Taking a layered approach to storage security simplifies the organizational issues. A chief information security officer (CISO), typically reporting to the CIO, CTO or CFO, is responsible for traditional information security, including storage. Storage security starts with a proper business assessment of the risks and of the costs of mitigating them, and with obtaining agreement from the lines of business on the resulting trade-offs.
Each layer in a storage security architecture needs to be managed independently of the other layers. Ensuring that only authorized parties can access data is a data networking issue. Ensuring the security of data in transit over networks, especially IP and iSCSI, is also a data networking issue. Both of these areas (and probably Fibre Channel networks as well) should be owned by the network security people. Ensuring physical security is a storage data center issue, as is ensuring that security logs are kept and audited, so that would-be data thieves believe they will be caught. The innermost layers (such as encryption performed by the database) should usually be owned by the application group or database group.
Action Item: Organizations need to adopt a combined top-down, bottom-up approach to organizing storage security. From the top down, the CISO needs to define the acceptable levels of risk and spend, and to define a layered storage security architecture. From the bottom up, each storage security technology layer needs to be assigned to an appropriate IT department for implementation and ongoing operations.