Data security is a must for Transend Business Services, a provider of Web-based managed business transaction services located in Chicago and Ottawa.

As part of its services, the company stores and archives massive amounts of sensitive data regarding its clients' customer transactions. The company defends itself with multiple layers of firewall security, as well as VPN tunneling for data replicated between the company's data centers.

Recently, however, Transend and its customers have grown increasingly concerned about the potential for security breaches on the data storage side, especially after several well-publicized cases in Canada where companies lost control of sensitive data when employees walked out with disk drives.

Transend is not alone in this concern. In a survey published last July, Enterprise Strategy Group (ESG) in Milford, Mass., asked 388 storage professionals where they thought their company was most vulnerable to a storage security breach. Forty-two percent cited a deliberate attack by an IT employee, 33% mentioned human error, 11% said technology flaws, and only 4% said an attack from the outside.

One answer: Encryption
Transend has responded in the same way as an increasing number of companies: by deploying encryption technology for data that is housed on its SANs. Having spent a huge amount of time and money shoring up their outer defenses, many enterprises are beginning to guard their stored data against insider attacks, disgruntled employees, unprincipled contractors and visiting clients.

Another reason for the heightened interest in encryption is the advent of government regulations like HIPAA, Sarbanes-Oxley and PHIPA in Canada.

"Transend customers who are liable for the security of their own customers' information pass that liability onto us," says Brent Luckman, CEO at Transend. To avoid potentially crippling litigation, and to protect its clients' information, Transend needed a way to secure not just data traveling between storage devices but also data at rest.

To do so, Transend chose NeoScale's Cryptostor FC, a network appliance that sits on the SAN, intercepting data between attached hosts and storage resources, and applying AES256 block-level data encryption. This assures customers that their sensitive data will not be shared with another company, Luckman says.

"By implementing the Cryptostor Solution, Transend cut its product and services liability with one of the major Canadian banks from $1 million down to $100,000," Luckman notes.

Mounting costs
According to Gartner research director Rich Mogul, companies that don't encrypt stored sensitive data will spend 50% more than enterprises that do, because they will fail to comply with regulatory or contractual data protection requirements. By year-end 2007, he predicts, 80% of Fortune 1000 companies will encrypt most of their critical data residing on networked storage devices.

Dartmouth College's Center for Evaluative Clinical Studies (CECS) is another organization that has already taken the step. The center, which conducts studies on medical issues such as the quality of Medicare in various states, currently has 7 terabytes of medical data on tape.

Vin Fusca, operations director at CECS, explains that it was a constant worry when his organization received tapes from organizations like the Center for Medicare Services that come under HIPAA security regulations. "We were constantly worrying about a tape disappearing or being mislaid," he says. "Furthermore, if a server drive failed, and we sent it back under warranty for replacement, we'd have to destroy all the data on the drive."

CECS deployed Decru's Data Fort network appliance, which now encrypts all data at rest on tape, as well as data in transit to researchers' workstations. As a result, "It would take the NSA to break into one of our drives, so we can just send them out for repair," says Fusca. "I sleep 100% better at night."

Filling the gaps
Network encryption appliances fill a crucial security gap, securing data both at rest in storage devices and on the SAN itself. For instance, "IP Sniffers can break into an iSCSI network, and oscilloscopes can intercept data on an FC SAN," says Jon Oltsik, a senior analyst at ESG.

To fill that gap, Neoscale recently announced Cryptostor SAN VPN, which provides IPSec encryption at 2G bit/sec. between two Fibre Channel ports. This enables users to encrypt data over synchronized backup connections across a metropolitan-area network connection, a Neoscale spokesman says.

However, encryption is only one component of an effective data-level security strategy, Mogul emphasizes. "A big part of it depends on basics, notably access controls that are built into virtually all file systems, operating systems and storage network devices," he says. "If I compromise a server and make use of its user credentials, I can get into files despite encryption."

Administrative access rights is a particularly thorny area. "A lot of storage management software products use insecure protocols that are accessible via HTTP, another insecure protocol," notes Oltsik.

"In a normal SAN set-up, anyone can use a Web-based management tool from any console, if they know the password to log onto the fabric," agrees Jay Kidd, CTO at Brocade. Administrators' privileges allow users to reconfigure zones or ID privileges to grant themselves carte blanche access to stored records.

Defense strategy
Leading network and storage vendors have been steadily strengthening their products' defenses against such incursions.

IP-based storage network vendors employ long-established IP-based security mechanisms, says Keith Brown, director of technology and strategy at Network Appliances. "For example, all of the major router companies provide protection against IP address spoofing." iSCSI and iFCP protocols include authentication and encryption.

Brocade's SAN operating system has a built-in feature that secures the administration path by encrypting it from the management station to the fabric, preventing snooping for passwords, Kidd notes.

More recently, vendors began introducing integrated security management tools and platforms to help customers monitor, pinpoint and address the weaknesses in their storage infrastructures.

A separate Brocade product, Secure Fabric OS, uses access control to lock down what console and which Fibre Channel switch can be used to make changes to the fabric. Administrators can also use the product to lock down a SAN configuration in terms of which user devices can attach to a given port, and which ports and Fibre Channel switches a given worldwide name can use to gain access to the fabric. This guards against both intentional Worldwide Name spoofing and accidental misconfigurations, Kidd says. "If someone plugs the wrong server into a port, you've got a security hole," he adds.

Market is proprietary, fragmented
Like most young markets, the storage network security industry is fragmented and largely proprietary, forcing IT administrators to use different software tools and interfaces to manage different product brands and areas of security.

Vendors say they're working to change this. "Security has to be an end-to-end proposition," says Decru's Brown. "The bad guys go for the weak links."

"Security solutions need to apply to multi-vendor, multi-protocol storage network environments," says Brandon Hoff, security business manager at McData.

Symantec recently announced its Information Integrity Strategy, which calls for uniting all of its recently acquired security and availability management products in a single, integrated platform. "It will keep all nodes in the organization protected and conforming with security policy," says Don Kleinschnitz, the vendor's vice president of product delivery. Symantec's pending merger with Veritas will enable Symantec to extend its strategy to storage systems, he adds.

Meanwhile, networked storage vendors are beginning to provide integrated security management through support of industry standards, such as Fibre Channel Security Protocol.

"FC-SP is converging the storage industry on a single set of security mechanisms, regardless of whether the storage transport is based on iSCSI, FCIP or FC," a Cisco spokesman says.

At the October 2003 Storage Networking World conference, Cisco, Qlogic, Emulex and Microsoft demonstrated an end-to-end security solution using FC-SP and Radius.

Netapp's Data Fabric Manager can simultaneously manage configurations and security on SAN, NAS and iSCSI storage networks, Brown says. "For the IP SANs we predominantly use Kerberos; on the NAS side, we work with Secure NFS. On the SAN side, we can configure zoning and pathing," he says. However, the platform only manages Netapp products.

McData's recently introduced SANtegrity Security Center can potentially manage any SAN that adheres to industry standards such as FC-SP and iSCSI, Hoff says. It currently manages SANs from Brocade and Qlogic. Through a common interface, an administrator can see what's configured correctly or incorrectly, and set up traps and thresholds. For example, an alert would be sent if a device or server changed its worldwide name and tried to log back into the SAN.

Notes Hoff, "Our goal is to help customers build a trusted infrastructure with an authorization model that determines who gets to see what, from a user, device and server point of view."

Users just getting started
Most enterprises are just starting to build a cohesive data security strategy. Between 84% and 91% of customers polled by McData last year had no written storage security policy. Nearly a third of respondents to ESG's recent survey said their current security policies and procedures don't take storage into account.

On the other hand, 53% of respondents said they either have conducted a security audit or plan to. "While market demand for storage security systems is still at a trickle, I think this is the year it will pick up," says Oltsik.

Corporate security professionals are starting to recognize that they can no longer afford to ignore storage, he indicates. Asked if their company had ever experienced a storage security breach, 27% of the 388 storage professionals said either, "Yes," "I don't know" or "We can't tell."

"A security professional would consider that 27% a huge risk," says Oltsik, "particularly when you're dealing with customer databases, intellectual property and credit card records."

Elisabeth Horwitt is a freelance writer in Waban, Mass. She can be reached at [email protected]