You use encryption to protect data as it moves across your wireless network. You use IP Security to encrypt data coming in through your VPN. Transactions on your Web site are protected via Secure Sockets Layer.
But what's protecting your data as it sits in storage? Or when it moves from one storage medium to another? Or when it moves from a main storage-area network to a remote back-up system?
If the firewall represents perimeter defense, then secure storage represents defense at your enterprise's core, protecting the actual object of any attack. And four vendors - Decru, Kasten Chase, NeoScale and Vormetric - have released storage security appliances that attempt to do just that.
Defending at the core offers the advantage of protection against external attacks and internal attacks, which might run the gamut from a disgruntled super-user accessing corporate records, to theft of back-up tapes, to a rogue process accessing unauthorized data because of a programming error.
One factor that complicates life for network executives is that they're charged with two conflicting tasks: making data pervasively available while limiting access to authorized users only.
And these days, data is dispersed throughout the corporation in many ways. Companies have large, centralized SANs. They have smaller SANs, typically using either Fibre Channel or iSCSI as a transport mechanism, distributed about the company and in some cases hundreds or even thousands of miles apart. They have network-attached storage (NAS) devices scattered over the corporate LAN. And many companies still have their data stored on direct-attached storage devices.
However, whatever the storage topology, stored data is under threat whenever it is accessible by any unauthorized person or process.
Data exists in one of four states during its life cycle: at rest within some aspect of the storage system; accessed by a user or by some process (a database, for example); in transit on the WAN, LAN or SAN; and under management by a security application. It's necessary to protect the data in each of these states; anything less will likely prove to be no security at all.
The new storage security appliances address three of these data states: at rest, in transit and being managed.
Large software companies such as Computer Associates and IBM/Tivoli have offered security applications for years, and many of their products are running on servers in some of the largest corporations in the U.S. Typically these are large software implementations (often part of an even larger software suite) aimed at guarding against outside attacks. Correctly or not, many view them as the "high-priced spread," appropriate for the larger corporation but not applicable to cost-sensitive small or midsize businesses.
As a result, CA's eTrust Encryption and Tivoli's IntrusionManager, RiskManager and other products often are ignored - perhaps undeservedly - by many companies.