Does 'storage security' buy you anything?

I sat in on a webinar the other day and reviewed the sponsors' product data-sheets and other product materials. This was a 'storage security solution'. What is a storage security solution?

To sum it up, it's a data encryption solution that secures data at the SAN/NAS storage layer. In other words, it encrypts the data stored within the SAN and also includes access controls to restrict access to certain data within the SAN by certain hosts. Sounds kinda neat, huh? I found it interesting that the vendor was touting that their product addresses the encryption and data security requirements of the PCI (Payment Card Industry) Data Security Standard. I have to completely disagree with this positioning.

The product does encrypt data at rest within the SAN. But this is not really where the threat exists. The solution does nothing in regards to protecting data once a host is authorized to access the data within the SAN. And the threat of someone getting physical access to your SAN in order to attach to an existing volume is, shall we say, not very probable. And, if you are following the other requirements of PCI, you have your SAN and servers secured within a data center with appropriate physical access controls. So the chance of someone walking off with servers and your SAN also has a low probability.

With a solution like this in place, the Oracle database server has complete access to the encryption keys and all of the data in the SAN that it needs in order for the database to operate. And the web application that's connected to this database has access to all of the data it needs in order for the application to operate. So, even with such a solution implemented, you are still completely dependent on the security and access controls (and inadequacies) of those systems to protect the data. If someone can circumvent the controls in the web application or the database access controls, is doesn't really matter if the data is encrypted in the SAN. Implementing a database encryption solution would be a much more effective and secure solution.

But a solution like this isn't all bad. Where I do see value is in highly virtualized environments. Since the data is encrypted with the SAN you will have the capability to restrict access to only authorized hosts. Another great feature of the solution I reviewed is the ability to apply this technology to backup media. This is an area that's fraught with vulnerability, and it's good to see a product that addresses this head-on. What bugs me is when vendors get a little over zealous in their marketing strategy, attempting to position themselves as a solution to problems they don't really solve.

Copyright (c) 2007 Kenneth M. Smith

No comments:

Post a Comment