Until recently, asking an IT administrator about storage security often resulted in a puzzled look. IT security is generally thought of as a perimeter activity. Preventing unauthorized access to the network generally provides adequate protection to the contents of the network.
More-astute network administrators realize that there are other issues regarding storage security, the most pressing of which is making sure only the appropriate people have access to data. Because of various legal requirements regarding data storage--such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley (SOX) Act--securing stored data has become a much higher priority in many businesses.
Traditionally, one of the biggest obstacles to providing security for stored data was keeping track of where all the data resided. With servers, desktops, and notebooks scattered all over the enterprise, securing the data on all those user-accessible devices becomes quite a chore, and to a large degree, impossible unless you secure the data in a centralized way. Doing so involves locking down access to data, configuring user accounts so that data is stored on secure network devices, and limiting mobile users' access to data. The data-security process also needs to include provisions for secure, reliable data backup. It makes little sense to secure your network data, only to have the data backups stored somewhere in an unsecured place.
It also becomes critical that you configure your storage security so that not only users--but also applications and hardware that need access to storage--get the access they need. Improper security configuration can stop your applications from running correctly or at all, which could shut down your business workflow. And because many security parameters can be changed on the fly, having standardized security policies in place governing who can make changes becomes yet another important factor in your storage-security model.
Many administrators have looked to storage networking as the solution to their storage and security needs. Although SAN and NAS provide many advantages when they're correctly used, these technologies actually bring their own pitfalls in regard to securing data. SAN and NAS concentrate the data in what can be considered a single location but are often configured to rely on the same or similar perimeter security models to protect the data they contain.
Strong storage security requires a layered protection model that takes into account data location, user-access needs, system-access requirements, and data backup and protection. A layered approach to your storage-security needs, rather than a one-size-fits-all approach to securing your enterprise, will give you more-detailed control over data access and let you modify the security model as the business needs change and grow. Instead of ripping out your data-protection infrastructure wholesale, you should be able to modify those portions that are affected by your business needs while leaving the basic model intact. Draconian security measures that limit availability and flexibility of data access might be useful in a very static environment, but a dynamic business model requires a more carefully thought out, highly flexible approach to storage security.
