Is encryption enough?
12 Jun 2006 | SearchStorage.com
Encrypting data at rest is a reliable security measure, but it's only one component of an effective storage security plan.
Attend a storage conference these days, and you might think encryption solves all of your storage security woes. It seems as if one "expert" after another is singing the praises of storage encryption for both data in transit and data at rest. But don't believe them.
Encryption is part of the SAN security solution, but it has its limitations. "Encryption is an interesting option, but mainly for tape," says Tim Arland, principal consultant at Forsythe, a Skokie, IL-based storage systems integrator. "Real-time encryption of everything at line speed is very rare," adds Arland, yet that's ultimately what you would need if you want encryption to solve all of your SAN security problems.
And even then, it might not work. What happens if a host bus adapter (HBA) spoofs an authorized system? More than encryption will be needed. The storage security problem transcends storage alone, which makes it unlikely that storage professionals can solve it by themselves. "Storage professionals are waiting to work with other corporate security teams," says Robert Stevenson, managing director, storage practice at TheInfoPro Inc., a New York City-based research firm. But Stevenson notes that in a survey conducted by TheInfoPro, some respondents also complained about corporate security intruding into storage operations.
At one time, storage managers could take some slight measure of comfort in security through obscurity, believing their Fibre Channel (FC) SAN wouldn't be noticed by would-be attackers. But "today, storage infrastructures [disk, arrays, IP and SAN fabrics, NAS and tape] are highly vulnerable to attack because of the gap between known security techniques and their level of implementation," says LeRoy Budnik, chairman of SNIA's Storage Security Information Forum (SSIF). Budnik is also one of the authors of the whitepaper "Introduction to Storage Security," which identifies a number of general recommendations and provides detailed storage security activities for each.
SANs today are vulnerable to myriad internal and external threats that require improved security. Various regulatory mandates are also forcing storage teams to adopt greater security measures, such as classifying data, monitoring its access and securing it in different ways depending on how the data is classified. With no single action likely to make the problem go away, storage managers must begin implementing Budnik's recommendations, ranging from requiring vendors to immediately inform them of changes in their support staff to locking down the security identifier on Windows servers to prevent spoofing.
The list of things to do is long, and the storage team can't do it all alone. Multiple types of threats expose different vulnerabilities and require various lines of defense. Ultimately, storage managers will have to do what the network people have been trying to do for years--implement a strategy called "defense in-depth." For storage, that means a minimum of three lines of defense: access, identity and policy control; securing servers and hosts; and securing storage devices, components, switches and their communications links.