At the most basic level, storage area networks give you more ability to see and control access to storage resources. First, there are a couple of basic barriers to accessing the SAN that must be dealt with: access has to be configured at the fabric level (zoning) and/or at the array level (LUN masking). At first, you might be tempted to consider this a point of exposure. After all, if all of the crown jewels are stored in one location, an attacker knows where to focus their energies. But in fact, it gives you an opportunity to better control and track how your storage is accessed and utilized.
Second, the consolidation inherent in SANs often gives you better access to security features that are built into an array. Today, many arrays come with drive-level encryption features, and there are some advanced network-based technologies available for authentication and in-flight data encryption. It is simply not possible to get this level of features in direct-attached storage (DAS) today.
So, in a nutshell, for data loss prevention, when you turn to a SAN you get better visibility of who is accessing what, and you will likely have better capabilities for in-flight and at-rest encryption of data. For intrusion prevention, some of the authentication and in-flight mechanisms can help as well. But keep in mind that a SAN isn't the whole pie for either aspect. Real DLP and security take a comprehensive approach that covers the network edge, the server OS, the SAN, other points of ingress/egress, and end-user nodes. The SAN can help you augment your practices, but it is just one layer in a multilayer, defense-in-depth data security strategy.
This was first published in June 2009