Storage vendors range from multibillion-dollar market leaders such as EMC, NetApp and Veritas, to startups such as AppIQ, Data Domain and Sepaton. While all vendors provide some level of security protection, most of their attention is focused on developing products with higher performance or lower operating costs.
In the past, limited storage security was acceptable when applications and data lived within the four corporate walls--but this is no longer the case. Since the mid-1990s, companies have opened their systems to outsiders via the Internet in order to exploit revenue opportunities, improve business efficiencies and reduce costs.
In addition to Internet-based threats, corporate employees also present a distinct security risk. According to the 2003 Computer Security Institute/Federal Bureau of Investigation survey, 77% of respondents believe that disgruntled employees are a likely source of attack.
As security concerns increase, a laissez-faire approach to storage security is no longer acceptable. Storage vendors must enhance security to address:
- Enterprise security policies. To meet the security challenge, many companies are adopting standards for things such as password management, secure communications and delegation of administrative tasks. Storage products that can't be configured to meet these standards will be eliminated in favor of those that can.
- Regulatory compliance. Government mandates such as California SB 1386, Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley have an implied or explicit security component.
- Existing storage security woes. Problems include insecure Fibre Channel (FC) switch configurations, open management interfaces, clear text data in flight and at rest, and a lack of authentication.
- Future storage initiatives. Over the next few years, storage innovations such as information life cycle management (ILM) and iSCSI will intertwine storage and IP networks. New processes will automate the movement of information over the Internet, exposing storage to worms and viruses. To take advantage of storage innovations, companies must improve storage security. After all, if an ILM implementation is attacked, critical data could be compromised or lost, resulting in noncompliance and business interruption.
Demand storage security
Storage vendors have traditionally eschewed security because users never asked for it. Why? Until recently, most storage was configured as direct-attached storage (DAS), so users could rely on server security to address any storage concerns. Now, however, storage networks are introducing numerous security vulnerabilities that warrant user attention. Because storage area networks (SANs) house vital information, storage managers should include security as a must-have purchasing criterion. In addition, these security demands should go beyond product features/functions and include vendor security knowledge and support.
Beginning immediately, users should include security functionality in their storage hardware, software and networking vendor qualifications. Security demands should focus on three areas: storage architecture, storage management software and security processes.
Secure storage architecture
The basic problem with storage hardware is that it was never designed with security in mind, neglecting basic security tasks such as authentication, encryption and password management. These security lapses leave your typical FC SAN, storage subsystem or network-attached storage (NAS) box open to attack. It doesn't take much skill to log into systems through default passwords or change an FC zone by spoofing a world-wide name (WWN).
Some storage vendors have done a good job of addressing these shortcomings. For example, the Brocade Secure Fabric Operating System is a hardened version of the standard management environment. The Secure Fabric OS authenticates switches in a fabric, enhances zoning for security and locks down switch administration to impose policies and rules.
While Brocade's implementation is good, it is only applicable in a Brocade environment; introduce a Cisco or McData switch and you need another security model. Ultimately, what's needed here are security standards that enable heterogeneous storage security. For example, all devices (HBAs, FC switches, storage and tape subsystems) should be set up in trust relationships supported by strong authentication through existing standards such as Kerberos, PKI or RADIUS. Heterogeneous support is the precise goal of SNIA and the ANSI T11 committee through their support of the Fibre Channel Security Protocols (FC-SP). Users should make sure that their storage vendors are participating in the standards committees or, at the very least, plan on supporting the standards when they are ratified.
Storage management software
Storage tools suffer from a couple of common problems. First, many systems store password files in clear text, so anyone who hacks into the system can read the entire password file and then log in as a legitimate user. Many storage management servers also allow communication through insecure protocols like HTTP, FTP and Telnet. Anyone sniffing the wire during these management sessions can learn passwords and configurations, and even view critical data. Finally, many servers are configured in an insecure fashion, with unnecessary services and default configurations that create easy targets for the bad guys.
Storage management software vendors must simply adhere to standard security best practices common throughout the enterprise. For example, when configuring Linux, Unix or Windows storage management servers, vendors should have support capabilities to help customers harden host-based operating systems (e.g., turn off unnecessary services, change default passwords and select the most secure OS options). Vendors should provide documentation and support for secure operating system configurations based upon the Center for Internet Security (CIS) guidelines.
Storage software should also provide strong management of passwords by limiting the number of log-in attempts, storing passwords in an encrypted file and mandating password character length. And management sessions should use secure protocols like SSH and SSL.
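The three password controls named above (a mandated minimum length, no clear-text password file, a limit on log-in attempts) are shown together in the following added example, which is not code from the original article or from any storage vendor. It stores a salted PBKDF2 hash rather than a reversibly encrypted file; the class name, the policy values and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12        # assumed policy: minimum password length
MAX_FAILURES = 5       # assumed policy: failed log-ins before lockout
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor


class CredentialStore:
    """Hypothetical credential store for a storage management console."""

    def __init__(self):
        self._records = {}   # user -> (salt, derived key); never the password
        self._failures = {}  # user -> consecutive failed log-ins

    @staticmethod
    def _derive(password, salt):
        # One-way derivation: reading the store does not reveal the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def set_password(self, user, password):
        if len(password) < MIN_LENGTH:
            raise ValueError("password shorter than policy minimum")
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
        self._records[user] = (salt, self._derive(password, salt))
        self._failures[user] = 0

    def is_locked(self, user):
        return self._failures.get(user, 0) >= MAX_FAILURES

    def verify(self, user, password):
        # A locked account rejects every attempt, including the right password.
        if self.is_locked(user) or user not in self._records:
            return False
        salt, stored = self._records[user]
        # Constant-time comparison avoids leaking how many bytes matched.
        ok = hmac.compare_digest(stored, self._derive(password, salt))
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok

    def export(self):
        # What an intruder who reads the password file would actually obtain.
        return {u: (s.hex(), k.hex()) for u, (s, k) in self._records.items()}
```

A production console would also need an unlock path (a timed reset or an administrator action) and persistent storage of the failure counters, both omitted here.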
One other point to note--if you plan on encrypting your backups, check the encryption algorithm used. Many backup vendors support the Data Encryption Standard (DES), a 56-bit encryption method introduced in 1976. The problem with DES is that in January 1997, RSA Inc. issued a challenge, with a prize of $10,000, to crack DES. Computers participating in the challenge aimed to try every possible decryption key to crack DES--over 72 quadrillion (72,057,594,037,927,936). What does this mean? If you're protecting your tapes with DES encryption, it wouldn't be that hard for a sophisticated hacker to run a brute-force attack and gain access to your data. Make sure that your backup vendor can either support a more modern encryption algorithm like 3DES or AES, or configure its systems to support a third-party encryption solution from companies such as Decru or Kasten Chase.
Security expert Bruce Schneier often says that "security is a process, not a product." Storage vendors worth their salt will live up to this truism by supporting customers with security skills and processes that supplement their product offerings. Security should extend to account management, professional services, product documentation and customer support.
When a storage vendor shows up at your door, do they ever ask questions about your security requirements? From now on, demand that they do. Vendors should consider security in all their plans. As part of this process, the vendor should test against known storage security vulnerabilities.
Choose vendors who enhance security rather than hinder it. If users insist on security, vendors will recognize that it's essential to them, which should lead vendors to offer more secure products.