Two become one: Making sense of storage and security convergence

The tipping point that gave rise to storage security is the changing nature of the threat to companies of all sizes. Hacker attacks on network availability, such as denial-of-service and site defacing, have given way to less obvious but much more dangerous activity.

The target is the information itself, either for corporate espionage, large-scale identity theft or other types of fraud. The perpetrators are organised criminal groups who don’t bother to leave a calling card, so the victims may read about the theft first in the newspapers or never find out.

A large number of criminal attacks are coming out of Eastern Europe, according to the Storage Networking Industry Association (SNIA). US identities cost US$3.50 each in lots of a hundred, with higher credit limits sold for higher prices.

“The nature of the threat has changed from external attack to insider attack so the response has changed from perimeter sector security to information sector security,” says Hoffman. “The storage part of the IT stack is in the spotlight for the first time, because that is where all the information resides.”

The security of information is also the main subject of the latest compliance regulations in the US. The Sarbanes-Oxley Act and breach notification laws are forcing US companies and their subsidiaries overseas to be accountable for their data in ways that were previously unimaginable.

Current Australian regulations are nowhere near as onerous, but Australian companies will be forced to comply with stricter standards as the international bar is raised by the US and also Japan. However, this also raises the possibility of conflicts between Australian and US requirements.

“The biggest challenge in Australia around the compliance issue is that there is no uniform body for legislation and regulatory environment for storage and information security,” says Tim Smith, senior marketing manager, A/NZ, Hitachi Data Systems. He says Australia has at least 83 pieces of legislation on retaining and destroying information.

Some US regulations extend even to the partners of US companies, which introduces governance risks. Just ask Statoil, the Norwegian oil company that was fined under the US’ Foreign Corrupt Practices Act for off-book payments related to its business development activities in Iran.

In many cases these compliance requirements are stretching the technological limits. With jail terms hanging over their heads for serious compliance failures, boards of directors throughout the US are ordering their IT departments to identify, catalogue and secure every piece of data in their organisations.

For most companies, that is a Herculean task.

“Organisations today encounter a storage problem and their first reaction is to go and buy more,” says Graham Penn, analyst, IDC.

However, simply buying more storage often results in data scattered across the company in various offices and on different media and formats with no one person able to know what data the company has, who has it or where it is.
And without control of the data, there is no security.

“The pin is going to drop one day that the cost is not in acquiring the hardware but mapping the data on the hardware,” says Penn.

And this is the real crunch for storage security – centrally managing every scrap of data within a consistent security framework.
