Is Your SAN Safe?

Until recently, few people lost much sleep wondering whether their data storage was secure the disks themselves were locked up in the data center. But with the shift from direct-attached to networked storage, danger seems to be lurking behind every corner, and the monsters under the bed have been multiplying.

Storage administrators have every reason to worry. In January of this year, for instance, IBM Information Systems Management, a subsidiary of IBM Corp. (NYSE: IBM), lost a hard drive belonging to one of Canada's largest insurance companies. The 30 Gbyte-drive, which has since been recovered, contained the personal files of at least 180,000 Co-operators Life Insurance Co. clients (see IBM Loses Insurer's Data).

One month later, online intruders got into the system of an Omaha-based company that handles credit card transactions for retailers and financial institutions, making off with as many as 8 million Visa, MasterCard, American Express, and Discover credit card numbers. Then, in March, the University of Texas had to inform more than 55,000 of its students and faculty that a hacker had got hold of their personal information, including social security numbers, names, addresses, and email addresses.

These are just a few of the security breaches that have actually been reported. Most are not.

There's a new class of storage encryption appliances that are designed to ward off nightmare scenarios like those described above. As the vendors in this emerging space are quick to point out, if the institutions whose data was compromised had encrypted the information resting on their disks and servers, they would not have had to worry about it being stolen.Of course, thieves have been getting their hands on sensitive information since way before Mata Hari was caught spying for the Germans during the World War I. But in today’s world, where companies’ ballooning amount of data is their most valuable asset, the stakes keep getting higher. According to the 2003 Computer Crime and Security Survey, published by Computer Security Institute (CSI) and the FBI in May this year, companies reporting theft of proprietary information reported an average loss of $2.7 million.

Back in the day when all storage was direct attached, companies could fairly easily control who had access to what, keeping sensitive data safely hidden from prying eyes. But as a growing number of companies have joined the rush to network their storage, they’ve often naïvely held onto the belief that throwing a firewall or two up in front of their stored data is enough to keep it safely tucked away.

"The bottom line is that the way network security is done today, companies tend to protect against external intrusion – but well over half of all data theft is done internally," says Enterprise Storage Group Inc. analyst Nancy Marrone. "Firewalls are great, but they’re not going to protect you against more than 50 percent of all attacks."

These trends and more are explored in Byte and Switch's new report on SAN security. To read the full report, click here.

— Eugénie Larson, Senior Editor, Byte and Switch