This article can also be found in the Premium Editorial Download "Storage magazine: Low-cost storage pieces fall into place."
Download it now to read this article plus other related content.
It's dÉjÀ vu all over again--but this time the cooperative union is with security. In the next few years, security requirements will be coming down the proverbial IT tracks and the storage team needs to jump on the train--quickly.
What's driving this new partnership between the storage and security groups? Read the news any day: Internet connectivity, broadband in the home, e-business applications, Web services, wireless connectivity, global terrorism--you name the technology or geopolitical trend and there's a security risk with it. These vulnerabilities are getting an increasing amount of attention in the boardroom and IT budget. According to IDC, Framingham, MA, corporate security spending will explode from $17 billion in 2001 to a whopping $45 billion in 2006.
Here's an overlap between storage and security. Security professionals often use the acronym CIA (confidentiality, integrity and availability)
Furthermore, storage and security professionals have leading roles in the planning of disaster recovery (DR) and business continuity (BC) and this relationship is likely to strengthen in the future. Why? CSOs tend to own DR and BC planning, but according to leading IT placement service provider, Robert Half, only 15% to 20% of enterprise companies have CSOs today. As more large firms hire CSOs, the storage staff will be integrated into security.
Finally, storage and security have intertwined due to the notorious insecurity of today's SAN technologies. Based on just a cursory look, any security expert will point out that SANs weren't developed with security in mind. Zoning, LUN masking and world-wide names provide a few rudimentary protection mechanisms, but today's SANs offer little in the way of authentication and data encryption. SAN management tools lack basic SSL/SSH protection, strong password management or secure versions of SNMP. New tools from Decru, Kasten Chase, Neoscale and Vormetric are available to fill these security voids while the industry consortium, the Storage Network Industry Association (SNIA), is working on a secure version of FC, called FC-SP. At the very least, storage professionals must pay attention to these storage security vulnerabilities and trends.
As security gets more executive attention and dollars, the storage team must be part of the solution, not the problem. Storage executives should police all functional storage activities immediately. Begin this exercise with a security audit, encompassing storage equipment, physical security, policies and procedures and staff skills.
Auditing storage equipment
IT equipment is often implemented with a minimal security concern, resulting in security holes you could drive a truck through. While it's beyond the scope of this article to outline all of the necessary remediation steps, some common things to look for include:
- Misconfigured switches: Mistakes with switch configuration and ACLs give hackers access to the entire SAN fabric. As you're searching for these types of errors, you may also discover LUNs and zones you weren't even aware of. Correct this vulnerability with vendor-approved configurations that meet your requirements. All configuration changes must be documented through a formal change management process. This helps reduce the risk of unknown LUNs and zones in the future.
- Default server configurations: In their haste to get systems up and running, system admins often keep default configurations intact, leaving the system open to anyone with basic Unix or Windows skills. If these systems are connected to the network, hackers can access them through Telnet or by perusing FTP directory structures. Visit every backup and storage management server to see if your IT shop has this problem.
- Software patches: When your focus is on storage infrastructure and operations, it's easy to forget about patching servers. It's important to scan systems on a periodic basis to get a full picture of vulnerabilities. Many security service providers will gladly lend you a hand. Be sure to add security requirements to vendors and equipment evaluation criteria moving forward.
This was first published in October 2003