Major vendors have tended to ignore security principles such as authorization, authentication, and other policy-based protocols, but they are getting wiser, protecting their SANs from being written over by another host.

HDS’ Yoshida admits this is true, but notes that HDS has taken steps to alleviate the security issues, including a feature in its Thunder and Lightning arrays that responds to a “checksum,” a basic error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The checksum is then processed to guarantee that what is written onto a disk was recorded without modification.
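
As an added illustration (not code from HDS or from this article), the following Python example implements the set-bit-count checksum described above and shows which changes to a stored block it detects. The sample block, the key, and the HMAC-SHA256 tag used for comparison are assumptions introduced for the example.

```python
import hashlib
import hmac


def popcount_checksum(message: bytes) -> int:
    """Checksum as the article describes it: the count of set bits."""
    return sum(bin(byte).count("1") for byte in message)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; producing a valid one requires the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def check_block(block: bytes, stored_sum: int, key: bytes, stored_tag: bytes) -> dict:
    """Re-verify a block read back from disk against both stored values."""
    return {
        "checksum_ok": popcount_checksum(block) == stored_sum,
        "tag_ok": hmac.compare_digest(keyed_tag(key, block), stored_tag),
    }


# Constructed sample data (not from the article).
KEY = b"constructed-demo-key"
ORIGINAL = b"LUN 07 owner=hostA"
STORED_SUM = popcount_checksum(ORIGINAL)
STORED_TAG = keyed_tag(KEY, ORIGINAL)

# Accidental corruption: one bit flipped in the first byte.
BIT_FLIP = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]
# Same bytes in a different order, so the set-bit count is unchanged.
REORDERED = b"LUN 70 owner=hostA"


def run_demo() -> dict:
    """Check the original and both altered blocks against the stored values."""
    samples = [("original", ORIGINAL), ("bit_flip", BIT_FLIP), ("reordered", REORDERED)]
    return {
        name: check_block(block, STORED_SUM, KEY, STORED_TAG)
        for name, block in samples
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} {result}")
```

The set-bit count catches the single-bit error but accepts the reordered block, while the keyed tag rejects both altered blocks.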

But most vendors don’t have such a system, which is why Yoshida and Oltsik both feel there is a solid market opportunity for start-ups like Decru, Vormetric, NeoScale, Kasten Chase, and Ingrian.

Different Strokes for Securing Storage

Oltsik says storage security companies employ distinct methods that ultimately secure stored data. Decru, NeoScale, and Kasten Chase make devices that intercept bits of data, while Vormetric secures both the server and the storage. Ingrian secures bits at the database and applications level, but not at the storage layer.

Dan Avida, CEO of Redwood City, Calif.’s Decru, believes that “hostile insiders” are more of a threat to stored data than outside hackers. That’s why his DataFort appliance is designed to encrypt data, making it accessible to only those with authorized access. Being entirely hardware-based, he adds, isn’t easy.

Avida says DataFort combines AES encryption, layered authentication, and key management with an architecture designed to protect data in SAN, NAS, DAS, and backup environments, and costs $30,000 to start for a file server, disk array, or tape implementation.

Mountain View, Calif.-based Vormetric goes about securing storage a different way, according to co-founder and vice president of partner development Phil Grasso, who positions his company’s CoreGuard security appliance as unique in that it combines host protection, data encryption, and access control to protect the network core.

“Our product has a mechanism to guarantee secure servers using storage encryption,” says cofounder, executive vice president, and CTO Duc Pham.

“The difference between our tech versus other [storage security vendors] is that we protect data in storage with a centralized security product and management. We offer enforcement that sits where the threat is and policy management, which is done by the security appliance,” Pham continues.

Grasso and Pham recommend users purchase two CoreGuard appliances to span heterogeneous environments for $39,500.

ESG’s Oltsik, who has studied products from all of the major storage security vendors, won’t claim a favorite. It’s partly because of this that he doesn’t see the market as being as lucrative as people might think. Also, many businesses don’t have the extra money to spend on security hardware that costs $30,000 to $40,000 for a platform.

Because of this, he anticipates a shakeout in the small sector, leaving the top one or two storage security vendors standing. The analyst says he imagines a scenario in which storage fabric vendors such as Brocade Communications Systems, McDATA, or Cisco Systems could scoop up any one of the companies.

Oltsik also says it’s feasible that security vendors such as Symantec or RSA might throw their hats into the ring because of the quality of encryption and authentication in their products.

After all, he continues, the products are of high quality, owing to the fact the companies were founded by security experts.

Clint Boulton
Clint Boulton is an Enterprise Storage Forum contributor and a senior writer for covering IT leadership, the CIO role, and digital transformation.
