When Security And Storage Collide

Backup and disaster recovery could be the focus of a turf war, says Larry Walsh. Is it a storage function or a security job?

Former Symantec CEO John Thompson may have been more right than he thought when he initiated the takeover of storage management vendor Veritas in 2004. Storage is a critical part of the security equation.

At the time, that’s not what Thompson said about the Symantec merger with Veritas. I was among many journalists that inappropriately attributed terms like “information lifecycle management” to Thompson’s strategy. But it seems as though security and storage are converging.

Last week, the third-largest security vendor, Trend Micro, announced the acquisition of Humyo, a provider of cloud-based storage. Trend has a vision for securing virtualised and cloud environments, and has an array of cloud-based security offerings. Humyo will add a completely different flavour to its product line, since it is purely about providing storage capabilities to users of PCs, Macs, smartphones and other computing devices.

Security companies have been dabbling in storage for years – if you can call the £8.8 billion ($13bn) Symantec paid for Veritas “dabbling”. McAfee has a longstanding partnership to provide security solutions for Commvault’s storage offerings, as well as stand-alone content security solutions for storage. SonicWall introduced its continuous data protection (CDP) in 2007. IBM last year released a hybrid security and storage solution for continuous data protection and backup. And Kaspersky Lab has storage security as a priority on its technology development road map.

Coming in the other direction, storage companies have been playing with security for years. The best example is EMC’s acquisition of RSA Security in 2006 for £1.4 billion ($2.1bn). I remember sitting with an EMC executive in early 2006, listening to the EMC road map for the future. The big hole I saw was security, and I said EMC should look at RSA for the answer. The executive – who is no longer with the company – just smiled.

NetApp also signalled its intent to delve into security when it bought Decru in 2005. Decru was a specialist in storage security solutions, and it seemed a perfect fit in the NetApp portfolio. But NetApp has allowed Decru to operate as an independent entity and hasn’t fully integrated its technology into its core storage offerings.

Is backup a security or a storage function?

What many of these security-storage combinations have in common is that they provide security for data, but not necessarily for the storage media. This goes back to a longstanding debate in the security world over whether backup and disaster recovery are security functions or storage functions.

If you look at the security triad – confidentiality, integrity and availability – ensuring the availability of data is critical, and that would make backup a security function. Years ago, many people would say backup and disaster recovery are a separate function altogether, but there’s pretty solid momentum to say security and storage share this discipline.

As the world shifts to being more focused on data and applications than on infrastructure, security is shifting to meet the needs of protecting data “in transit,” that is, as it’s moving across the pipes or sitting on a client. Protecting data “at rest” still seems to be a function of infrastructure security – putting layers of firewalls and intrusion prevention systems in front of the storage array to keep bad guys out.

Here’s what’s interesting to me: Backup and disaster recovery offered by many security companies are not providing security to the data, but rather the mechanisms for managing the data going to the media. The question that arises is whether security vendors need to own the storage media to provide security services and protect data at rest. Many people say that security companies should be storage-agnostic, but the security vendors are certainly exploring their options. We may soon see security and storage converging in ways we never thought probable.