Whether you're relatively new to storage administration or a veteran, or whether your storage is network-based or directly attached, there are several storage security must-haves in order to make sure your data is as safe as possible. With storage systems housing "the goods," a lot can happen, including stolen passwords, unauthorized access, improper deletions and modifications, bypassing zone restrictions through physical port changes and more. The highly publicized breaches at
- It's (almost) all about access controls, so determine your policies and change insecure access permissions (e.g., the Everyone group having full access by default in Windows NT and 2000, or improperly configured NFS exports in UNIX).
- Disable NFS-related services (e.g., mountd, statd and lockd) where they're not needed, and limit network-based permissions for NetWare volumes, Windows shares, etc. to a need-to-know basis from the get-go -- otherwise individual accountability and responsibility are out the window.
- Proper authentication is critical as well, so ensure credential verification is taking place at one or more layers above your storage devices (e.g., within the operating system, applications and databases) where possible.
- Operating system, application and database-centric storage safeguards may not be enough so don't rely on them solely if the utmost in storage security is required. Consider enabling technology and vendor-specific storage controls as well as third-party add-ons if you're not comfortable with your default setup.
- Accountability is another one of those storage security must-haves, so make sure audit logging is taking place where possible and practical.
- Most likely, you have bits and pieces (sometimes large chunks) of critical information that may not be adequately protected on workstations, servers and mobile devices (laptops, PDAs, smartphones, etc.) -- root this information out, take an inventory and put it in its place (or at least apply reasonable access controls to it where it's currently located).
- Encrypting data in transit can help, but it's not everything (see Securing data at rest vs. data in transit), so don't rely on it exclusively.
- Use separate accounts for storage administration and maintenance with strong passwords for accountability purposes and to minimize the damage that can be done if a standard user account is compromised.
- Physical security is essential -- if that cannot be attained, then trying to reach a reasonable level of digital security is futile.
- Consider the various software-based storage encryption solutions for your critical systems (e.g., the offerings from NeoScale, Decru -- now part of NetApp -- PGP and others).
- Hardware-based drive encryption is coming of age on the client side, which can be a great way to lock things down at the lowest level.
- Develop your own internal storage security standards (e.g., encryption requirements, zoning configurations, access control methods, security architecture, etc.).
- Documented, maintained and enforced security policies that cover confidentiality, integrity and availability for storage-specific areas (where possible) are a must.
- Storage vendors are taking security more seriously and integrating better safeguards into their products (such as NetApp's recent acquisition of Decru) -- demand these and use them where possible.
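The two UNIX-side items in the list above, over-permissive NFS exports and NFS helper services left running where they aren't needed, are the ones you can check mechanically. The POSIX shell script below is an added example and is not code from the original article: it audits an /etc/exports-style file for entries exported to all hosts, entries that keep remote root as root (no_root_squash) and entries marked insecure, and it reports whether mountd, statd or lockd currently have a live process. The sample exports content is constructed for the demo, the function names are this example's own, and the daemon check assumes pgrep is available (it prints nothing otherwise). The Windows-share side of the same item is not covered here.

```shell
#!/bin/sh
# Added example, not code from the original article. Audits an /etc/exports-style
# file for the over-permissive NFS settings the list warns about and reports
# whether the NFS helper daemons (mountd, statd, lockd) are currently running.

# write_sample_exports DEST: writes a constructed exports file (not taken from
# any real system) so the example runs offline.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports for the demo
/srv/data     192.0.2.10(rw,sync,root_squash)
/srv/public   *(rw,no_root_squash)
/srv/backup   192.0.2.0/24(ro,sync) 198.51.100.5(rw,no_root_squash)
/srv/legacy   (rw)
/srv/scratch  *.example.org(rw,insecure)
EOF
}

# audit_exports FILE: prints one line per finding, "PATH HOST REASON".
# Reasons checked:
#   exported-to-all-hosts  client field is "*" or empty (anyone can mount it)
#   no_root_squash         remote root keeps root on the exported tree
#   insecure               clients may connect from unprivileged source ports
audit_exports() {
    exports_file=$1
    set -f                            # no pathname expansion: "*" must stay literal
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # drop comments
        set -- $line                  # split into path + client entries
        [ $# -ge 1 ] || continue      # skip blank lines
        path=$1; shift
        if [ $# -eq 0 ]; then
            # a path with no client list is exported (read-only) to everyone
            printf '%s %s %s\n' "$path" '*' exported-to-all-hosts
            continue
        fi
        for entry in "$@"; do
            host=${entry%%\(*}        # text before "(" is the client spec
            opts=${entry#*\(}         # text inside "(...)" is the option list
            if [ "$opts" = "$entry" ]; then opts=""; else opts=${opts%\)}; fi
            if [ -z "$host" ] || [ "$host" = '*' ]; then
                printf '%s %s %s\n' "$path" '*' exported-to-all-hosts
            fi
            case ",$opts," in
                *,no_root_squash,*) printf '%s %s %s\n' "$path" "${host:-*}" no_root_squash ;;
            esac
            case ",$opts," in
                *,insecure,*) printf '%s %s %s\n' "$path" "${host:-*}" insecure ;;
            esac
        done
    done < "$exports_file"
    set +f
}

# count_export_findings FILE: number of findings, as a plain integer.
count_export_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# nfs_helpers_running: prints which of mountd/statd/lockd have a live process.
# Assumes pgrep; prints nothing when it is not installed.
nfs_helpers_running() {
    command -v pgrep >/dev/null 2>&1 || return 0
    for svc in mountd statd lockd; do
        if pgrep -x "rpc.$svc" >/dev/null 2>&1 || pgrep -x "$svc" >/dev/null 2>&1; then
            printf '%s running\n' "$svc"
        fi
    done
    return 0
}

# Demo run against the constructed sample file.
sample=$(mktemp)
write_sample_exports "$sample"
printf 'NFS export findings: %s\n' "$(count_export_findings "$sample")"
audit_exports "$sample"
nfs_helpers_running
rm -f "$sample"
```

Run it as-is to see the five findings on the sample, or point audit_exports at a real exports file: anything reported as exported-to-all-hosts or no_root_squash is exactly the "everyone has access by default" condition the list tells you to change, and a mountd/statd/lockd line on a host that serves no NFS is a service to disable.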
As information spreads further across local and network-based storage systems, it will become more difficult to control. Your security focus (i.e., assessments, audits and controls) needs to expand proportionately. This, combined with ongoing change in storage technologies and new hacking methods and tools, will demand that you always be on the lookout for storage weaknesses in your network. This space -- and its associated threats and vulnerabilities -- will evolve. So, if storage security is even remotely on your radar, these security basics can get you off to a great start and build a solid foundation -- something you cannot afford to be without.
About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at email@example.com.
This was first published in December 2005