Constructing Secure Storage Area Networks

Increasingly concerned about the availability of their business data, many enterprises over the last five years have implemented sophisticated storage area networks (SANs). With metro optical networks cost-effectively satisfying the huge bandwidth requirements, services such as business continuity and disaster recovery have helped enterprises avoid costly network downtime, improve corporate resource utilization and efficiently manage growing amounts of data.

Today, these same enterprises are fortifying the security of their SANs with a multi-layered approach that takes advantage of innovations in optical networking. An enterprise with the most demanding Recovery Time and Recovery Point Objectives (RTO and RPO) will seek an advanced scenario in which business operations can shift to backup servers at a different location, with users never noticing the failure of the primary data center. For this type of business-continuity service (such as Mainframe Geoplex Clustering and Open Systems Clustering), distributed central processing units are interlinked into a single logical server performing non-stop, redundant synchronization. Latency-sensitive protocols such as Geographically Dispersed Parallel Sysplex, Fiber Connection (FICON), ESCON, Coupling Link, Sysplex Timer and others have high-bandwidth (several terabits per second) and low-latency requirements, and only protocol-agnostic, WDM-enabled optical networks are up to the job.

An enterprise with a less-demanding RTO (the amount of time the enterprise deems it can afford to go without access to its information resources) might instead deploy a disaster-recovery solution in which ESCON, FICON and Fibre Channel applications perform disk mirroring between data centers separated by up to several hundred miles. Depending on the RTO, the enterprise could choose to perform mirroring over dark fiber or legacy Synchronous Optical Network/Synchronous Digital Hierarchy (SONET/SDH) links; or, when the RTO can be measured in hours or days, sites could be connected in point-to-point or ring networks spanning considerable distances for a remote-backup service.

With the bandwidth and protocol flexibility of WDM-enabled optical networks, today’s state-of-the-art SAN connectivity solutions deliver unprecedented capabilities. Where, for example, executing a 60-terabyte data recovery across a single STM-1/OC-3 connection once might have required 45 days or more, the same exercise can be undertaken in 15 minutes with a 64-channel, carrier-class Dense WDM (DWDM) platform supporting 10Gbit/s Fibre Channel transmission.

Eliminating the Risks

Because of the business value of these services, the volume of sensitive data that is networked and distributed has never been greater. Now the security of this SAN traffic is coming under heightened scrutiny.

Here again, government regulations are influencing the priorities of enterprises considering infrastructure decisions. Government concern about the security of networked personal, financial and medical information has spawned the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), California’s Information Privacy Act and other regulations. In some cases, the penalties these regulations threaten are stiff, for both a violating enterprise and individual executives within that organization, so the pressure is intense to demonstrate reasonable and acceptable due diligence that data is protected from rogue access in the data center and while in transit for mirroring from one site to another.

Enterprises are achieving the high degree of security they require by employing layered defense. Physical, access and zoning controls form an important foundation. Additional mechanisms are needed to achieve truly secure SAN extension for real-time storage applications.

Physical-layer intrusion detection, for example, is emerging as an important capability. Some WDM-enabled optical networking platforms can be programmed to take immediate, automated actions for each level of signal degradation. The inherent ability to shut down service to one data center, for example, without the delay of human intervention has proven to be a powerful tool for mitigating the damage of breaches – especially in industries such as finance, where an enterprise’s infrastructure might be processing thousands of transactions per second.
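The tiered, automated response described above can be expressed as a small policy engine. The following Go program is an added illustration, not code from the article or from any WDM vendor: it assumes that each monitored optical port has a received-power baseline recorded at commissioning, that degradation is measured as the drop (in dB) from that baseline, and that the thresholds and action names are hypothetical. A physical tap or unauthorised splice shows up as exactly this kind of unexplained loss of received power, which is why the policy escalates from logging to alarm to an automatic port shutdown.

```go
package main

import "fmt"

// Action is the automated response taken for a given level of signal
// degradation. The tiers are hypothetical, not any vendor's product policy.
type Action int

const (
	ActionNone     Action = iota // within normal tolerance
	ActionLog                    // record for trend analysis
	ActionAlarm                  // raise an alarm to the operations centre
	ActionShutdown               // disable the port without waiting for an operator
)

func (a Action) String() string {
	return [...]string{"none", "log", "alarm", "shutdown"}[a]
}

// Threshold maps a drop in received optical power, in dB relative to the
// level recorded when the link was commissioned, to an action.
type Threshold struct {
	DropDB float64
	Act    Action
}

// Policy is a set of thresholds; the most severe exceeded threshold wins.
type Policy []Threshold

// Classify returns the action for an observed drop in received power.
func (p Policy) Classify(dropDB float64) Action {
	act := ActionNone
	for _, t := range p {
		if dropDB >= t.DropDB && t.Act > act {
			act = t.Act
		}
	}
	return act
}

// Sample is one telemetry reading from a monitored optical port (constructed).
type Sample struct {
	Port     string
	PowerDBm float64
}

// Monitor keeps the commissioned baseline per port and applies the policy.
type Monitor struct {
	Baseline map[string]float64
	Policy   Policy
	Disabled map[string]bool
}

func NewMonitor(p Policy) *Monitor {
	return &Monitor{Baseline: map[string]float64{}, Policy: p, Disabled: map[string]bool{}}
}

// Evaluate classifies one sample and records any automatic shutdown.
// Telemetry from a port that was never commissioned is treated as an alarm.
func (m *Monitor) Evaluate(s Sample) Action {
	base, ok := m.Baseline[s.Port]
	if !ok {
		return ActionAlarm
	}
	act := m.Policy.Classify(base - s.PowerDBm)
	if act == ActionShutdown {
		m.Disabled[s.Port] = true
	}
	return act
}

func main() {
	// Constructed policy: a 0.5 dB loss is logged, 1.5 dB raises an alarm,
	// and 3 dB (roughly half the light gone) shuts the port down.
	m := NewMonitor(Policy{{0.5, ActionLog}, {1.5, ActionAlarm}, {3.0, ActionShutdown}})
	m.Baseline["fc1/1"] = -3.0 // constructed commissioning value
	samples := []Sample{{"fc1/1", -3.2}, {"fc1/1", -4.0}, {"fc1/1", -5.0}, {"fc1/1", -6.5}, {"fc9/9", -3.0}}
	for _, s := range samples {
		fmt.Printf("%s %+.1f dBm -> %s\n", s.Port, s.PowerDBm, m.Evaluate(s))
	}
}
```

A real deployment would drive `Evaluate` from the platform's performance-monitoring feed and would debounce transient readings before escalating, but the shape of the decision, a per-port baseline, graded thresholds and a shutdown that needs no human in the loop, is the point the article makes.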

In-flight data encryption is another emerging security mechanism, often deployed as an important last line of defense. Some enterprises have deployed carrier-class WDM platforms in tandem with recently released SAN VPN appliances that perform native SAN encryption with 3DES or AES (Triple Data Encryption Standard and Advanced Encryption Standard, respectively) at wire speed. In a process similar to IPsec tunnel mode, the appliance encapsulates and encrypts an entire Fibre Channel frame as it enters or leaves the SAN. Conversion to IP is not required, so the process does not add latency for sophisticated, real-time SAN applications such as 1Gbit/s and 2Gbit/s Fibre Channel or Fiber Connection. This is critical because the challenge is to improve security without reducing the performance of the services carried across the SAN. The enterprise must be able to meet regulatory requirements and alleviate data-privacy concerns without imposing adverse operational impact on its SAN applications.
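The following Go program shows what "encapsulate and encrypt the entire Fibre Channel frame" looks like in practice. It is an added example, not the article's or any appliance vendor's code, and it assumes a hypothetical outer header (a 4-byte security-association id and a 4-byte sequence number), a per-SA AES key agreed out of band, and a constructed Fibre Channel frame. AES is used in GCM mode so that the frame is authenticated as well as encrypted; as in IPsec ESP, the outer header stays readable but is bound to the ciphertext, and the sequence number lets the receiver reject replayed packets.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical outer header: a 4-byte security association (SA) identifier
// and a 4-byte sequence number, sent in the clear but authenticated.
const (
	hdrLen   = 8
	nonceLen = 12 // standard AES-GCM nonce size
)

// Tunnel is one direction of an encrypted SAN link under a single SA.
type Tunnel struct {
	aead    cipher.AEAD
	saID    uint32
	seq     uint32 // last sequence number sent
	lastSeq uint32 // highest sequence number accepted on receive
}

// NewTunnel builds a tunnel from a per-SA key of 16, 24 or 32 bytes.
func NewTunnel(key []byte, saID uint32) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, saID: saID}, nil
}

// nonce derives the GCM nonce from the SA id and sequence number, so every
// nonce is unique for the life of the key and nothing extra goes on the wire.
func nonce(hdr []byte) []byte {
	n := make([]byte, nonceLen)
	copy(n[nonceLen-hdrLen:], hdr)
	return n
}

// Encapsulate wraps an entire Fibre Channel frame, header and payload alike,
// into one authenticated, encrypted packet. The outer header is the AAD.
func (t *Tunnel) Encapsulate(frame []byte) ([]byte, error) {
	if t.seq == ^uint32(0) {
		return nil, errors.New("sequence space exhausted: rekey the SA")
	}
	t.seq++
	out := make([]byte, hdrLen, hdrLen+len(frame)+t.aead.Overhead())
	binary.BigEndian.PutUint32(out[0:4], t.saID)
	binary.BigEndian.PutUint32(out[4:8], t.seq)
	return t.aead.Seal(out, nonce(out[:hdrLen]), frame, out[:hdrLen]), nil
}

// Decapsulate verifies and decrypts, rejecting packets for another SA,
// replayed or reordered sequence numbers, and any modified byte.
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	if binary.BigEndian.Uint32(hdr[0:4]) != t.saID {
		return nil, errors.New("unknown SA")
	}
	seq := binary.BigEndian.Uint32(hdr[4:8])
	if seq <= t.lastSeq {
		return nil, errors.New("replayed or out-of-order packet")
	}
	frame, err := t.aead.Open(nil, nonce(hdr), pkt[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	t.lastSeq = seq // advance only after authentication succeeds
	return frame, nil
}

// SampleFrame returns a constructed Fibre Channel frame: a 24-byte FC-2
// header (R_CTL, D_ID, CS_CTL, S_ID, TYPE, F_CTL, SEQ_ID, DF_CTL, SEQ_CNT,
// OX_ID, RX_ID, Parameter) followed by a made-up FCP payload.
func SampleFrame() []byte {
	hdr := []byte{
		0x06, 0x01, 0x02, 0x03, // R_CTL, D_ID
		0x00, 0x01, 0x02, 0x04, // CS_CTL, S_ID
		0x08, 0x00, 0x00, 0x00, // TYPE (0x08 = FCP), F_CTL
		0x00, 0x00, 0x00, 0x01, // SEQ_ID, DF_CTL, SEQ_CNT
		0x12, 0x34, 0xff, 0xff, // OX_ID, RX_ID
		0x00, 0x00, 0x00, 0x00, // Parameter
	}
	return append(hdr, []byte("constructed FCP payload: block 0x1000")...)
}

func main() {
	key := bytes.Repeat([]byte{0x2a}, 32) // constructed AES-256 key for the demo only
	tx, _ := NewTunnel(key, 7)
	rx, _ := NewTunnel(key, 7)
	pkt, _ := tx.Encapsulate(SampleFrame())
	frame, err := rx.Decapsulate(pkt)
	fmt.Printf("wire: %d bytes, recovered %d bytes, err=%v\n", len(pkt), len(frame), err)
	_, err = rx.Decapsulate(pkt) // the same packet a second time is a replay
	fmt.Println("replay:", err)
}
```

The appliances the article describes do this in hardware at line rate; the software version above exists to make the security properties visible: the Fibre Channel addresses and payload never appear in the clear on the link, a single flipped bit fails authentication, and a captured packet cannot be re-injected once its sequence number has been consumed. Note the deliberate rekey check: with a counter-derived nonce, reusing a sequence number under the same key would break GCM, so the SA must be rekeyed before the counter wraps.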

Conclusion

Though there have been several high-profile incidents of information theft over the last few years, most breaches have gone unreported. Regulatory trends suggest that enterprises in more and more industries will no longer be allowed to remain silent about compromises to their information assets. While healthcare, financial services, manufacturing and government entities have been the most eager adopters of multi-layered SAN security strategies, there is activity in other industries, such as airlines, pharmaceuticals, life sciences and education.

It is important to do all that can be done to shore up protection, because the risks of sitting still are considerable. Beyond inviting sometimes-stiff government penalties, an enterprise stands to severely damage customer confidence and loyalty if its infrastructure is shown to be vulnerable to data theft.

As the nature of security threats has evolved and matured, so have the security capabilities available for optical networks. Enterprises today are adopting increasingly sophisticated, multi-faceted SAN security strategies to keep in compliance with data-protection regulations and keep out of tomorrow’s negative headlines.