Content

Long-distance data

The world of iSCSI today is a very different place from when it first hit the market two years ago. Then it looked set to join the long list of innovations which promised much but delivered little. Now, by contrast, the take-up of iSCSI (an Internet Protocol-based storage networking standard) looks to become both rapid and widespread. Vendors are selling storage and networking iSCSI-based solutions and the end-user community's understanding of its potential has similarly matured.

At first, market interest primarily centred on how iSCSI would replace the more expensive Fibre Channel. Armed with better research and advice, interest is now more qualified, with data backup and retention seen as the areas of greatest potential for iSCSI in the foreseeable future. Yet at this stage of its development, its biggest weakness remains that of security.

The whole concept of iSCSI is that, for the first time, it is possible to open up data at the block level across a wide area network (WAN). However, as soon as you put data storage across your IP infrastructure, security questions immediately arise. By putting it across a WAN, for example, there are legitimate concerns that hackers might be able to get at your data, and tools already exist that can sniff out IP packets.

The particular problem iSCSI creates is that encryption devices which work at the file level cannot be applied when putting block data across the network, so different techniques will be required to set security encryption on the data.

Such companies as Decru and NeoScale have already introduced hardware devices that assist the process, by scrambling the data. As proprietary solutions however, they are based on each company's own encryption technology and do not comply with a common standard. As a result, the market relies on such vendors to develop their own certification for specific sectors, such as the military or financial services.

Industry standards

As with any such technology advance, one key challenge is to set industry-wide standards – in this case, to support an open-systems approach to encryption at block level.

In parallel with proprietary developments, therefore, SNIA is working on ways to address the problem of data security by setting standards, determining which encryption techniques should be adopted and how they should be applied and handled. So it is likely that common standards will be available within the next six to 12 months, thereby addressing many of the current concerns over security with iSCSI.

Proprietary solutions will continue to be offered, some of which might be adapted to support the new industry standard. Similarly, the new standard is likely to develop around much of what is already available.

A question of priorities

As a result, the gap will narrow considerably, although iSCSI will remain inherently less secure than Fibre Channel. This is because Fibre Channel, in its basic form, sits in a separate network at the back end of the server and is thereby contained within the data centre. By contrast, iSCSI, as with Fibre Channel over IP (IFCP and FOIP), involves sending data across a wide area link, which will always include an element of risk from a security perspective.

In the final analysis therefore, the end-user's decision will come down to a balance between the need for security and the desire for ease of implementation and management.

The other gap between iSCSI and Fibre Channel that will inevitably narrow as a result of improving iSCSI security is that of cost. Providing security via encryption is not cheap: currently, proprietary encryption devices are at least as expensive as Fibre Channel devices, and with the need to have devices at each end of the WAN, (encryption and de-encryption), this wipes out the cost argument of iSCSI over Fibre Channel SAN technology.

And the picture will not change immediately as a result of the introduction of common industry standards. What will make an impact is if major vendors sign up to the standard and develop encryption technology within their existing hardware products.

So, for example, if iSCSI switch manufacturers build this functionality into their switches and multi-protocol routers, encryption will become more cost-effective. Yet whatever happens, the inclusion of encryption will add considerably to the cost of an iSCSI implementation.

Of course, significant cost benefits will remain for those end-users for whom a high level of security is not a business priority. Yet for all businesses, the broader benefits of iSCSI will remain, opening up the advantages of SAN adoption to the SME market and so improving the flexibility and manageability of their storage environment.

One final point to make is that users will probably want to create a separate virtual network to carry the iSCSI traffic. This will avoid having large blocks of back-up data, for example, clogging up the general IP traffic on the main network.

Paul Hickingbotham is senior storage consultant at Hammer

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.