In-Depth

Storage and Security: How Real is the Threat?

Partially at the behest of a reader, we take a look at the storage-security nexus.

• By Jon William Toigo
• 06/12/2003

The company in question reported difficulties when seeking to return defective disk drives to their manufacturer for replacement under warranty. According to legal eagles, if the possibility existed for privileged data to remain intact on the media, then the disks could not be passed along to a third party.

The storage administrator in the article suggested several approaches for rectifying the problem, including the erasure of the media using a high power electromagnet. He needed to find a way to render the media unreadable in order to fulfill the privacy requirement while not deliberately damaging the media and nullifying his warranty.

Lawyers found that all of the suggested solutions ran afoul of requirements to test the drives—which were non-functioning in the first place—to ensure that the erasure had succeeded. In the final analysis, it appeared that one side effect of HIPAA was that it had absolved disk drive manufacturers of their warranty obligation to provide free replacements for defective wares.

One reader, Warren Avery, who is the president and founder of solution integrator Promethean Data Solutions, Inc. of Phoenix, AZ (http://www.prometheandatasolutions.com), offered another suggestion—one apparently overlooked by both the IT manager and this columnist.

Avery offered that if the data on the drives had been encrypted securely in the first place, its possible disclosure would not have been an issue.

He observed that encrypting data prior to its storage could provide a graceful resolution to both of the problem scenarios discussed in the column, as well as the threats posed by internal and external sources. “Both of the examples happen to be HIPAA-related, but pay attention to the California Law SB1386, the Sarbanes-Oxley Act of 2002 and the Gramm-Leach-Bliley Act if you want to see the writing on the wall. Your data is sitting on your disks for the most part in clear text—do you know who is getting access?”

Going further, Avery offered, “Most of the money today is spent keeping the fox out of the hen house. Fifty to eighty percent of the time the fox is already in the hen house. Data losses for external attacks total about $50,000 per incident, the cost for an internal attack averages around $2.5M. Willing to bet $2.5M against a $60,000 encryption solution?”

Avery’s note was innovative and on point. We tend to frame issues of storage security in terms of protection from hackers and other malcontents who would seek to access, disclose, and potentially destroy data. When asked recently about known hacker attacks on SANs, a panel of industry insiders responded that they were unaware of any specific incidents. For many trade press pundits, this response was enough to invalidate the preceding hour of discussion about the need for security in storage.

However, if you consider Avery’s point of view, the best case for data protection may be less the avoidance of hacker attacks than the need to comply with legal mandates in a way that won’t sabotage the typical econometrics of storage operations. If encryption also keeps the hackers out, that’s just added value.

It remains to be seen how encryption can be delivered efficiently in a FC fabric storage setting. Fibre Channel itself does us no favors, since it offers no services for in-band security. However, products such as NeoScale’s CryptoStor FC appliance (http://www.neoscale.com), Decru’s DataFort, which Avery’s company resells (http://www.decru.com), and others are on the leading edge of on-the-fly encryption approaches, and Hitachi Data Systems and EMC are just two of the many storage array providers that are adding software for security and encryption into their storage platforms directly.

Looking forward, many observers claim that the threat to storage will increase as storage itself becomes more and more networked. IP SANs hold the potential to open a Pandora’s box of security exposures because of the widespread familiarity with the protocol among those who would seek to do harm. Conversely, we have substantially more experience with security in IP networks than we ever had in Fibre Channel, and there are services in the TCP/IP network protocol suite that will enable security to be delivered in more robust and in-band ways.

The time to begin thinking about storage security is now. Thanks for the note and the perspective, Mr. Avery.