Since I first started covering storage, back around the turn of the century (sounds more impressive than it is, no?), the argument has been ongoing in far more organizations than you could imagine PoliceBadge about who should “own” storage security. Does it belong with the storage group? With the security group? How about in IT services, since they’re the ones that are on the pointy end of user relations?

Considering the number of times that the security group has been around this May-pole, you’d think they would have all the answers, but in many ways this isn’t a “what is best for our organization” type question, it’s largely a political one. After all, the key point is that the systems be locked down in the manner that the organization has chosen is best. Who does it really doesn’t matter one whit to the majority of your organization, they just want to assume that someone is. This can have negative impacts on the business if done wrong, and can open holes that malicious individuals both internal and external if not done at all.

Perhaps I’m too practical, perhaps each individual company that struggles with this problem has good reasons to. But in my opinion, pick a group, give them the responsibility, and move on. As long as someone is minding the store, the specific who is less important. Particularly with convergence of data and storage networks. When your SAN is an independent entity that is only exposed to the data network through machines with dedicated cards, then it makes a certain amount of sense to have that security rest with the storage staff, such as they may be. The machines will be locked down by corporate security policy like any other, and security for the SAN rests with those who are paid to know all about Storage Area Networks. Of course there’s some grey areas where the access level of a the interfacing machines has to mesh, but they’re teams working toward the same goal – providing secure and reliable infrastructure to the organization – so that bit of working together is not a huge problem. Or shouldn’t be anyway.

With the growing encroachment of NAS, iSCSI, and FCoE on the realm of the SAN, this division is less clear and that might be the source of the latest round of duck duck who’s responsible playing out in this space. Since convergence is happening and will continue to get stronger (seriously, only SAN-heads want two separate network technologies, everyone else could be convinced of the benefits of two separate networks, but not two separate network technologies), it does make sense to start transitioning this responsibility over to the security team. They’re responsible for keeping corporate data – all corporate data and systems – safe. Storage isn’t a special snowflake, it’s the holding point for all the stuff security is supposed to protect. So I think we’ve reached the point where they should.

If you’ve got a SAN, that’s going to mean training. If you have a ton of NAS’s, then it’s going to mean a headache for whomever is responsible. This is the part where I plug File Virtualization products like our ARX, which can aggregate security policy on your many NAS boxes into one centralized security model. That can include random shares Bob in Marketing created to show off his leet PowerPoint skills, or that Steve in AppDev created to show off his 1337 code h4x0r skills. It certainly makes security policy maintenance easier if you centralize it on such a device, and most security teams are familiar with Windows share security, making centralized NAS security not a far stretch. But even if you have decentralized NAS, policy is the same, it is merely implementation that is different, and even that might be the same, depending upon your architecture.

So what’s the point? Well, if you have a stretch of road that two counties claim ownership of, the correct solution is to have one patrol it while you figure out ownership. Remember that, because information security isn’t much different from law enforcement – an ounce of prevention and all.

Until next time,

Don.