Brocade, for example, in March took a big step toward securing its switches by rolling out its Secure Fabric Operating System software which, among other things, lets administrators bind storage devices to specific ports and introduces authentication of devices attaching to its switches via a public-key encryption (PKI) scheme. Competitors such as McData and Cisco, however, are holding out for what they see as a more standard approach, based on the Challenge Handshake Authentication Protocol.
Chap is likely to emerge as the winning approach. The dominant storage security standards body, ANSI's T-11 committee, is creating a set of SAN security standards called Fibre Channel Security Protocol. At the end of last year, the committee formally adopted Chap as the first mandatory authentication approach for SANs. At this point, however, the committee also recognizes a PKI-based approach called Fibre Channel Authentication Protocol as well as a password-based approach, the Fibre Channel Password Authentication Protocol, as optional authentication mechanisms.
McData has demonstrated Chap authentication with its switch products, and Cisco has said its switches will support Chap authentication by the end of the year. A final formal standard and true authentication interoperability, however, won't come until 2004 at the earliest, however, predicts Cisco's Gai.
In the meantime, enterprises with heterogeneous networked-storage environments will have to understand and manage multiple authentication schemes.
IT managers can begin to get a jump on improving storage security. A good first step, say experts, is to apply to storage many of the same practices already used to secure other parts of the IT infrastructure. That means first developing a storage-security risk assessment that looks at both vulnerabilities and potential losses should those vulnerabilities be exploited.
