Ask the Expert

Security benefits of storage area networks

What are some of the security benefits of storage area networks (SANs)?


You can think about security in a number of different dimensions when it comes to storage, and availability is one. However, I'll talk specifically about the data loss prevention (DLP) and intrusion prevention aspects of a storage area network (SAN). I'll use SAN to refer to both Fibre Channel (FC) and iSCSI SANs. While there are some differences between the two, in general, you find similar security benefits from both approaches. Some may argue that Fibre Channel requires a higher intrusion effort, but without segregating a Fibre Channel SAN from all outside attachments, which would also be possible with iSCSI, it is actually fairly easy to tap or break into the Fibre environment these days.

At the most basic level, storage area networks are more capable of seeing and controlling access to storage resources. First, there are a couple of basic barriers to accessing the SAN that must be dealt with, i.e., configuring access at the fabric and/or array level. At first, you might be tempted to consider this a point of exposure. After all, if all of the crown jewels are stored in one location, you more likely know where to focus your energies. But in fact, it gives you an opportunity to better control and track how your storage is accessed and utilized.

Second, the consolidation inherent in SANs often gives you better access to security features that are built into an array. Today, many arrays come with drive-level encryption features, and there are some advanced network-based technologies available for authentication and in-flight data encryption. It is simply impossible to get these levels of features in direct-attached storage (DAS) today.

So, in a nutshell, for data loss prevention, when you turn to a SAN, you're getting better visibility of who is accessing what, and you will likely have better capabilities for in-flight and at-rest encryption of data. For intrusion prevention, some of the authentication and in-flight mechanisms can help as well. But keep in mind, a SAN isn't the whole pie for either aspect. Real DLP and security take a comprehensive approach that focuses on the edge, the server OS, the SAN, other points of ingress/egress and end-user nodes. The SAN can help you augment your practices, but it is just one layer in a multilayer, defense-in-depth data security strategy.

This was first published in June 2009
