Enterprise Strategy Group
Published: 12 Jan 2006
No more dodging storage security
It may have taken a while to get everyone's attention, but security should now be at the top of every storage manager's to-do list.
It's January and you know what that means. No more end-of-year parties, office decorations or easy work weeks. January is all about setting annual goals and living up to New Year's resolutions. In other words, it's time to knuckle down and figure out your storage priorities for the upcoming year.
Last month, I predicted that one of the dominant trends we'll see in storage in 2006 is a greater focus on security [see "Storage predictions for 2006 (Part one)," Storage, December 2005]. This is an issue near and dear to my heart because I've been one of the few storage security voices over the past few years. But now it seems like everyone is jumping on the storage security bandwagon--end users, vendors, service providers, etc. Heck, even other storage analysts are starting to take notice.
Beyond the basics
As security gains visibility and momentum this year, the Enterprise Strategy Group (ESG) believes the storage community will move beyond security basics and close the year with a new set of acronyms, buzzwords and--most importantly--security knowledge. In this context, in 2006 my previous high-level prediction of "storage meets security" will be eclipsed; this will be the year when the storage security rubber finally meets the road.
I know what you're thinking. What should we anticipate when storage security becomes commonplace? Because the year is still quite young, allow me to elaborate with a list of three specific storage security trends for 2006.
- ENCRYPTION BECOMES UBIQUITOUS. Last year was a harbinger of things to come on the encryption front. Early in 2005, storage encryption was synonymous with appliance vendors like Decru, Kasten Chase and NeoScale Systems; but by December, encryption technology was introduced throughout the storage infrastructure. Nexsan Technologies added encryption to its storage systems. Maxxan supplemented its intelligent storage switches by adding encryption capabilities at the port level. Atempo bolstered its backup software with information lifecycle management-centric encryption capabilities. And some leading tape drive providers such as IBM, Quantum and Spectra Logic articulated roadmaps that contained encryption and other security enhancements.
Storage encryption momentum will pick up more speed and gain greater focus in 2006 as technologies from host bus adapters, switches and storage systems add cryptographic capabilities. To further muddy the waters, encryption will move to the mainstream in file systems and databases. Every IT manager will have to decide where and how often they should scramble the bits.
All of this encryption commotion means two things: Storage managers must curb their enthusiasm and work with their peers in security to determine the best way to protect confidential data, and omnipresent encryption will make key management the next "killer app" in security.
- STORAGE SECURITY SERVICES WILL TAKE OFF. ESG's storage security research in 2004 revealed that only 37% of organizations had conducted a security audit on their storage infrastructure. It's likely that some of the remaining 63% have followed suit and performed audits since then, but ESG believes that the vast majority of organizations have yet to carry out this type of risk analysis. Why? Storage folks simply don't have the right skill sets, and because security knowledge remains foreign, many storage professionals have no idea where to look for help.
To date, several companies, such as Computer Associates, GlassHouse Technologies and Kasten Chase, have taken advantage of user demand and the gaps in storage security skills by offering assessment services. Look for the storage security services pool to get a tad more crowded in 2006. Some of the big players like EMC, Hewlett-Packard, Hitachi Data Systems, IBM and StorageTek/Sun are already experimenting with storage security services in limited markets. We can anticipate new service announcements all year long. Consulting shops such as Accenture, Capgemini and Ernst & Young will also address storage security under bigger umbrellas like risk management or compliance. Sensing high demand, regional mom-and-pop storage VARs will develop security practices, and don't be surprised if security services leaders like Symantec and Unisys also get into the game.
Storage professionals should ensure that their service providers have the skills and staff to thoroughly assess every storage process and technology to uncover the entire gamut of threats and vulnerabilities. Smart storage managers will include the chief information security officer (CISO) in this exercise. These security honchos should be able to help you assess security skills while making the storage security audit a part of their overall enterprise security picture.
- STORAGE SECURITY WILL BE INTEGRATED INTO THE EXISTING INFRASTRUCTURE. When storage software vendors first offered asynchronous mirroring over IP, it was a chance for storage and networking professionals to find ways for their technology piece parts to talk. After some initial hiccups, the storage team grew comfortable with a potpourri of networking concepts like Gigabit Ethernet switches, wavelength-division multiplexing and WAN services.
Storage security will lead to another cross-functional IT experience. More enterprise-class storage technologies will offer security features like role-based access control and logging. To get the most out of these enhancements, security officers will demand that these features be integrated with existing authentication, authorization and auditing (AAA) technologies such as Active Directory, RADIUS and identity management software, as well as log-file aggregators. The integration frenzy will also be driven by the introduction of storage products that adhere to the InterNational Committee for Information Technology Standards (INCITS) T11 committee's Fibre Channel-Security Protocols (FC-SP) storage security standards due out in early 2006.
To avoid any surprises, storage managers should plan for this integration as part of their storage security implementation. Yes, this will add time and money to each project, but it will also deliver faster ROI and better security.
Security seeking storage
There's one final trend worth discussing, although it doesn't fit into the storage security category. Ironically, security professionals will seek out their storage brethren for help in dealing with massive storage capacity growth in 2006.
Unbeknownst to the storage universe, security is crossing its own chasm. Security vendors are getting better at capturing and consolidating myriad security data from vulnerability scanners, log files and even surveillance cameras. As a result, security investigation is moving from real-time reaction to historical analysis--much like databases evolved from transaction processing to data warehousing. This storage-centric security movement was recently illustrated by a joint announcement from security analysis software leader SenSage Inc. and EMC's Centera. This is just the tip of the iceberg.
Gray-haired storage professionals remember the capacity explosion caused by the data warehouse boom of the mid-1990s, so they should know what to expect with security data as we enter the last half of the decade. Storage chiefs should seek out the CISO and offer the storage group's help as soon as it's needed. This will make the storage team look like heroes and help to anticipate storage management problems that are sure to arise by the time we welcome in 2007.
The combination of data growth, intelligent storage networking and global connectivity provides all the necessary ingredients for a security nightmare cocktail. Forget about adding just a bit of security into the storage infrastructure. In 2006, we'll see layered defenses introduced into the storage infrastructure as storage teams quickly educate themselves on advanced security concepts.
What does this mean? Storage professionals must look beyond the storage infrastructure and figure out how to fit into overall enterprise security policies, defenses and data management. The functional walls between storage and security will crumble. It's going to be a busy year!