According to legend, when bank robber Willie Sutton was asked why he robbed banks he replied “because that’s where the money is.” In his autobiography, Sutton denies ever having made that statement, but the quote nevertheless persists.
Regardless of its truth, this story has important security implications for enterprise storage managers. Widely distributed storage such as traditional direct attached storage (DAS) doesn’t present much of an attraction to hackers, since it requires too much work for a low chance of return.
But with server consolidation, Network Attached Storage (NAS) and Storage Area Networks (SANs) bringing a corporation’s intellectual assets into one location (virtual or otherwise), these attractive data depositories must be protected like Fort Knox. Unfortunately, organizations have been slow to realize this.
“Direct attached storage has good security, but NAS has definite security issues and weaknesses,” says Brandon Hoff, McData Corp.’s (Broomfield, Colo.) advisor to the Storage Networking Industry Association’s (SNIA) Storage Security Industry Forum (SSIF). “Centralizing and globalizing storage means that it is exposed on the network.”
Perimeter defenses such as firewalls and honey pots (sometimes) keep out hackers and intrusion detection systems (hopefully) catch invaders before they do too much damage. At least that is the theory. Ninety percent of respondents to the FBI/Computer Security Institute’s 2002 Computer Crime and Security Survey, however, reported that they had detected computer security breaches within the previous 12 months. We don’t know whether the other 10% had adequate security protection, or lacked adequate means of detecting the breaches which were happening.
While most of these attacks are small scale, some make the headlines, such as the incident in early February where someone hacked into a database containing 8 million Visa, Mastercard and American Express credit card account numbers.
Then there are all the internal jobs, such as the employee of credit report processing firm Teledata who last year was arrested for accessing the credit reports on more than 30,000 people and selling them to criminals for $60 each, or the employee of ISM Canada who is accused of stealing a hard drive containing personal information on more than one million customers.
“Consolidation of resources opens storage up to a number of security risks that did not exist in the past,” says Nancy Marrone, senior analyst for the Enterprise Storage Group (Milford, Mass.). “Administrators now need to make sure each client is secure, and that each portal to the storage itself cannot be breached.”
Although companies have their own business reasons for protecting storage assets from destruction or illegal access, there is now outside pressure to ensure they do so. At least two of the above incidents, for example, have resulted in the filing of class-action lawsuits.
In addition, there are a growing number of laws regulating the field. Companies doing business in Europe must comply with the EU Data Privacy Directive which lays out strict rules regarding the gathering, storage and transmission of personal data.
In the United States, there is the Health Insurance Portability and Accountability Act (HIPAA) which similarly sets data privacy standards and the Gramm-Leach-Bliley Act which applies specifically to financial records.
Further, the State of California last September passed Senate Bill 1386, which mandates that, beginning July 1, 2003, companies must notify California residents whenever there is a security breach resulting in their personal data being acquired by an unauthorized person. This applies whether or not the data is stored in California. Such announcements could have severe implications for stockholder as well as public confidence.
“CEOs and CFOs have recently become far more interested in storage security,” says Hari Venkatacharya, senior vice president of Secure Networked Storage for Mississauga, Ontario-based data security firm Kasten Chase, “since they have to sign off on it for regulations such as HIPAA.”
Storage Security Scramble
According to analysts, there is no quick fix that will instantly protect enterprise storage assets. Instead, it requires a comprehensive, end-to-end enterprise solution.
“Companies need to assess the vulnerability of storage from multiple perspectives,” says Marrone. “After assessing, they need to make sure they have every access point secured and, if they have particularly sensitive data, they should look into further protecting it through encryption of the data at rest.”
Several companies have released appliances specifically designed to do this type of encryption, including NeoScale Systems, Inc.’s (Milpitas, Calif.) CryptoStor FC, Vormetric, Inc.’s (San Jose, Calif.) CoreGuard, and Decru, Inc.’s (Redwood City, Calif.) DataFort.
Kasten Chase Applied Research, meanwhile, takes a non-appliance approach with its Assurency Secured Network Storage.
“The vulnerability in using an appliance is that it doesn’t scale as well,” says Venkatacharya. “In addition, an encryption appliance can affect LUN masking [Logical Unit Number — identifier used on a SCSI bus to distinguish between devices sharing that bus].”
New Standards
In addition to the new storage security software and devices which are coming out, SNIA has also been working with the industry to formulate much needed standards for security.
“The Storage Security Industry Forum is working to establish best practices and to educate customers,” says Hoff. “Security is 80% planning and 20% implementation.”
The American National Standards Institute (ANSI), too, is addressing the area of security standards through the Fibre Channel Security Project (FC-SP). FC-SP operates under ANSI’s Technical Committee T11, the body which works in the fields of Fibre Channel and storage network management.
The Internet Engineering Task Force (IETF) is also involving itself in the issue through its IP Storage Group (IPS). IPS is not developing its own standards so much as it is adapting those set forth by T11 and T10 (SCSI) for use in transmitting storage blocks over an IP network, rather than over Fibre Channel or SCSI. In particular, it is addressing the areas of security, naming, discovery and configuration.
“The industry wants to establish one standard for security,” Hoff continues. “We want to take the established networking best practices and adapt them to storage since network administrators already understand those standards.”
With all these new standards, devices and software hitting the market, security then comes down to that final 20% Hoff spoke of — putting it in place on individual storage systems.
As the SQL Slammer worm illustrated, getting people to keep their systems secure is still a weak point. But if you don’t, Willie Sutton’s IT progeny are standing by to pay your storage a visit.