Storage vulnerabilities you can't afford to miss

When it comes to the crowned jewels of business networks, I can't think of any systems more critical than storage servers. Whether you've got an advanced SAN, NAS or simply run-of-the-mill file servers housing your organization's information, your systems must become and remain as secure as possible. Unfortunately, in the rush to add more storage space, implement a brand-new network-based storage system and deploy desperately needed servers at the last minute, there are holes – large, gaping holes – left in the storage configuration that can easily be exploited by someone with nothing better to do.

These vulnerabilities seem almost too obvious, but they're quite pervasive in today's networks – especially given the complexity of the information systems that network managers are responsible for today. Some are technical in nature and others I've seen are business-related, but they're certainly items you can't afford to overlook.

1. Lack of share and file-level access controls. This is typically OS defaults or settings that allow everyone full, unaccountable access.

2. Too much reliance on data encryption. Contrary to my recent tip on how much more important it is to encrypt data at rest compared to data in transit, encryption is not the silver bullet. Your data can be encrypted down to the last file or database field, but it can still be compromised by a 'trusted' insider or poorly-coded application that can be tripped up just enough to grant an intruder system-level read/write access to the goods he's looking for.

3. Failure to implement storage security with defensive tactics in mind. In other words, create as many hoops for attackers to jump through as reasonably possible without negatively impacting system performance or carving into your budget. This includes utilizing network segmentation of storage systems where possible, hardening the system at the OS level if it's not already, implementing disk/file/database encryption where practical, and implementing disk, share and file access controls where appropriate.

4. Lack of protection for shared information. Random text, word processor and spreadsheet files containing sensitive information scattered around server shares -- local workstation drives for that matter – all without one iota of access control, much less the file's creator or network administrator having any knowledge that they're even there.

5. Absence of audit trails supporting who did what. This is still a large issue in most organizations. True, audit logging and monitoring can be a drain on both personnel and processors, especially if they're not deployed properly. Even the highest level of logging that takes place within the confines of your storage devices is not just an information security best practice – it can be of great value when the time comes to investigate a security breach, and it's becoming a fundamental regulatory standard that affects practically every business.

6. Single administrator point of failure. This means if an employee with critical information is involved in an accident, is fired, or skips the country, the organization is left without passwords, encryption keys, network diagrams and the thousands of other things crammed into the typical network or storage administrator's head.

7. Technology driving security policies and business decisions. It should actually be the business needs determining technology and the associated security risks determining security policies.

8. Unnecessary administrator distractions. Network and storage administrators who are held responsible for (and being distracted by) the enforcement of organizational security policies when they should instead be working to implement and manage the technologies necessary to help a security committee and upper management enforce their policies.

If you're a network manager responsible for the administration and security of your organization's critical storage systems, it's time to find and fix these loopholes before they're exploited, leaving you caught in a jam. Network-based security controls aren't the answer; poor software development practices aren't going away and we all know that 'security awareness training' only goes so far. Root out these vulnerabilities in your storage systems and implement some reasonable controls at the lowest levels you can reach. It's an excellent way to layer security and batten down the hatches on the systems for which you're responsible. It's your last line of defense.

For more information:

Securing the tape custody chain

About the author: Kevin Beaver is an independent information security consultant with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchStorage.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Data storage management Server virtualization may have big disaster recovery payoff SAN vs. NAS Storage: What's the difference? How to make your storage greener RAID 6 vs. RAID 10 Top 5 storage management tips of 2007 How to mitigate the performance penalties of data encryption software Tutorial: Creating a tiered SAN architecture Avoiding storage-related bottlenecks in virtualized environments Ten reasons storage security is critical How to reduce risk with storage security policies RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.