Security Looms Large at Storage Networking World

Oct. 22, 2007
Security of data storage a top concern for tradeshow attendees

DALLAS -- Security may not be top of mind for every storage professional, but attendees at this week's Storage Networking World were told that it may soon become a big part of their daily operations.

With another data tape loss as a backdrop, this time involving Iron Mountain and the Louisiana Office of Student Financial Assistance, attendees got a sense of just how far-reaching storage vulnerabilities are and the steps that are needed to control them.

Keynote speaker Frank Abagnale, known to many in attendance from the movie "Catch Me If You Can," set the stage for security considerations with his humorous yet sobering story of how a teenager could assume the role of an airline pilot and pediatrician in lax security environments. Abagnale maintained that fraud and identity theft continue to be major issues that should not be dismissed by organizations.

A number of users concurred that storage security issues often get overlooked, and a session by TD Ameritrade put forth the premise that they could be bigger than traditional operating system or network security issues. First steps to storage security include examining a variety of vulnerability points, securing how individuals legally access data, and combining those activities with support of network protocols, storage devices and the operating systems they run on.

An Introduction to Storage Security session presented by Andrew Nielsen of Hitachi drew a room full of attendees, who concurred that data center security concerns include ongoing attacks from internal and external sources, concentration of information in high-density storage devices, increased use of automation, and data protection and privacy regulations.

Nielsen said security requires auditability and accountability, access control, integrity and asset availability, and a comprehensive and integrated approach. The first steps are balancing security with compliance, leveraging security frameworks provided by ISO, CoBIT, and NIST, and ITIL, and following best current practices. Those practices include identifying and assessing all storage interfaces, creating risk domains, monitoring and controlling physical access, avoiding failure due to common mistakes, implementing disaster recovery and business continuity, and aligning storage and policies.

Security is a people problem, and the most significant security risks in storage networks may not be the obvious ones, he said. Nielsen challenged attendees to look for insider attacks, protect critical and regulated data, and have a detailed plan to deal with data security incidents.

Arthur Coviello of EMC said security implementation should be part of a risk management strategy, a system where storage professionals audit behavior, use that knowledge to craft a risk management strategy, streamline implementation, and implement an IT security policy. Discovery, classification, monitoring, enforcement and audit are elements of a policy that results in a goal of information sharing, he said.

Identity and access management are storage and security professional concerns, said Ken Male, CEO of TheInfoPro, a market research firm. Security technologies moving up on the research and evaluation list include end point authentication, data encryption, and security information and event management. Disaster recovery, business continuity and security are also driving networking concerns, he said.

Attendees also investigated specific storage security topics like encryption and key management presented in Storage Networking Industry Association education sessions.

The ABCs of data encryption traced the growth of cryptography since the days of the Greeks and Romans to today's data encryption storage products. Roger Cummings of Symantec outlined step by step tasks to effectively implement at-rest data (sitting on servers and storage systems) encryption, including classifying and inventory of data assets, and choosing points of encryption at the application, file system, network and device level.

Developing a framework to address a key management structure also drew user interest. Walt Hubis of LSI presented best practices for key management that include: limiting the use of keys, separating key-encrypting keys from data-encrypting keys, and keeping keys secure through distribution and operations and disposition. Labs at SNW also let users obtain hands-on understanding of laptop security issues.

Information management functions like long term archiving also play a role in storage security, and vendors such as CipherMax and Spectra Logic demonstrated solutions that combined encryption and key management options for a cost-effective means of migrating to an integrated storage encryption solution. Also at the conference, Seagate, LSI and IBM partnered on enterprise-class drive encryption, and NeoScale and Reconnex showcased their security offerings too.