Securing Storage a Sound Plan for Start-ups

The beauty of storage area networks (SANs) is that employees can gather, store, and retrieve specific information from terabytes of data at a moment’s notice. But SANs can also be surprisingly vulnerable to attacks.

Storage experts say that major vendors such as EMC, IBM, HP, and Hitachi Data Systems have ignored security for too long and run the risk of leaving the customers who buy their pricey products vulnerable to attacks. This oversight could result in millions of dollars of damage in lost or misused information.

How big a problem is it? A recent PricewaterhouseCoopers report concluded that the top result of security breaches is the compromise or loss of stored data — not impacts to application or network availability — according to 30 percent of 7,500 surveyed IT professionals.

Disregard for storage security has created opportunities for a handful of firms. Companies like Decru, NeoScale, Vormetric, Kasten Chase, and Ingrian Networks have all developed unique software and/or hardware methods to help enterprises with SANs repel attackers.

The situation wasn’t always so serious, according to Hu Yoshida, a vice president and chief technologist at Hitachi Data Systems. Older direct-attached storage (DAS) methods don’t have multiple access points.

Every SAN connection, though, whether it be to a host bus adapter, storage device, or Fibre Channel port, runs the risk of being infiltrated. Attackers may grab the network address and “spoof” a user, pretending they’re someone else. Yoshida says the architecture of a SAN is like the layers in an onion — once an attacker gets past one layer he can easily “peel away” the next.

Why a Problem Now?

Of course, SANs have been around for years, so what makes this such a problem now? The rules have changed, Enterprise Storage Group analyst Jon Oltsik told internetnews.com. “There are a lot more government regulations now that say we have to keep information for a certain period of time, and if a company can’t produce the files, they could face legal action.”

Oltsik says SANs offer “extremely preliminary security” in the form of zoning and partitioning logical unit numbers, or LUNs, which distinguish between devices that share the same bus. Using these techniques, the analyst explains, “my server can’t see into your disk partitions, even if they’re on the same device.”

But these features are not enough to stop a diligent hacker’s attempt to steal information or vandalize the system, according to Oltsik. Major vendors have tended to ignore security principles such as authorization, authentication, and other policy-based protocols, but they are getting wiser, protecting their SANs from being overwritten by another host.

HDS’ Yoshida admits this is true, but notes that HDS has taken steps to alleviate the security issues, including a feature in its Thunder and Lightning arrays that responds to a “checksum,” a basic error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The checksum is then processed to guarantee that what is written onto a disk was recorded without modification.
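The set-bit checksum described above can be tried on a single block. The following is an added example, not code from HDS or the article: it shows that the checksum catches a single flipped bit but not a rearrangement that keeps the bit count the same, and for contrast it includes a keyed HMAC-SHA256, which is a comparison added here rather than anything the article attributes to a vendor. The record layout, key, and sample block are constructed for illustration.

```python
import hashlib
import hmac

def popcount_checksum(block: bytes) -> int:
    """Checksum as the article describes it: the number of set bits in the block."""
    return sum(bin(b).count("1") for b in block)

def write_block(block: bytes, key: bytes) -> dict:
    """Store the block with both integrity values (hypothetical record layout)."""
    return {
        "data": block,
        "checksum": popcount_checksum(block),
        "mac": hmac.new(key, block, hashlib.sha256).digest(),
    }

def verify_checksum(record: dict, data_read: bytes) -> bool:
    """True when the data read back has the same set-bit count as at write time."""
    return popcount_checksum(data_read) == record["checksum"]

def verify_mac(record: dict, data_read: bytes, key: bytes) -> bool:
    """True only when the data read back matches the keyed digest exactly."""
    expected = hmac.new(key, data_read, hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["mac"])

# Constructed sample values, not taken from any real system.
KEY = b"constructed-demo-key"
ORIGINAL = b"ACCT=1001;LIMIT=0500"
RECORD = write_block(ORIGINAL, KEY)

# Accidental corruption: one bit flipped in the first byte.
SINGLE_FLIP = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]

# Same bytes in a different order, so the set-bit count is unchanged.
REARRANGED = b"ACCT=1001;LIMIT=5000"

if __name__ == "__main__":
    for name, data in [("original", ORIGINAL),
                       ("single bit flip", SINGLE_FLIP),
                       ("rearranged digits", REARRANGED)]:
        print(f"{name:18} checksum_ok={verify_checksum(RECORD, data)} "
              f"mac_ok={verify_mac(RECORD, data, KEY)}")
```

A count-based checksum is an error-detection aid for faulty writes; detecting deliberate modification needs a keyed integrity value whose key the writer of the modified data does not hold.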

But most vendors don’t have such a system, which is why Yoshida and Oltsik both feel there is a solid market opportunity for start-ups like Decru, Vormetric, NeoScale, Kasten Chase, and Ingrian.

Different Strokes for Securing Storage

Oltsik says storage security companies employ distinct methods that ultimately secure stored data. Decru, NeoScale, and Kasten Chase make devices that intercept bits of data, while Vormetric secures both the server and the storage. Ingrian secures bits at the database and applications level, but not at the storage layer.

Dan Avida, CEO of Redwood City, Calif.’s Decru, believes that “hostile insiders” are more of a threat to stored data than outside hackers. That’s why his DataFort appliance is designed to encrypt data, making it accessible to only those with authorized access. Being entirely hardware-based, he adds, isn’t easy.

Avida says DataFort combines AES encryption, layered authentication, and key management with an architecture designed to protect data in SAN, NAS, DAS, and backup environments, and costs $30,000 to start for a file server, disk array, or tape implementation.

Mountain View, Calif.-based Vormetric goes about securing storage a different way, according to co-founder and vice president of partner development Phil Grasso, who positions his company’s CoreGuard security appliance as unique in that it combines host protection, data encryption, and access control to protect the network core.

“Our product has a mechanism to guarantee secure servers using storage encryption,” says cofounder, executive vice president, and CTO Duc Pham.

“The difference between our tech versus other [storage security vendors] is that we protect data in storage with a centralized security product and management. We offer enforcement that sits where the threat is and policy management, which is done by the security appliance,” Pham continues.

Grasso and Pham recommend users purchase two CoreGuard appliances to span heterogeneous environments for $39,500.

ESG’s Oltsik, who has studied products from all of the major storage security vendors, won’t claim a favorite. It’s partly because of this that he doesn’t see the market as being as lucrative as people might think. Also, many businesses don’t have the extra money to spend on security hardware that costs $30,000 to $40,000 for a platform.

Because of this, he anticipates a shakeout in the small sector, leaving the top one or two storage security vendors standing. The analyst says he imagines a scenario in which storage fabric vendors such as Brocade Communications Systems, McDATA, or Cisco Systems could scoop up any one of the companies.

Oltsik also says it’s feasible that security vendors such as Symantec or RSA might throw their hats into the ring because of the quality of encryption and authentication in their products.

After all, he continues, the products are of high quality, owing to the fact the companies were founded by security experts.

Feature courtesy of Internet News.

Clint Boulton
Clint Boulton is an Enterprise Storage Forum contributor and a senior writer for CIO.com covering IT leadership, the CIO role, and digital transformation.