Compliance Calls for Security

Besides expanding storage capacity requirements, compliance regulations are shining the light on possible SAN security holes that have been largely overlooked.

Security appliance vendors, service providers, and consultants are rushing in to address the issue. Just this month weve seen:

Neither compliance nor security services and products are new (see Insider Assesses Compliance Impact). They’re just becoming more closely linked. Jim Damoulakis, CTO of GlassHouse Technologies Inc., says security is a major part of his consultant firm’s compliance service -- but it’s not the first thing clients think of.

“To a large extent, most people are focused on the data retention piece when hit with compliance issues –- how to store data long term, how to retain it,” he says. “Storage as a whole has been kind of a forgotten area in security. Obviously, because of recent news, there’s a heightened level of awareness.”

The recent news focuses on lost tapes, which came to light because compliance regulations forced the companies involved to admit the gaffes (see Diskers Enjoying Tape Woes).Compliance regulations add to security requirements in a number of ways. First, they force companies to retain certain sensitive personal information for decades while making sure the data remains private. Tape isn't the only vulnerable point -- there are plenty of security risks around data stored on disk as well. For instance, SAN management interfaces provide a malicious insider with a single view to all data in the data center. Also, each switch or HBA on a SAN provides potential points of inside attack.

“Storage organizations are built on models of growth and cost reduction, not on security,” says David de la Plante, Kasten Chase’s SVP for business solutions. “So there are good reasons why security has not been looked at in any detailed way in the storage world, and compliance is driving people to look at it that way.”

Damoulakis of GlassHouse says many IT people are just now getting around to providing the same security policies for storage as for their networks. “Changing passwords is something people are finally doing, but for a number of years the feeling was the SAN is its own entity. Security people were not focused on it,” he says.

At its second summit last week, the Storage Networking Industry Association (SNIA) Storage Security Industry Forum listed compliance as a major security concern.

The forum’s chairman, LeRoy Budnik, managing partner of systems integrator Knowledge Transfer, says administrators can close back doors to storage systems by setting up roles-based password accounts immediately after implementing a storage array or connection device.“At minimum, three roles are presented -- administrator, security, and audit,” he says. “There is an association between the role and the named account. Only the security role can direct the placement of activity logs to a security server. Actions taken by the admin are logged. And this is only the start.”

— Dave Raffo, Senior Editor, Byte and Switch