How does your company enforce data security? I bet most of your answers will involve procedures based on host applications that have varying degrees of sophistication, depending on how much is at stake with a security breach.
A different question, "Does your company have independent, storage-based data protection measures?" will probably just trigger blank stares, because data protection is mostly entrusted to host-residing applications and, at the moment, there are very few alternatives to that approach.
Host-based data-protection works well (and has for many years) in cohesive environments where servers or mainframes never release their grip on data. Unfortunately, with the growing use of networked storage, cohesive environments are becoming less and less common.
In fact, in many SANs, no single host has a comprehensive view of all LUNs (logical unit numbers), so assigning the proper watchdog often becomes a challenge. Moreover, those LUNs often move from one host to another to allow for, say, maintenance or contingency procedures. Obviously, the host-based security apps (and their licenses) should obediently follow.
To complicate things further, consider that many LUNs are created without host involvement or awareness, perhaps from mirroring applications residing on a storage appliance or on the storage network.
Add all of this up and it's easy to see how immensely complicated the work of the host-bound security administrator really is. It seems obvious that applications residing on a storage network can better protect data residing on that network than applications that reside on a host can.
With that in mind, Symantec's soon-to-be-completed acquisition of Veritas Software sounds like a significant step toward protecting networked storage because it will bring together a strong presence in security applications and an exceptional portfolio of storage applications.
We should see the effects of that deal in the near future, but not everybody agrees with my optimistic outlook, as I learned during a conversation with Danny Milrad, senior product marketing manager at Veritas.
Milrad doesn't mention a specific date or product, but he is sure that the merger with Symantec will generate storage applications that are more security conscious. "I don't understand why people have a hard time grasping that," he says.
Marketing hype? Perhaps, but the recent announcement that Network Appliance will buy Decru is another indication of a renewed sensitivity for data protection in a big storage company. As you may remember from a March 1 post to The Storage Network, Decru offers host-independent, appliance-based encryption for networked storage, supported by a robust authentication system that uses smart cards with varying degrees of authority assigned to each user. To me, the most important aspect of this acquisition deal is that Decru's approach to security -- and to storage-hosted data protection in general -- gets a significant nod of approval from an influential vendor such as NetApp.
Will NetApp transplant Decru security into every storage appliance they sell? I'm reluctant to second-guess a storage company these days, but I'd say that approach would probably be overkill. It's more likely that NetApp will let the ongoing partnership (the two companies have recently pursued several joint projects) take a more committing turn, while still offering add-on security appliances to customers with storage gear from other vendors.
There's yet more built-in data protection blooming in the storage world: A third, and no less important, novelty comes from Seagate, which recently unleashed a cascade of announcements covering (what else?) new disk drives.
There's so much to talk about Seagate's announcement. Among them is the first deployment of disk drives with perpendicular recording, a technology that allows greater density by doing exactly what its name implies: It piles up bits vertically on the recording surface.
Along the lines of security, Seagate is offering a first in data protection: A notebook drive with built-in hardware-based encryption that the company should begin shipping early next year. Mark the name Momentus FDE (full disc encryption), because Seagate is going to secure the data content of this 120GB serial or parallel ATA device with lock and key.
The drive will implement a remarkable shield that will accompany the unit from cradle to grave. In essence, it will provide an OS-independent encryption mechanism to secure its data content in scenarios such as loss or theft.
Obviously FDE will come at a price, but the unprecedented possibility of securing gigabytes of files hosted on mobile devices should be welcome if the possible embarrassment from a stolen or misplaced laptop keeps you awake at night.
I look forward to a not-too-distant future when it won't be news if an FBI agent or a Bank of America consultant can't find his laptop, and when losing or misplacing backup tapes won't be a big deal. The data that matters will be encrypted at the source.
Am I dreaming? I don't think so. Make data protection easy to implement and everybody will use it. After all, the alternative can be a lot more expensive.