This article can also be found in the Premium Editorial Download "Storage magazine: Tips for lowering the cost of storage support contracts."
The frightening world of storage security
Given that no one was truly minding the storage security store, I found a scary situation full of holes the size of Volkswagens. Storage vendors seemed to eschew security in the way they designed, built and managed their products. Few field engineers, developers or chief technology officers ever mentioned security in customer meetings or analyst briefings. I discovered that almost all storage technologies:
- Were never tested for software-based security vulnerabilities. Storage software was filled with insecure interfaces, unnecessary functionality and buffer overflows. The code wasn't even a challenge for script kiddies, let alone sophisticated hackers.
- Left management interfaces wide open. This was especially alarming because attackers routinely scan networks to map IP addresses, discover hosts and find listening services. Storage devices were "sitting ducks."
- Had few processes for security bug tracking and patching. In the storage world, software updates were designed to repair software functionality glitches and came out a few times a year. Few vendors had anything in place to monitor, test, fix and distribute patches for addressing security vulnerabilities.
- Relied on insecure channels for storage management. Many storage professionals logged onto storage management apps over insecure protocols like Telnet and HTTP, rather than SSH or HTTPS. Critical storage management data was transported willy-nilly around the network in cleartext.
- Depended on basic username-and-password authentication. Changing configurations on enterprise-class storage systems required only a user name and password combination, with no second factor. Even scarier, most users would simply log onto devices as "admin," gain root access to the systems and have the ability to change anything.
- Didn't log events. Storage systems may have had some proprietary logging format, but few users knew about it, let alone turned it on.
- Had insecure default configurations. Storage was insecure by default, meaning that if you configured an enterprise storage system the way the vendor recommended, it was wide open to the bad guys.
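The two findings about open management interfaces and cleartext management protocols suggest a check any storage team can run today: scan the management network and flag every array or NAS head that answers on Telnet or HTTP, and especially those with no SSH or HTTPS listener at all. The script below is an added example, not code from the article or from any vendor. It parses scan results in Nmap's grepable (-oG) output format; the scan output embedded in it is constructed for illustration, and the IP addresses and host names are invented.

```python
"""Flag storage management interfaces reachable over cleartext protocols.

Reads Nmap grepable (-oG) output and, for each host, reports Telnet or HTTP
listeners and whether an encrypted alternative (SSH or HTTPS) is available.
Added example for this article; the scan data below is constructed, not real.
"""
import re
from dataclasses import dataclass, field

# Cleartext management port -> (service, encrypted counterpart port, its name).
CLEARTEXT_PAIRS = {
    23: ("telnet", 22, "ssh"),
    80: ("http", 443, "https"),
}

# Constructed -oG output; hosts are hypothetical storage controllers/NAS heads.
# Field layout per port entry: port/state/protocol/owner/service/rpcinfo/version
SAMPLE_SCAN = (
    "Host: 10.0.5.10 (san-ctrl-a.example.internal)\tPorts: 22/open/tcp//ssh///, "
    "443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 10.0.5.11 (san-ctrl-b.example.internal)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 10.0.5.20 (nas-head-1.example.internal)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///\n"
    "Host: 10.0.5.30 ()\tPorts: 80/open/tcp//http///\n"
)

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*)\)")


@dataclass
class ScannedHost:
    ip: str
    name: str
    open_tcp: set = field(default_factory=set)


def parse_grepable(text):
    """Return one ScannedHost per 'Host:' line, with its open TCP ports."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        host = ScannedHost(ip=match.group(1), name=match.group(2))
        for column in fields[1:]:
            if not column.startswith("Ports:"):
                continue
            for entry in column[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                # Keep only ports Nmap saw as open on TCP.
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    host.open_tcp.add(int(parts[0]))
        hosts.append(host)
    return hosts


def assess(host):
    """List cleartext management findings for one host, Telnet before HTTP."""
    findings = []
    for port, (service, secure_port, secure_name) in sorted(CLEARTEXT_PAIRS.items()):
        if port not in host.open_tcp:
            continue
        if secure_port in host.open_tcp:
            findings.append(
                f"{service}/{port} open alongside {secure_name}/{secure_port}: "
                "disable the cleartext service"
            )
        else:
            findings.append(
                f"{service}/{port} open with no {secure_name} alternative: "
                "management is only possible in cleartext"
            )
    return findings


def audit(text):
    """Map each scanned IP to its list of findings (empty list if clean)."""
    return {host.ip: assess(host) for host in parse_grepable(text)}


def sitting_ducks(text):
    """IPs that expose a cleartext management port and no SSH/HTTPS at all."""
    ducks = []
    for host in parse_grepable(text):
        has_cleartext = any(p in host.open_tcp for p in CLEARTEXT_PAIRS)
        has_secure = any(pair[1] in host.open_tcp for pair in CLEARTEXT_PAIRS.values())
        if has_cleartext and not has_secure:
            ducks.append(host.ip)
    return ducks


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_SCAN).items():
        print(ip, "OK" if not findings else "; ".join(findings))
    print("sitting ducks:", ", ".join(sitting_ducks(SAMPLE_SCAN)))
```

Run it against real output from `nmap -sS -p 22,23,80,443 -oG - <management-subnet>` (the -oG flag is standard Nmap) and treat every "sitting duck" as a change ticket: the fix is to enable SSH/HTTPS on the device, then disable the cleartext listener, not merely to add a firewall rule in front of it.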
This was first published in May 2007