It would not be accurate to say that attention to storage security has started to fade, but to be honest, storage security has lost a lot of momentum. While everyone is focused on privacy issues, especially the widely publicized risk of offsite tape loss, only a relatively small number of companies are taking action to improve storage security.
We see a lot of technology evolving, including tape drive encryption (such as LTO-4, IBM TS1130, STK T10000), tape library encryption (such as Spectra Logic), and, to a more limited extent, enhanced key management in backup products (for example, IBM TSM, Symantec NetBackup). On the standards front, we also see IEEE P1619 disk and tape encryption being applied. So, with so many advanced technologies and solutions, what limits the development of storage security?
In some ways, this problem is related to organizational, policy, and workflow constraints in the business. Within the IT department, storage and security have always been two completely separate functions, and the two interact only when a major incident occurs, such as the loss of a disk. Although security provides comprehensive monitoring for networks, endpoint devices, and storage environments (especially storage area networks), the security department operates independently. The general view is that storage area networks are more secure; some call this "hazy security," since it rests primarily on the use of Fibre Channel rather than TCP/IP. As a result, security audits of storage infrastructure and operational processes focus primarily on storage area network security and related internal threats.
Beyond storage area network security, there seems to be little focus on other storage-related security issues. How many security teams naively believe that backup applications are "strong enough" to account for every piece of information in the infrastructure? Is there any limitation of responsibility? Is there anyone who will audit access to the information?
In view of the importance of external data loss, many companies are trying to establish an effective and reliable key management mechanism. Some, in fact, choose a completely different direction: they do not use encryption to solve the problem of offsite data, but simply hand the offsite data storage problem to third-party service providers. The development of certain technologies (such as data deduplication and WAN optimization systems) and the increasing burden of broadband lines have led some companies to back up data by replication to avoid offsite problems. For companies with multiple data centers, this option is becoming more and more practical.
In addition, other companies have taken no action at all. Some ignore the security risk of offsite data loss, and some take a wait-and-see attitude, hoping that key management and encryption technology will continue to progress.