What you will learn from this tip: Four storage experts explain why storage security has been overlooked and how administrators can keep thieves out of their storage resources.
"Security for storage has been ignored by storage administrators and everyone else in charge of IT security," says Jim Damoulakis, CTO of GlassHouse Technologies, Inc., based in Framingham, Mass.
Damoulakis' assessment comes on the heels of recent storage security breaches, including unencrypted backup tape thefts from Bank of America, sizeable backup tape losses at Ameritrade and Time Warner and theft of DSW Shoe Warehouse customers' credit card data. These headline-grabbing data losses have led to the introduction of Senate legislation, the Personal Data Privacy and Security Act of 2005, which puts the blame for
Historically, added security for storage was deemed unnecessary, because storage was done on relatively isolated standalone devices, according to Dennis Martin, senior analyst for storage management software and security at Greenwood Village, Colo.-based Evaluator Group. Since the physical connections of those devices to the hosts were hidden, they were difficult to find within a network. If an outsider couldn't get to the host, he or she couldn't get to the storage device or to the stored data.
With the advent of new storage technologies, storage is no longer so hidden. Fibre channel (FC) and iSCSI SANs are accessed and managed over IP connections, with all the attendant risks to which IP exposes networks.
"Islands of SANs within an environment have been considered low-risk areas," says Damoulakis. "However, the SAN infrastructure connects to hosts on the network. To do very serious damage would simply require working through a compromised host and getting access to this largely unsecured storage network."
Standard corporate network security practices -- such as password management, enforcing access controls, enabling audit trails, securing management interface points -- should all be applied to storage, the experts agree.
"Security for backup has also been very lax," says Jon Oltsik, senior information security and storage analyst at Enterprise Strategy Group, Milford, Mass. For example, Bank of America's backup tapes were stolen by baggage handlers while being shipped to another location on a commercial plane.
The fact that Bank of America's stolen data was unencrypted points to another historic oversight. "Typically, companies only do encryption on information in motion across the network from point A to point B," says Damoulakis.
Oltsik explains that encryption of stored data has been a duty shirked for two reasons; encryption slowed networks down to a crawl, and management of algorithms and keys is difficult.
The issue of bogging down performance is old news as far as Oltsik is concerned. "Encryption is a very processor-intensive activity, but it no longer slows backup because the processors are 10 times as fast as they once were," Oltsik explains.
According to Vijay Ahuja, president of Raleigh, N.C.-based Cipher Solutions, managing encryption is not the easiest task but is doable with simple best practices. The management of encryption keys should be carefully considered, with the security risks inherent in changes in personnel and company management taken into account. Ahuja counsels companies to review and test their encryption keys and algorithms on a regular basis.
Securing data may be a hassle but it's a job that can't be ignored anymore. The experts recommend taking a holistic approach to IT infrastructure, in which the security and storage teams work together to examine and secure the infrastructure as a whole.
Every best practice in security that's in place for the network should be implemented for storage. Here's the experts' list of some important best practices:
- Audit and do a risk assessment on the storage infrastructure, looking for risks and vulnerabilities.
- Implement authentication across the storage network. Ahuja advocates using the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP). "The beauty is that most Fortune 500 companies already have this protocol in their networks," says Ahuja.
- Implement strong role-based access controls. Assign access rights to parties on a need-to-know basis.
- Demand strong security from storage system vendors and offsite storage providers.
- Adopt and enforce data encryption policies. Best practices include classifying data and applying encryption to private and confidential data through the lifecycle of the data. "You don't have to encrypt all data," says Oltsik, but sensitive data should be encrypted in flight and at rest.
- Don't forget to secure your SAN at the switch or fabric level, says Martin. Carving up your fabric by zones is one technique that limits access to various parts of the SAN.
- Create a policy for discarding old devices and media, routinely doing such tasks as scrubbing and destroying hard disks, Martin says.
- Isolate your storage management network from your corporate IT network. "The storage management network has to be secure, since that network is connected to all of your devices," says Ahuja. "If you don't isolate the networks, every employee has access to your storage."
- Treat backup as an "orange alert" process. Adopt secure media management tracking and handling policies. "Backup literally touches everything, every bit of corporate financial information, employee data and intellectual property," says Damoulakis.
IT shops can no longer afford to ignore the risks of leaving their storage unprotected. With common sense best practices in place, everyone can rest assured that corporate data is secure.
For more information:
This was first published in August 2005