Networked storage not yet secure

Even companies with medium-sized networks are employing NAS appliances or constructing intelligent network-based filing systems with SAN characteristics. That's great, but I'm not convinced that storage vendors are innovating when it comes to security, much less that central storage systems are safe in the first place.

SAN/NAS security is troublingly vague. What does exist, including a few dedicated products and one IETF edict acting as a standard, is still evolving. That's a trouble spot for IT managers calculating a storage budget for the coming year. If these folks can't fully define the security question, then the dollar-cost question will be similarly problematic. Tack on implementation and staffing costs, and it's a good bet that customers won't accept the technology until it's mature enough to behave predictably in a budgeting spreadsheet.

The good news is that it's not complete bedlam out there. On the one hand you've got appliance-style SAN security products from companies like Decru and Neoscale, both of which sell rack boxes capable of layering wire-speed encryption onto your storage architecture. You've also got services from companies like Iron Mountain that manage security for both electronic and hard-copy archives. And finally, there are industry standards bodies, which in this case means the IETF's Internet Engineering Steering Group (IESG).

Last fall the IESG issued an edict that will require future IP storage devices and their related networking components to contain IPSec authentication and encryption in order to maintain standards compliance. Basically, any storage product, controlling device, or host bus adapter, as well as their related software, is required to contain IPSec-compliant security.

Sounds like we should be really safe. But what if we're using a NAS device from Cisco, a security appliance from Decru, and related network cards and host bus adapters from Compaq/HP? Are we to mix and match encryption from one vendor with standards-based authentication from multiple vendors--how would that work day to day? I foresee an awful lot of tweaking by storage administrators--which should never be done with something as critical as a central data store.

And naturally, this tweaking could impact performance. "Wire-speed security" sounds great on paper, but no encryption comes without some overhead cost. If you layer that encryption onto a network resource under constant user load, you have to continually monitor and massage that resource to maintain proper service levels.

Bandwidth issues are only part of the problem here. Managing key rotations between host (SAN) devices and an ever-changing, ever-hungry user environment is another. And what about security measures already embedded into hardware, such iSCSI or InfiniBand? Finally, IPSec authentication, access control, and related event log monitoring also will need to be integrated with an existing domain- or directory-based authentication infrastructure. This can be a real difficulty no matter which directory/operating system you 're using.

The bottom line is that regardless of whether you choose a standalone SAN security product or build your own standards-based solution, securing centralized network storage is still complex. At the moment, this is more of an art than a science. You'll need guru-level architects and lots of man-hours for maintenance and monitoring--not something I want to put on this year's IT budget. If SAN vendors want us to invest in centralized storage, they need to address security. And to do that, they need definitive answers and procedures that won't blow your budget.

Do you think networked storage is a big security risk? TalkBack below or e-mail us.