The security of your enterprise is driven by the policies and practices in place. From a business perspective, storage security should be evaluated like any other technology. So, first evaluate the critical assets of the corporation. When deciding to invest in technologies to secure those assets, try the following rules of thumb:
1. It should cost (significantly) less to secure an asset than the value of the asset.
2. It should (expectedly) cost more to steal the asset than the asset is worth.
In this newsletter, we discuss the best practices for storage security focusing on the multi-layered security design, security policies and hardening.
Designing security should be a two-pronged strategy: secured data overlaid with layers of peripheral security. Data is secured by securing the four "touch points."
1. Access to data
2. Data in transit
3. Data in store
4. Data being managed
For each "touch point", there are a variety of technologies to ensure security. For example, you can use authentication and access control schemes to control access to data. In parallel with securing data, there has been significant work underway to develop multi-layered security zones. The DMZ (Demilitarized Zone) was the first appearance of two-layered security. You may introduce additional layers of security within the intranet to secure your application servers and databases. For the storage network, you may want to place it behind the application servers with another firewall or a filter. This layer should be in addition to the layers securing your application servers. Examples of secure zones that protect storage data include the SMZ (Secure Management Zone) approach by McDATA and VSANs (Virtual Storage Area Networks) by Cisco.
Most corporations have well-defined security policies in place. However, for storage security, the policies must also address issues specific to storage data. First, the policy must state the format in which each type of data has to be kept in storage. For example, sensitive data must be encrypted, corporate confidential data must be encrypted, e-mails can be stored as plain text, partner data must be encrypted with different keys and so on. The policy must also state how the corporate data and the management data (of the storage network) must be handled while in flight through the storage area network. This part of the policy will be dictated by the various audit and legislative requirements and partner agreements.
Hardening of the platforms is becoming a common practice. This is one of the cheaper ways to resist most of the common attacks. Disable all the unnecessary services from the operating system platform. Additionally, apply all the security fixes that have been issued by the platform vendor. It is often stated that about 80 percent of the attacks exploit well-known vulnerabilities for which software patches are available, but which the companies have not applied.
Finally, in order to design your storage security, you must outline some guiding principles that dictate the above security designs and policies. Following is a sample list to get you started securing your stored data:
1. All corporate plans and personnel records will be encrypted in store and in flight.
2. All company e-mails and data over the Internet must be encrypted and authenticated.
3. All passwords and secrets will be transmitted and stored only in encrypted format.
4. Each device, user and application must be authenticated and in case of sensitive transactions, strong (two-factor) authentication will be required.
5. All storage data will be backed up in encrypted format and, at a minimum, ensure an acceptable level of data integrity.
6. Separate keys will be used for encrypting stored data belonging to different parts of the corporation.
7. All configuration data for the storage network will be protected from unauthorized modifications.
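The storage-format policy and the separate-keys principle above can be checked mechanically against a volume inventory. The following is an added example, not part of the original newsletter; the data class names, inventory fields, volume names and key IDs are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Storage format per data class, as in the policy paragraph above.
# Class names are assumptions chosen for this example.
MUST_ENCRYPT = {"sensitive": True, "confidential": True,
                "partner": True, "email": False}

def audit(volumes):
    """Return a sorted list of (volume, finding) policy violations."""
    findings = []
    key_owners = defaultdict(set)    # key_id -> owners using that key
    key_volumes = defaultdict(list)  # key_id -> volumes encrypted with it
    for v in volumes:
        cls = v["class"]
        if cls not in MUST_ENCRYPT:
            findings.append((v["name"], "unclassified data: no storage format defined"))
            continue
        if MUST_ENCRYPT[cls] and not v.get("key_id"):
            findings.append((v["name"], f"{cls} data stored unencrypted"))
        if v.get("key_id"):
            key_owners[v["key_id"]].add(v["owner"])
            key_volumes[v["key_id"]].append(v["name"])
    # Separate keys per partner / part of the corporation:
    # one key serving more than one owner violates the policy.
    for key_id, owners in key_owners.items():
        if len(owners) > 1:
            for name in key_volumes[key_id]:
                findings.append((name, f"key {key_id} shared by owners {sorted(owners)}"))
    return sorted(findings)

# Constructed sample inventory (hypothetical volumes, owners and key IDs).
INVENTORY = [
    {"name": "vol-hr", "class": "sensitive", "owner": "hr", "key_id": "k-hr"},
    {"name": "vol-plans", "class": "confidential", "owner": "corp", "key_id": None},
    {"name": "vol-mail", "class": "email", "owner": "it", "key_id": None},
    {"name": "vol-acme", "class": "partner", "owner": "partner-acme", "key_id": "k-p1"},
    {"name": "vol-globex", "class": "partner", "owner": "partner-globex", "key_id": "k-p1"},
    {"name": "vol-scratch", "class": "unknown", "owner": "eng", "key_id": None},
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

In this inventory the plain-text e-mail volume passes, while the two partner volumes are flagged because they share one key even though both are encrypted.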
For more information on storage security such as encryption and data flight, check out Vijay's Ask the Expert category.
This was first published in March 2003