Timing the announcement to coincide with the RSA Conference security show in San Francisco, EMC said it has wrapped RSA’s software into the high-end storage box, so tightening security controls on the device, and toughening up its event or audit log.
While EMC said that RSA’s software can also be used to do exactly the same for rival disk arrays – such as Hitachi’s TagmaStore or IBM’s DS8000 – the storage giant claimed that it is the first to offer the tighter security as a ready-integrated and free-of-charge feature.
Separately to RSA, but keeping with the security theme, EMC also today announced a military-grade data deletion service. Until now access to the management screen for the Symmetrix has been password-protected, with access levels varying according to staff level. But with the RSA software now written in, customers have the option to add an extra layer of credential control, which would require administrators to present security tokens, or secondary, frequently changing passwords.
“What we had before was state-of-the-art. This is really just upping the bar on that,” said EMC product marketing manager Bob Wambach.
The same applies to the event or audit log on the Symmetrix, which, courtesy of the RSA treatment, is now tamper-proof, according to EMC.
“This is going to be a selling point for EMC,” said Mesabi Group analyst David Hill. “The other vendors will have a grace period to catch up, but if they don’t eventually match what EMC is offering, then they’re going to find life difficult,” Hill said.
Which customers are going to want to apply the new security features? “All of them,” said Wambach for EMC.
For the Mesabi Group, Hill said: “It really will be any companies that can be sued in a US federal court.” The analyst referred to changes made last December to the US Federal Rules of Civil Procedure, which codified requirements for the process of discovery of electronically stored evidence.
While there may not be specific requirements for features such as credential control, Hill said that the new legal environment makes it essential for companies to be seen to be doing their best to handle data correctly.
“If I were an enterprise-class business, I’d consider it mandatory to use the RSA controls. If you’re being sued, you’ve got to show as much good faith as possible, and to avoid any semblance of impropriety. Enterprises now have to be Caesar’s wife,” Hill said.
The toughening of the Symmetrix security controls is part of what EMC says has been an evolution of security thinking. Perimeter defenses such as firewalls and VPNs are no longer adequate, and now need to be part of a wider information-centric approach that sees data defended wherever it is stored, according to EMC.
Security analysts have previously said that customers’ first priority concerning storage security has been to strengthen controls on administrator consoles, which often run on servers or desktop machines that are connected to corporate networks, and so can be reached by outside hackers.
But some data also needs to be destroyed, and EMC today launched a certified data erasure service for the Symmetrix DMX-3. Complying with a US Department of Defense specification, this will involve multiple re-writes and an auditable record of data erasure.
The military-grade data annihilation service is a feature of the DMX-3 operating system. For drives removed from an array – perhaps because of failure – it is also a service offered by EMC Global Services.
All of the security features will be part of release 5772 of the Symmetrix Enginuity operating system, which will ship this quarter. They will only function on the DMX-3 version of the Symmetrix, which EMC began shipping over a year ago.