This article can also be found in the Premium Editorial Download "Storage magazine: Storage managers give thumbs up to IP storage."
Download it now to read this article plus other related content.
Secure storage architecture
The basic problem with storage hardware is that it was never designed with security in mind, neglecting basic security tasks such as authentication, encryption and password management. These security lapses leave your typical FC SAN, storage subsystem or network-attached storage (NAS) box open for attacks. It doesn't take much skill to log into systems through default passwords or change a FC zone by spoofing a world-wide name (WWN).
Some storage vendors have done a good job of addressing these shortcomings. For example, the Brocade Secure Fabric Operating System is a hardened version of the standard management environment. The Secure Fabric OS authenticates switches in a fabric, enhances zoning for security and locks down switch administration to impose policies and rules.
While Brocade's implementation is good, it is only applicable in a Brocade environment; introduce a Cisco or McData switch and you need another security model. Ultimately what's needed here are security standards that enable heterogeneous storage security. For example, all devices (HBAs, FC switches, storage and tape subsystems) should be set up in trust relationships supported by strong authentication through existing standards such as Kerberos, PKI or RADIUS. Heterogeneous support is the precise goal of SNIA and the ANSI T.11 committee through their support of the Fibre Channel Security Protocols (FC-SP). Users should
Storage management software
Storage tools suffer from a couple of common problems. First, many systems store password files in clear text so anyone who hacks into the system can read the entire password file and gain legal access. Many storage management servers also allow communication through insecure protocols like HTTP, FTP and Telnet. Anyone sniffing the wire during these management sessions can learn passwords, configurations, even view critical data. Finally, many servers are configured in an insecure fashion allowing unnecessary services and default configurations to create easy targets for the bad guys.
Storage management software vendors must simply adhere to standard security best practices common throughout the enterprise. For example, when configuring Linux, Unix or Windows storage management servers, vendors should have support capabilities to help customers harden host-based operating systems (i.e., turn off unnecessary services, change default passwords, select most-secure OS options, etc.). Vendors should provide documentation and support for secure operating system configurations based upon the Center for Internet Security (CIS) guidelines.
Storage software should also provide strong management of passwords by limiting the number of log-in attempts, storing passwords in an encrypted file and mandating password character length. And management sessions should use secure protocols like SSH and SSL.
One other point to note--if you plan on encrypting your backups, check the encryption algorithm used. Many backup vendors support the Digital Encryption Standard (DES), a 56-bit encryption method introduced in 1976. The problem with DES is that in January 1997, RSA Inc. issued a challenge, with a prize of $10,000, to crack DES. Computers participating in the challenge aimed to try every possible decryption key to crack DES--over 72 quadrillion (72,057,594,037,927,936). What does this mean? If you're protecting your tapes with DES encryption, it wouldn't be that hard for a sophisticated hacker to run a brute force attack and gain access to your data. Make sure that your backup vendor can either support a more modern encryption algorithm like 3DES or AES or they can configure their systems to support a third-party encryption solution from companies such as Decru or Kasten Chase.
Security expert Bruce Schneier often says that "security is a process, not a product." Storage vendors worth their salt will live up to this truism by supporting customers with security skills and processes that supplement their product offerings. Security should extend to account management, professional services, product documentation and customer support.
When a storage vendor shows up at your door, do they ever ask questions about your security requirements? From now on, demand that they do. Vendors should consider security in all their plans. As part of this process, the vendor should test against known storage security vulnerabilities.
Choose vendors who enhance security rather than hinder it. By insisting on security, vendors will recognize that it's essential to users, which should lead them to offer more secure products.
This was first published in April 2004