Mitigating SAN security risks
- 10 September, 2003 09:27
The world of SAN security is complex, but there are some emerging ideas about how to approach the issue.
First, the Storage Networking Industry Association has a sub-group called the Storage Security Industry Forum, which offers a few resources to help get you started. An April 2003 white paper called "How to do a Storage Security Audit" (http://www.snia.org/apps/group_public/download.php/2400/SSIF%20security%20audit%202003-041.pdf) is a good first stop, because it offers a multiple-page checklist (toward the end) and some basic common-sense advice. Among the most important: "Storage security is not just about applying well-established IT security practices to a new area of technology. You must also address security aspects that are unique to the storage infrastructure - the media, devices, networks and management applications."
Also on the SNIA's site, there's a quickie self-quiz that rates different areas of readiness, including confidentiality, integrity and availability. You can find the quiz at: http://www.snia.org/ssif/education/risk_assessment/.
It's important to remember that security is a policy more than it is a set of technologies, and that it's a company-wide endeavor. The problem is much broader and deeper than an IT-led initiative; business users and leaders must be involved too.
Randy Kerns, partner at the Evaluator Group, talks about four different levels of security issues regarding storage. The first is access to the device itself; the second is access to the data in transit, to make sure the data can't be changed or stolen; the third is encryption of the data; and the fourth is access to the tools that help manage the device. There are many ways into a storage system, he says, and probably the least understood is managing the data in transit.
Think in layers, Kerns and other experts advise. Just like there are multiple security mechanisms in a bank – alarm, human guard, panic buttons by each teller's station, vaults and assorted locks – different technologies are meant to safeguard different pieces of the storage puzzle.
The more you share your data - via a SAN or some other means - the more risk you've got. So it's important to get started - take the SNIA audit and start to understand where your biggest leaks may be, and then engage business folks in helping to figure out how to stop them through both policy and technology. It's never too late to lock the door.