SAN Security Steps Out

Storage security startups are peddling their wares, but is the market ready for this technology?

March 4, 2003

4 Min Read
Network Computing logo

Startup NeoScale Systems announced today that it has begun shipping its storage security appliance -- an area likely to get plenty of air in the light of events like the data security breach at IBM Corp.'s (NYSE: IBM) hosting center in Canada (see NeoScale Ships SAN Security and IBM Loses Insurer's Data).

Had IBM encrypted the data on the disk that was stolen, the severity of the incident would have been greatly reduced, as the thief could not have read the data. At least, not without James Bond-like code cracking devices.

As storage networks grow beyond the confines of the data center and the IT outsourcing trend continues, the need to protect important company information is escalating. Besides NeoScale, another startup, Decru Inc., is aiming at protecting data that resides in SANs (see Decru, Nishan Test Together).

Still, SAN security technology is its infancy, and the market for standalone products, from a pair of startups, will be tough to define.

At least one analyst thinks approaches like Decru's and NeoScale's have a decent chance. "Current encryption methods only address data in transit, but data is most vulnerable when it is stored," notes Nancy Marrone, analyst at Enterprise Storage Group Inc. "Security appliances like NeoScale's encrypt the data at rest, so that if a hacker were to break into a zone -- or worse, steal a disk -- they can't read the stored data."NeoScale has developed two in-band appliance products: one for protecting primary storage in Fibre Channel storage arrays, and another that encrypts data residing in secondary storage, or tape-based systems.

The downside to this approach is that NeoScale's appliances reside in the data path, next to the storage, which may cause bottlenecks and further scaleability issues down the line. At this point, however, Marrone says it's the only way to encrypt storage. NeoScale "will be using caching to alleviate as much latency as possible, but for the time being this is the price a user has to pay for the extra level of security," she says. Marrone adds that users can set policies so that only certain types of data get encrypted, thus ensuring that not all data will suffer the latency hit.

Eventually, Marrone believes the software on these appliances could reside on SAN switches -- particularly next-generation switches that have the power to run intelligent applications without introducing a lot of latency. Brocade Communications Systems Inc. (Nasdaq: BRCD) appears to be keeping an eye on this opportunity (see Brocade, Kasten Chase Secure SANs, Brocade Joins SNIA's Security Forum, and Brocade Reupholsters Rhapsody).

Kasten Chase, another provider of SAN security technologies, has identified at least three weak spots in today's storage networks that end users should consider:

  • Theft of Stored Data (High Risk): Security surveys indicate that rogue employees are a frequent source of security breaches. Insiders can steal tape backups of stored data from on- or off-site libraries, or seize data in transit during remote backup operations.

  • Attack from an IP Gateway (Medium Risk): Fibre Channel connections are typically short and contained within the data center and its strong physical security. However, storage networks often have an IP connection for system administration purposes and are thus open to attack from other IP networks.

  • Sniffing Connections (Low Risk): Sophisticated adversaries can sniff Fibre Channel connections to steal data in transit within the SAN fabric. This is a relatively unknown phenomenon today, but it is happening, security experts say. Highly valuable corporate data is of considerable interest to unscrupulous foreign and domestic competitors and organized crime syndicates.

It's clear that as more and more users begin to network their storage, there are significantly more entry points and possible points of compromise. At the same time, more crucial company information is being kept in electronic form, and there are strict penalties if data is lost (see Storage Admins Fear Regs and Feds Prep Disaster Recovery Regs).Many companies may want to take the additional step of encrypting the data at rest. Time will tell how many of them are willing to shell out the extra dollars to do so.

Ian Galbraith, VP of sales and marketing at SymTech Canada Ltd.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights