The world of SAN security is complex, but there are some emerging ideas about how to approach the issue.
First, the Storage Networking Industry Association has a sub-group called the Storage Security Industry Forum, which offers a few resources to help get you started. An April 2003 white paper called "How to do a Storage Security Audit" (http://www.snia.org/apps/group_public/download.php/2400/SSIF%20security%20audit%202003-041.pdf) is a good first stop, because it offers a multiple-page checklist (toward the end) and some basic common-sense advice. Among the most important: "Storage security is not just about applying well-established IT security practices to a new area of technology. You must also address security aspects that are unique to the storage infrastructure - the media, devices, networks and management applications."
Also on the SNIA's site, there's a quickie self-quiz that rates different areas of readiness, including confidentiality, integrity and availability. You can find the quiz at: http://www.snia.org/ssif/education/risk_assessment/.
It's important to remember that security is a policy more than it is a set of technologies, and that it's a company-wide endeavor. The problem is much broader and deeper than an IT-led initiative; business users and leaders must be involved too.
Randy Kerns, partner at the Evaluator Group, talks about four different levels of security issues regarding storage. The first is access to the device itself; the second is access to the data in transit, to make sure the data can't be changed or stolen; the third is encryption of the data; and the fourth is access to the tools that help manage the device. There are many ways into a storage system, he says, and probably the least understood is managing the data in transit.
Think in layers, Kerns and other experts advise. Just as a bank has multiple security mechanisms – alarm, human guard, panic buttons by each teller's station, vaults and assorted locks – different technologies are meant to safeguard different pieces of the storage puzzle.
The more you share your data - via a SAN or some other means - the more risk you've got. So it's important to get started - take the SNIA audit and start to understand where your biggest leaks may be, and then engage business folks in helping to figure out how to stop them through both policy and technology. It's never too late to lock the door.