Two become one: Making sense of storage and security convergence

The merging of two IT industries always leads to the formation of a new buzzword, followed by a period of furious head-scratching as to what exactly it means. Integrators and their customers are best advised to wait on the sidelines until the dust settles, standards are set and commodification, that harbinger of good value, arrives.

The latest amalgamations between storage and security vendors are no exception. The commotion has given rise to the inventive term “storage security”, and players from both sides are yelling over each other to provide the definitive definition.

Predictably, sellers of anti-virus and email applications say it’s all about securing communications, sellers of storage arrays are concerned about authentication and sellers of security appliances believe that nothing’s secure unless it is encrypted to military standards, and then some.

Behind the hype, most of what vendors are saying about storage security is nothing more than the standard security practices and services already encouraged and ignored.

The actual process of integrating security into storage appliances has already been occurring for some years, but vendors are indicating that it will now pick up speed. Security will eventually be subsumed into storage as an essential feature, as were reliability and compatibility.

Each part of a storage system – an array, controller, hard drive – will have integrated security features as cost options, such as encryption, authentication and authorisation.

There are several trends at work which have made security an indispensable requirement of storage.

One trend is the evolution of e-commerce and the interdependent relationships between customers, vendors and partners that it creates. Before e-commerce became commonplace, every company used to fortify its storage behind a firewall that was assumed to be as secure as the Iron Curtain, with very little traffic passing into the insecure outside world.

But now that firewall is regularly penetrated by partners accessing product databases and event calendars, VPNs set up by roaming sales staff and executives, and customers making online payments.

Dennis Hoffman, vice president of information security

“The perimeter is gone because Web-based interactions with partners and customers are such that many companies’ internal applications are being opened up to the world,” says Dennis Hoffman, vice president of information security, EMC. “So it’s hard for an IT manager to step back and say, that’s my perimeter.”

The perimeter, while still protected, must now be assumed to be compromised. Storage, now managed through an IP interface, requires the same level of protection as other elements of the network.

Hoffman gives the example of EMC’s Powerlink application, which once served as a database behind the perimeter for the internal sales force. Now it straddles the perimeter as EMC’s partner portal and customer knowledge base portal as well.

The tipping point that gave rise to storage security is the changing nature of the threat to companies of all sizes. Hacker attacks on network availability, such as denial-of-service and site defacing, have given way to less obvious but much more dangerous activity.

The target is the information itself, either for corporate espionage, large-scale identity theft or other types of fraud. The perpetrators are organised criminal groups who don’t bother to leave a calling card, so the victims may read about the theft first in the newspapers or never find out.

A large number of criminal attacks are coming out of Eastern Europe, according to the Storage Networking Industry Association (SNIA). US identities costs US$3.50 each in lots of a hundred, with higher credit limits sold for higher prices.

“The nature of the threat has changed from external attack to insider attack so the response has changed from perimeter sector security to information sector security,” says Hoffman. “The storage part of the IT stack is in the spotlight for the first time, because that is where all the information resides.”

The security of information is also the main subject of the latest compliance regulations in the US. The Sarbanes-Oxley act and breach notification laws are forcing US companies and their subsidiaries overseas to be accountable for their data in ways that were previously unimaginable.

Current Australian regulations are nowhere near as onerous but Australian companies will be forced to comply to stricter standards as the international bar is raised by the US and also Japan. However, this also raises the possibility of conflicts between Australian and US requirements.

“The biggest challenge in Australia around the compliance issue is that there is no uniform body for legislation and regulatory environment for storage and information security,” says Tim Smith, senior marketing manager, A/NZ, Hitachi Data Systems. He says Australia has at least 83 pieces of legislation on retaining and destroying information.

Some US regulations extend even to the partners of US companies, which introduces governance risks. Just ask Stat Oil, the Norwegian oil company that was fined under the US’ Foreign Corrupt Practices Act for off-book payments related to its business development activities in Iran.

In many cases these compliancy requirements are stretching the technological limits. With jail terms hanging over their heads for serious compliancy failures, boards of directors throughout the US are ordering their IT departments to identify, catalogue and secure every piece of data in their organisations.

For most companies, that is a Herculean task.

IDC's Penn

“Organisations today encounter a storage problem and their first reaction is to go and buy more,” says Graham Penn, analyst, IDC.

However, simply buying more storage often results in data scattered across the company in various offices and on different media and formats with no one person able to know what data the company has, who has it or where it is.
And without control of the data, there is no security.

“The pin is going to drop one day that the cost is not in acquiring the hardware but mapping the data on the hardware,” says Penn.

And this is the real crunch for storage security – centrally managing every scrap of data within a consistent security framework.

Locking down each drive to an individual password can result in overwhelming complexity, such as with a disk array of 1000 disks that represent 8000 virtual disks.

SNIA is “fairly sensitive” to password overload, says LeRoy Budnik, CEO of Knowledge Transfer and chairman of SNIA’s Storage Security Forum. “It’s all a question of the implementation. They key word is authentication.”

So what do companies need to do to achieve storage security?

There is no need to rush out and buy new appliances yet. Firstly, the integrated fruits of the most recent mergers are yet to arrive – look out for secure storage products in the next quarter.

Secondly, companies with low-risk information may not need the latest in security. Encryption is now commodified and available for data in-flight – while in transmission between storage array and a tape library backup, for example – or data at-rest, such as on backup tapes or on hard drives.

However, encryption can add a level of complexity that may prove too much hassle for companies that don’t require high levels of data protection, says Sam Srinivasan, partner sales manager, Sun Microsystems. “Not every customer needs to encrypt storage, not every customer needs to encrypt a system or a user – different people have different requirements.”

Standards for encryption are yet to be finalised and until a clear standard is in place it is potentially a waste of money, according to HDS’ Smith. A company would have to refresh its storage environment and re-encrypt all data to the new standard, says Smith.

Another issue is that storage security is often best supplied by best-of-breed security appliances rather than an integrated storage device. Decru, which operates as an independent unit within NetApp, produces appliances that deliver wire-speed encryption without compromising network performance.

“Most of security has been how to encrypt between two sites using technologies such as VPN but the concept of encrypting data when it comes to rest is fairly new,” Steve Bracken, business development manager, Decru.

In the future, when the term storage security has been rendered obsolete, automated administrative applications will be able to quickly categorise data into sets with differing levels of availability, protection and backup, matched to user accounts with specific levels of access, password protocols and termination procedures.

But for the moment no one vendor holds all the various pieces of the puzzle. The major players are submitting their own ideas to SNIA, which is working to harmonise the elements into a proof of concept for automation.

Compliance will remain the biggest driver for information management and security. The first step companies need to do is network all their storage together and place it under the control of one person who can sign off on data security, says IDC’s Penn. Otherwise there is no way a company can guarantee that it is complying with regulations.

And it’s worth getting started now, as sorting out your information is a complicated and time-consuming process. “It’s a five year journey from where we are now to full compliance,” says Penn. US-style compliance is inevitable in Australia, says Penn, “and if you don’t start to prepare for it, you are going to run out of time.”

emchdsidcrsasecuritystorage