SAN Security Steps Out

Storage security startups are peddling their wares, but is the market ready for this technology?

March 4, 2003


Startup NeoScale Systems announced today that it has begun shipping its storage security appliance -- an area likely to get plenty of air in the light of events like the data security breach at IBM Corp.'s (NYSE: IBM) hosting center in Canada (see NeoScale Ships SAN Security and IBM Loses Insurer's Data).

Had IBM encrypted the data on the disk that was stolen, and kept the encryption key off that disk, the severity of the incident would have been greatly reduced, as the thief could not have read the data. At least, not without James Bond-like code-cracking devices.

As storage networks grow beyond the confines of the data center and the IT outsourcing trend continues, the need to protect important company information is escalating. Besides NeoScale, another startup, Decru Inc., is aiming at protecting data that resides in SANs (see Decru, Nishan Test Together).

Still, SAN security technology is in its infancy, and the market for standalone products, from a pair of startups, will be tough to define.

At least one analyst thinks approaches like Decru's and NeoScale's have a decent chance. "Current encryption methods only address data in transit, but data is most vulnerable when it is stored," notes Nancy Marrone, analyst at Enterprise Storage Group Inc. "Security appliances like NeoScale's encrypt the data at rest, so that if a hacker were to break into a zone -- or worse, steal a disk -- they can't read the stored data."

NeoScale has developed two in-band appliance products: one for protecting primary storage in Fibre Channel storage arrays, and another that encrypts data residing in secondary storage, or tape-based systems.

The downside to this approach is that NeoScale's appliances reside in the data path, next to the storage, which may cause bottlenecks and further scalability issues down the line. At this point, however, Marrone says it's the only way to encrypt storage. NeoScale "will be using caching to alleviate as much latency as possible, but for the time being this is the price a user has to pay for the extra level of security," she says. Marrone adds that users can set policies so that only certain types of data get encrypted, thus ensuring that not all data will suffer the latency hit.
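To make concrete what an in-band encrypt-at-rest appliance with a per-volume policy actually buys you, here is a small Go model written for this article. It is not NeoScale's or Decru's code, and the article names no algorithm: AES-GCM, the policy-by-LUN model, the in-memory "disk", the demo key and the record text are all assumptions constructed for the example. The appliance sits between host and array, encrypts only the LUNs the policy names, and binds every ciphertext to its LUN and block offset. The scenario then plays the two failure cases the analyst raises: someone who walks off with the disk, and someone who tries to read a block with the wrong key or from the wrong place.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Policy names the LUNs whose blocks must be encrypted; all others pass
// through in the clear (assumed policy model for "only certain types of data").
type Policy map[uint32]bool

// Disk stands in for the array: raw blocks exactly as they sit on the media.
// This is what a thief gets. Keys are "lun:block".
type Disk map[string][]byte

func slot(lun uint32, block uint64) string { return fmt.Sprintf("%d:%d", lun, block) }

// Appliance is the in-band encryptor. The key lives here, never on the Disk.
type Appliance struct {
	aead   cipher.AEAD
	policy Policy
	disk   Disk
	seq    uint64 // write counter; with the LUN it forms a never-reused nonce
}

func NewAppliance(key []byte, policy Policy, disk Disk) (*Appliance, error) {
	blk, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return &Appliance{aead: aead, policy: policy, disk: disk}, nil
}

// aad binds a ciphertext to its location, so a block copied to another LUN or
// offset fails authentication instead of decrypting silently.
func aad(lun uint32, block uint64) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint32(b[:4], lun)
	binary.BigEndian.PutUint64(b[4:], block)
	return b
}

// Write stores a block, encrypted or not according to the policy.
func (a *Appliance) Write(lun uint32, block uint64, data []byte) {
	if !a.policy[lun] {
		a.disk[slot(lun, block)] = append([]byte(nil), data...)
		return
	}
	a.seq++
	nonce := make([]byte, a.aead.NonceSize()) // 12 bytes: LUN || write counter
	binary.BigEndian.PutUint32(nonce[:4], lun)
	binary.BigEndian.PutUint64(nonce[4:], a.seq)
	// On-disk layout for an encrypted block: nonce || ciphertext || GCM tag
	a.disk[slot(lun, block)] = a.aead.Seal(nonce, nonce, data, aad(lun, block))
}

var ErrUnreadable = errors.New("block fails authentication: wrong key, tampering or relocation")

// Read returns the host's view of a block, refusing anything that does not authenticate.
func (a *Appliance) Read(lun uint32, block uint64) ([]byte, error) {
	raw, ok := a.disk[slot(lun, block)]
	if !ok {
		return nil, errors.New("no such block")
	}
	if !a.policy[lun] {
		return append([]byte(nil), raw...), nil
	}
	ns := a.aead.NonceSize()
	if len(raw) < ns+a.aead.Overhead() {
		return nil, ErrUnreadable
	}
	pt, err := a.aead.Open(nil, raw[:ns], raw[ns:], aad(lun, block))
	if err != nil {
		return nil, ErrUnreadable
	}
	return pt, nil
}

// Outcome records what the host, the thief and the insider each get.
type Outcome struct {
	HostReadsBack   bool // legitimate path round-trips the record
	DiskLeaksPlain  bool // encrypted LUN readable straight off the media?
	ClearLUNLeaks   bool // unencrypted LUN readable straight off the media?
	WrongKeyFails   bool // stolen disk + guessed key
	MovedBlockFails bool // encrypted block copied to another offset
}

// Scenario runs the constructed demo: LUN 7 is policy-protected, LUN 9 is not.
func Scenario() (Outcome, error) {
	disk := Disk{}
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real appliance keeps it in hardware
	app, err := NewAppliance(key, Policy{7: true}, disk)
	if err != nil {
		return Outcome{}, err
	}
	record := []byte("INSURER-RECORD policyholder 0001") // constructed sample data
	app.Write(7, 0, record)
	app.Write(9, 0, record)

	var out Outcome
	got, err := app.Read(7, 0)
	if err != nil {
		return out, err
	}
	out.HostReadsBack = bytes.Equal(got, record)
	out.DiskLeaksPlain = bytes.Contains(disk[slot(7, 0)], []byte("INSURER"))
	out.ClearLUNLeaks = bytes.Contains(disk[slot(9, 0)], []byte("INSURER"))

	thief, _ := NewAppliance(bytes.Repeat([]byte{0x43}, 32), Policy{7: true}, disk)
	_, err = thief.Read(7, 0)
	out.WrongKeyFails = err != nil

	disk[slot(7, 1)] = disk[slot(7, 0)] // insider relocates the encrypted block
	_, err = app.Read(7, 1)
	out.MovedBlockFails = err != nil
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Two points the paragraph leaves implicit are visible here: the scratch LUN left out of the policy is exactly as readable off the stolen media as it was before the appliance was installed, so the policy decides what the encryption is worth; and because the key never touches the disk, a stolen disk is only as valuable as the attacker's ability to obtain the key from the appliance itself.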

Eventually, Marrone believes the software on these appliances could reside on SAN switches -- particularly next-generation switches that have the power to run intelligent applications without introducing a lot of latency. Brocade Communications Systems Inc. (Nasdaq: BRCD) appears to be keeping an eye on this opportunity (see Brocade, Kasten Chase Secure SANs, Brocade Joins SNIA's Security Forum, and Brocade Reupholsters Rhapsody).

Kasten Chase, another provider of SAN security technologies, has identified at least three weak spots in today's storage networks that end users should consider:

  • Theft of Stored Data (High Risk): Security surveys indicate that rogue employees are a frequent source of security breaches. Insiders can steal tape backups of stored data from on- or off-site libraries, or seize data in transit during remote backup operations.

  • Attack from an IP Gateway (Medium Risk): Fibre Channel connections are typically short and contained within the data center and its strong physical security. However, storage networks often have an IP connection for system administration purposes and are thus open to attack from other IP networks.

  • Sniffing Connections (Low Risk): Sophisticated adversaries can sniff Fibre Channel connections to steal data in transit within the SAN fabric. This is a relatively unknown phenomenon today, but it is happening, security experts say. Highly valuable corporate data is of considerable interest to unscrupulous foreign and domestic competitors and organized crime syndicates.

It's clear that as more and more users begin to network their storage, there are significantly more entry points and possible points of compromise. At the same time, more crucial company information is being kept in electronic form, and there are strict penalties if data is lost (see Storage Admins Fear Regs and Feds Prep Disaster Recovery Regs).

Many companies may want to take the additional step of encrypting the data at rest. Time will tell how many of them are willing to shell out the extra dollars to do so.

Ian Galbraith, VP of sales and marketing at SymTech Canada Ltd.
