SNIA is “fairly sensitive” to password overload, says LeRoy Budnik, CEO of Knowledge Transfer and chairman of SNIA’s Storage Security Forum. “It’s all a question of the implementation. The key word is authentication.”
So what do companies need to do to achieve storage security?
There is no need to rush out and buy new appliances yet. Firstly, the integrated fruits of the most recent mergers are yet to arrive – look out for secure storage products in the next quarter.
Secondly, companies with low-risk information may not need the latest in security. Encryption is now commodified and available for data in-flight – while in transmission between a storage array and a tape library backup, for example – or data at-rest, such as on backup tapes or on hard drives.
However, encryption can add a level of complexity that may prove too much hassle for companies that don’t require high levels of data protection, says Sam Srinivasan, partner sales manager, Sun Microsystems. “Not every customer needs to encrypt storage, not every customer needs to encrypt a system or a user – different people have different requirements.”
Standards for encryption are yet to be finalised and until a clear standard is in place it is potentially a waste of money, according to HDS’ Smith. A company would have to refresh its storage environment and re-encrypt all data to the new standard, says Smith.
Another issue is that storage security is often best supplied by best-of-breed security appliances rather than an integrated storage device. Decru, which operates as an independent unit within NetApp, produces appliances that deliver wire-speed encryption without compromising network performance.
“Most of security has been how to encrypt between two sites using technologies such as VPN but the concept of encrypting data when it comes to rest is fairly new,” says Steve Bracken, business development manager, Decru.
In the future, when the term storage security has been rendered obsolete, automated administrative applications will be able to quickly categorise data into sets with differing levels of availability, protection and backup, matched to user accounts with specific levels of access, password protocols and termination procedures.
But for the moment no one vendor holds all the various pieces of the puzzle. The major players are submitting their own ideas to SNIA, which is working to harmonise the elements into a proof of concept for automation.
Compliance will remain the biggest driver for information management and security. The first step companies need to take is to network all their storage together and place it under the control of one person who can sign off on data security, says IDC’s Penn. Otherwise there is no way a company can guarantee that it is complying with regulations.
And it’s worth getting started now, as sorting out your information is a complicated and time-consuming process. “It’s a five-year journey from where we are now to full compliance,” says Penn. US-style compliance is inevitable in Australia, says Penn, “and if you don’t start to prepare for it, you are going to run out of time.”