"A lot of end users have the mistaken belief that if their storage network is behind a firewall it is secure, and that is a big mistake," Diamond says. "And, unfortunately, many of the major vendors are failing to encourage end users to take advantage of some of the existing security features in their products, like making sure ports are shut down or changing passwords. A lot of education still needs to be done." Diamond also is a member of the Storage Security Industry Forum, formed by the Storage Networking Industry Association to promote the need for storage security and develop best practices.
One reason storage security hasn't emerged as a widespread enterprise concern is the knowledge gap that separates the storage administration staff and the security team at many companies. Accustomed to beefing up perimeter security and responding to E-mail virus attacks, security team members often don't focus on securing core pieces of the IT infrastructure such as storage.
At the same time, although they may recognize that vulnerabilities exist in their SAN environments, most storage administrators have seen security as peripheral to their jobs. While most have employed common Fibre Channel management techniques such as zoning and logical-unit-number masking to attempt to control access to disk arrays, switches, and other elements of a SAN fabric, few are familiar with stronger security technologies such as encryption and authentication.
"Corporate security officials don't really understand the issues around networked storage, while the storage guys generally see security concerns as getting in the way of them doing their jobs," Diamond says.
On top of that, storage security can be a complex issue. Most enterprises live with networked storage elements from a variety of vendors--switches from Brocade Communications Systems and McData, storage arrays from EMC and IBM, for example--and each of those vendors offers different technical options for securing its gear. Storage-security standards that could provide common, cross-platform storage-security tools are just emerging. So, for now, it's not possible to buy a comprehensive storage-security solution as one would a firewall or intrusion-detection system.