The road to practical SAN security


This article can also be found in the Premium Editorial Download "Storage magazine: Managing data storage for remote employees."


As storage networks grow from isolated data center environments to IP-enabled networks spanning the world, users are starting to consider issues with security. Along with greater flexibility and consolidation of storage, the networking of storage has brought along the other risks of networks: hacking, denial of service, data theft and network availability. This article looks at some of the fears and worries of storage managers, and emerging solutions they hope will keep security threats away from their networks.

Security concerns for storage
Until recently, security was rarely considered an issue in storage. Dedicated storage was secure by nature, and storage networks were mostly installed within the bounds of physically secure data centers. The issue hasn't been security, but ensuring data integrity and allocating storage. Even with the rapid growth of storage networks, security concerns have increased only incrementally, mostly to handle allocation of shared storage, which has been dealt with by implementing zoning and LUN access controls. Configuration control and keeping administrators from accidentally destroying data have been the main focus - as opposed to dealing with hostile threats and fears of the wrong people accessing or tampering with stored data.

Dan Tanner, an analyst at the Aberdeen Group, Boston, MA, says security is now becoming more important, "if transmission is beyond a data center or firewall."


Storage security solutions

Goal                                                 | Technique                             | Vendors
Prevent unauthorized access to management interfaces | Configurable interfaces, SSH, SSL     | Brocade
Protect data on disk                                 | Data encryption                       | Paranoia, NeoScale
Protect data in transit                              | Encrypting storage firewall appliances | Cylix, NeoScale, Vormetric
End-to-end IP storage encryption                     | IPsec silicon                         | Hifn/Trebia, NetOctave

One major factor is shared storage requirements for multitenant networks - such as storage service providers or corporate customers - who want to subdivide their networks between customers or departments. According to Wes Garner, an engineer on the storage team at Application Service Provider (ASP) USinternetworking, Annapolis, MD, "We already have in place LUN level masking on storage implementation, and on the SAN we use hardware port-level zoning. Access to the data is pretty well defined within each data center." USi has about 75TB of storage in their data centers, and has a shared SAN environment between customers. However, Garner is worried about security because "there are switches out there that are accessible because they need to be managed." He adds, "we need to make sure the availability and integrity of our client data is not affected in any way."

Another reason pushing security to the forefront is the transfer of data over public networks. As users start to expand data traffic beyond the data center, to remote locations and across wide geographic distances, security has become an important issue. Aberdeen's Tanner says, "When storage is networked, security becomes more important, especially if the network isn't contained within a secure data center." With the advent of IP-based storage networking, data is now readily accessible as it travels over unsecured IP infrastructure. The ever-present threat of hackers and the fundamentally insecure nature of public networks have made security a top priority in these IP-enabled solutions.

In fact, even with safe internal networks behind a firewall, there's still a need for securing storage data. On public networks, "Everyone understands that SSL/TLS [Transport Layer Security is based on Secure Sockets Layer, a commonly-used protocol for managing the security of a message transmission on the Internet] is needed to protect passwords, credit card numbers and the like," says David Black, an architect at EMC and one of the contributors to the iSCSI spec. "The problem is with less-than-public networks - it's very easy to assume that the entire corporate LAN behind the firewall[s] is secure, and that's not only just plain wrong, but dangerously so."

Finally, vendors cite recent legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which mandate that certain industries store and manage their data in a secure manner. These pieces of legislation require that these firms secure their data from unauthorized use or access to a much greater degree than they previously have, including encryption on disk or tape and across network links.

Users' security concerns
The top threats to storage network security include modification, destruction or theft of data, denial of service or viruses, hacking - particularly through management interfaces such as Web interfaces and Telnet - and operator error/mistakes. However, depending on who you ask, some of these areas are more important than others.

Aside from preventing rogue or improperly configured servers from corrupting or accessing data in Fibre Channel (FC), security issues in storage networks in the data centers are mostly limited to access to Ethernet management ports. Roy Hall, director of storage engineering at GlaxoSmithKline, points to hacking of management interfaces as the threat he worries most about. He says, "Some of our SAN management tools use Web interfaces, and thus are vulnerable in that they can be accessed via our LAN."

This was first published in September 2002
