Securing Storage a Sound Plan for Startups

The beauty of storage area networks is that employees can gather, store and retrieve specific information from terabytes of data at a moment’s notice. But SANs can also be surprisingly vulnerable to attacks.

Storage experts say that major vendors, such as EMC , IBM , HP and Hitachi Data Systems , have ignored security for too long and run the risk of leaving the customers who buy their pricey products vulnerable to attacks. This oversight could result in millions of dollars of damage in lost or misused information.

How big a problem is it? A recent PricewaterhouseCoopers report concluded that the top result of security breaches is the compromise or loss of stored data — not impacts to application or network availability, according to 30 percent of 7,500 surveyed IT professionals.

Disregard for storage security has created opportunities for a handful of companies. Companies like Decru, NeoScale, Vormetric, Kasten Chase and Ingrian Networks have all developed unique software and/or hardware methods to help enterprises with SANs repel attackers.

The situation wasn’t always so serious, according to Hu Yoshida, a vice president and chief technologist at Hitachi Data Systems. Older direct-attached storage methods don’t have the multiple access points.

Every connection, whether it be to a host bus adapter, storage devices or fibre channel port, runs the risk of being infiltrated. Attackers may grab the network address and “spoof” a user, pretending they’re someone else. Yoshida said the architecture of SAN is like layers in an onion; once an attacker gets past one layer he may “peel away” the next.

Of course, SANs have been around for years, so what makes this such a problem now? Rules have changed, Enterprise Storage Group analyst Jon Oltsik told “There are a lot more government regulations now that say we have to keep information for a certain period of time and if a company can’t produce the files, they could be face legal action.”

Oltsik said SANs offer “extremely preliminary security” in the form of zoning and partitioning logical unit numbers, or LUNs,
, which distinguish between devices that share the same bus . Using these techniques, the analyst said, “my server can’t see into your disk partitions, even if they’re on the same device.”

But these features are not enough to stop a diligent hacker’s attempt to steal information or vandalize the system, Oltsik said. Major vendors have tended to ignore security principles such as authorization, authentication and other policy-based protocols, but they are getting more wise, protecting their SANs from being written over by another host.

HDS’ Yoshida admitted this is true, but noted that HDS has taken steps to alleviate the security issues, including a feature in its Thunder and Lightning arrays that responds to a “checksum,” a basic error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The checksum is then processed to guarantee that what is written on to a disk was recorded without modification.

But most vendors don’t have such a system, which is why Yoshida and Oltsik both say there is a solid market opportunity for startups like Decru, Vormetric, NeoScale, Kasten Chase and Ingrian.

Oltisk said the companies employ distinct methods that ultimately secure stored data. Decru, NeoScale and Kasten Chase make devices that intercept bits of data, while Vormetric secures both the server and the storage. Ingrian secures bits at the database and applications level, but not the storage layer.

Dan Avida, CEO of Redwood City, Calif.’s Decru, believes that “hostile insiders” are more of a threat to stored data than outside hackers. That’s why his DataFort appliance is designed to encrypt data, making it accessible to only those with authorized access. Being entirely hardware-based, he said, isn’t easy.

Avida said DataFort combines AES encryption, layered authentication, and key management with an architecture designed to protect data in SAN, NAS, DAS and backup environments and costs $30,000 to start for a file server, disk array or tape implementation.

Mountain View, Calif.’s Vormetric goes about securing storage a different way, according to co-founder and vice president of partner development Phil Grasso, who positions his company’s CoreGuard security appliance as unique in that it combines host protection, data encryption and access control to protect the network core.

“Our product has a mechanism to guarantee secure servers using storage encryption,” added cofounder, executive vice president and CTO Duc Pham.

“The difference between our tech versus other [storage security vendors] is that we protect data in storage with a centralized security product and management. We offer enforcement that sits where the threat is and policy management, which is done by the security appliance.”

Grasso and Pham recommend users purchase two CoreGuard appliances to span heterogeneous environments for $39,500.

ESG’s Oltsik, who has studied products from all of the major storage security vendors, won’t claim a favorite. It is partly because of this that he doesn’t see the market as being as lucrative as people might think. Also, many businesses don’t have the extra money to spend on security hardware that costs $30,000 to $40,000 for a platform.

Because of this, he anticipates a shakeout in the small sector, leaving the top one or two storage security vendors standing. The analyst said he imagines storage fabric vendors such as Brocade Communications Systems, McData or Cisco Systems could scoop up any one of the companies.

Oltsik also said it’s feasible that security vendors such as Symantec or RSA might throw their hats into the ring because of the quality of encryption and authentication in the products.

After all, he said, the products are of high quality, owing to the fact the companies were founded by security experts.

News Around the Web