Is encryption enough?

SNIA storage security recommendations

  • Secure storage management
  • Identify and assess storage interfaces
  • Create risk domains
  • Monitor and control physical access
  • Address data security compliance
  • Protect externalized data
  • Understand the exposures
  • Implement appropriate service continuity
  • Utilize event logging
Source: "Introduction to Storage Security," a SNIA security whitepaper by Eric A Hibbard, LeRoy Budnik and Richard Austin.

Second line of defense
The second line of defense forms at the servers and hosts. "You need to have good security on any server attached to the SAN," says StorageIO's Schulz. It's easy to launch an attack on storage systems from a compromised server. Once again, storage managers have little control here, except to exhort their systems and application counterparts to button down all the security settings built into server operating systems. This can be as basic as regularly changing passwords.

Storage managers can implement zoning and masking on the SAN, which limits what a given server or host can access. "This lets you do SAN segmentation, in effect creating sub-SANs," says Schulz. However, zoning and masking provide only a modest amount of security. If the host has been compromised, it's easy to get around such SAN segmentation. Still, "LUN masking and zoning are basics that have to be done," insists Budnik.

"Zoning is a big part of our SAN security," says Lynn Granger, senior manager of data assurance at VeriCenter Inc., Houston. "We're a managed hosting company and we need to separate hosts from each other." Granger also changes passwords on the switches, uses access control lists for the firm's SAN routers and implements Public Key Infrastructure (PKI) to protect management tools.

Beyond that, storage managers are nearly helpless at this level. "How do you authenticate an HBA so it will talk to storage?" asks Preston. Most SANs authenticate based on the worldwide name, which isn't secure.

Third line of defense
The storage team really takes charge of security at the third level, where SAN-connected devices are locked down and communication between devices and switches is secured. You should start by running the latest operating system with all current patches on each device and switch, and change passwords on all equipment regularly. Expect vendors to complain about password changes because it hinders their support technicians, warns Budnik. In addition, close off unused ports and disable unused services on the switches, suggests Schulz.

Things should improve with the introduction of the Fibre Channel Security Protocol (FC-SP) later this spring, says SNIA's Budnik. FC-SP will include protocols for the authentication of FC devices, and will cryptographically secure key exchange as well as communication between FC devices.

Among the security protocols specified under FC-SP are the Challenge-Handshake Authentication Protocol (CHAP) and Diffie-Hellman CHAP (DH-CHAP). They provide bidirectional, secure key-exchange authentication for switch-to-switch and host-to-switch connections. CHAP is required as part of iSCSI, while DH-CHAP is the variant for FC.
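The CHAP exchange described above, written out as an added example that is not part of the original article: a mutual (bidirectional) RFC 1994 challenge/response using MD5, the form iSCSI requires. Class and function names are assumptions, the secrets are constructed sample values, and the single-use challenge table is there to show why a captured response cannot be replayed.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994 (CHAP_A=5 in iSCSI):
    MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapPeer:
    """One endpoint, e.g. an iSCSI initiator or target (assumed class name).
    Holds its own secret and the secret it expects the other side to prove."""

    def __init__(self, my_secret: bytes, peer_secret: bytes):
        self.my_secret = my_secret
        self.peer_secret = peer_secret
        self.ident = 0
        self.outstanding = {}  # ident -> challenge, consumed on first verify

    def new_challenge(self):
        """Issue a fresh random challenge with an incrementing 8-bit Identifier."""
        self.ident = (self.ident + 1) & 0xFF
        challenge = os.urandom(16)
        self.outstanding[self.ident] = challenge
        return self.ident, challenge

    def answer(self, ident: int, challenge: bytes) -> bytes:
        """Prove possession of our own secret for the peer's challenge."""
        return chap_response(ident, self.my_secret, challenge)

    def verify(self, ident: int, response: bytes) -> bool:
        """Check the peer's response; each challenge is valid exactly once,
        so a recorded response for an old challenge is rejected."""
        challenge = self.outstanding.pop(ident, None)
        if challenge is None:
            return False
        expected = chap_response(ident, self.peer_secret, challenge)
        return hmac.compare_digest(expected, response)


def mutual_chap(a: ChapPeer, b: ChapPeer) -> bool:
    """Bidirectional CHAP: a challenges b, then b challenges a; both must pass."""
    ident, chal = a.new_challenge()
    if not a.verify(ident, b.answer(ident, chal)):
        return False
    ident, chal = b.new_challenge()
    return b.verify(ident, a.answer(ident, chal))
```

Both directions use the same primitive; what makes it mutual is that each side holds the other's secret and issues its own challenge, so a target that cannot prove its secret is rejected just as an initiator would be.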

This was first published in June 2006
