Turning the security lens on storage

The Storage Networking World conference in Orlando last week was bustling with scores of vendors and buyers talking about everything from storage security to storage resource management.

In fact, SRM – the ability to centrally manage and provision multivendor, multitechnology storage resources – seems to have eclipsed virtualization as the Holy Grail of storage. But vendors define SRM differently, so it will be some time before we can agree on an end point and start to map out how to get there.

I was at the show – sponsored by sister publication Computerworld in conjunction with the Storage Networking Industry Association (SNIA) – to chair a vendor panel on storage security. As storage resources are networked and we adopt technologies such as iSCSI to move storage data around IP networks, sometimes over distance, it becomes clear we need to start adopting traditional network security thinking.

I asked the panel – which included representatives from Decru, Iron Mountain, Kasten Chase, Nortel and Vormetric – if storage is a feature or a product.

Bill Schroeder, president and CEO of Vormetric, argued that storage security is complex so it is best addressed in stand-alone products offered by companies like his that are focused on the task. Maybe with time it gets absorbed into other products, he said.

While you would expect him to say that, Dan Avida, president and CEO of Decru, pointed out that everyone thought Check Point Software Technologies Ltd. wouldn’t get off the ground because of Cisco, but look at it today. “The need for high performance dictates use of stand-alone products,” he said.

Asked whether it was more important to secure primary or secondary storage – given secondary is often transported and sometimes ends up off site – Avida argued for primary. “If you encrypt that, everything you back up will already be secured.”

But some of the panelists said you don’t need to secure everything. Focus on the applications that are the most sensitive.

There was some disagreement about key management. Schroeder said it isn’t much of an issue because the systems use the same key in the encryption process as they do in decryption. But Avida says that key rotation was important. You want to make sure your key management system can unlock data that has been locked away for years.

If nothing else, the panel highlighted that storage security is an emerging and important field that deserves study.