Scared Stupid

Scared Stupid Is the threat of security breaches on SANs enough to make you spend millions securing them?

March 8, 2003

3 Min Read
Network Computing logo

It's a nuisance to have to unlace our shoes and shuffle through the metal detector at the airport in our socks. But we endure this treatment, along with random security searches at museums and public events, because we've become accustomed to the mantra, "It keeps us safe."

Encouraged by the government's incessant reminder that we are in more danger now than ever before in the history of the world, technology vendors have figured out there's a juicy market in this homeland security business.

The result? Two reports out this week by Infonetics Research Inc. that show network security spending is soaring (see IDS Revenue Hit $382M in 2002, VPN/Firewall Market Still Growing, and Report: IDS Takes Flight).

Can we expect the same urge to buy in order to alleviate these fears in the storage networking market? Of course. Check out the number of companies that have popped up touting storage security wares over the past year, including Cavium Networks Inc., Cylink Corp., Decru Inc., Hifn Inc. (Nasdaq: HIFN), Kasten Chase Applied Research Ltd., NeoScale Systems, and Vormetric Inc.

Not yet convinced? Then browse through these previous stories on the subject:

The bottom line is, corporate data "at rest" that is, the point at which it's physically located on SANs, NAS, or direct-attached storage – has always been at risk. Tapes get lost, or stolen, or corrupted all the time. Would it be a good idea to encrypt this data, or certain data that is particularly sensitive? Sure.

But that's not enough for some people, who say the storage network itself also needs to be secured. Vendors touting storage security products argue that as both SANs and NAS grow beyond the boundaries of the data center, there are many more entry points to the key data stores than there were in the past – and each entry point produces a risk. But how big a risk, though? This isn't clear.

The concept of spoofing Fibre Channel-based world wide names (WWNs) in order to gain entry into a specific zone within a SAN isn't new, and it doesn't appear to be an issue. We couldn't find a single example of a SAN that had been hacked through WWN spoofing. There's bound to have been a couple. But once again, how big a risk is this really?

We need more information. Probably the only thing a storage admin can do at this point is ask vendors pushing this gear for examples of situations where storage networks have been hacked in the past. Then go talk to those people.

One thing's for sure with the hacker community, however: Challenge them a little, and you really turn them on.Just be careful you don't end up on Privacy International's list of most stupid security measures ever implemented. Check it out. Until March 15, 2003, PI is running an international competition

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights