Data is the currency of today's enterprises. Although loss of data access can often cost in the millions of dollars each time a company's systems are down, losing sensitive data to an attacker or losing business to a competitor can be catastrophic. That's why enterprise networks go to great lengths to ensure data security for their mission-critical information—especially for data on disks. Data centers typically maintain secure physical access to safeguard corporate information from outside penetration. In addition, conventional Direct Attached Storage (DAS) provides inherent security because parallel cabling binds storage arrays directly to servers. The introduction of Storage Area Networks (SANs), however, has changed this view of secure data storage. SANs provide networking between servers and storage to solve availability and storage-consolidation problems, but peer-to-peer networking technology has the potential for unsecured access.
Consequently, running storage data over SANs invariably raises the concern about security. First-generation fibre channel SANs have relied on the implicit security that data-center environments provide. When multiple departments share SAN resources, however, physical isolation of the SAN might not be sufficient. For instance, the human resources HR department and engineering might share a fibre channel fabric switch, with each department maintaining its own storage resources. To keep HR information private, it's logical to separate the SAN. In fibre channel fabric switches, zoning provides this function. Zoning can divide a single physical SAN into logical storage-access groups. In this example, HR would reside in one zone and engineering in another. The fibre channel fabric switches enforce separation of data traffic so that only zoned participants can communicate with their designated resources. Overlapping zones can group authorized resources for specific functions. Although HR and engineering servers are separate zones, a third access group can zone both departments to a common tape-backup subsystem.
Still, zoning doesn't address the security of data in transit over a link. Even with zoning, someone can sniff the link with an analyzer and capture data. This vulnerability is especially evident when storage data runs over longer, unsecured distances, such as a metropolitan link that a carrier provides. Native fibre channel and fibre channel extension using Dense Wavelength Division Multiplexing (DWDM) lack an integrated security option. Until recently, there hasn't been any means to encrypt the storage data before it leaves the premises.
Ironically, enhanced capabilities that a competing technology (IP SANs) introduces can resolve data security for fibre channel SANs. IP-based storage networking can leverage well-established security mechanisms such as IP Security (IPSec) to provide sophisticated data encryption for storage traffic. Newly introduced IP storage switches enable fibre channel hosts and storage devices to connect to Gigabit Ethernet switches and IP routers. Although some IP routers offer integrated IPSec capability, third-party encryption devices also provide security across untrusted links. These products use the Data Encryption Standard (DES) or the more rigorous Triple DES (3DES) algorithm to thoroughly encrypt sensitive data. Some products also provide gigabit interfaces for optimum throughput. By integrating fibre channel storage and servers with IP infrastructures, network administrators can ensure the security of storage data for any network segments that might be vulnerable to penetration.
Security for SANs is gaining increasing attention as enterprise networks expand their disaster-recovery and remote-backup strategies. In addition, SAN-based storage is gradually displacing DAS over time, thus widening the scope of security concerns. The introduction of IP-storage networking alleviates those concerns by bringing enhanced security features to traditional fibre channel SAN technology.
