
Storage security 101 -- A checklist of practical safeguards

What you will learn from this tip: There are some commonly overlooked storage security issues that every storage administrator needs to consider. In this tip, information security expert Kevin Beaver outlines a set of solid storage security basics you can use as a guide to check your own work, look for vulnerabilities in a vendor's storage configuration or to help with your organization's security compliance efforts.

Whether you're relatively new to storage administration or a veteran, and whether your storage is network-based or directly attached, there are several storage security must-haves for keeping your data as safe as possible. With storage systems housing "the goods," a lot can go wrong: stolen passwords, unauthorized access, improper deletions and modifications, bypassing zone restrictions through physical port changes and more. The highly publicized breaches catalogued in the Privacy Rights Clearinghouse Chronology of Data Breaches illustrate just how often these security breaks happen.

When performing network security assessments, I come across a wide range of storage-related security vulnerabilities and poorly implemented administrative processes that are easily corrected. The following checklist provides a broad range of platform-agnostic storage security essentials. These items can serve as a strong layer in your overall defense strategy and provide a solid foundation for protecting critical information in your files, shares and databases.

  • It's (almost) all about access controls, so determine your policies and change insecure access permissions (e.g., the Everyone group having Full Control on shares by default in Windows NT and 2000, and improperly configured NFS exports in UNIX).
  • Unload unnecessary storage services related to NFS (e.g., mountd, statd and lockd) if they're not needed, and limit network-based permissions for NetWare volumes, Windows shares, etc. to a need-to-know basis from the get-go -- otherwise individual accountability and responsibility are out the window.
  • Proper authentication is critical as well, so ensure credential verification is taking place at one or more layers above your storage devices (e.g., within the operating system, applications and databases) where possible. An export or share restricted by client address is only as trustworthy as the source address, which is why this layer matters.
  • Operating system, application and database-centric storage safeguards may not be enough, so don't rely on them solely if the utmost in storage security is required. Consider enabling technology- and vendor-specific storage controls as well as third-party add-ons if you're not comfortable with your default setup.
  • Accountability is another storage security must-have, so make sure audit logging is taking place where possible and practical.
  • Most likely, you have bits and pieces (sometimes large chunks) of critical information that may not be adequately protected on workstations, servers and mobile devices (laptops, PDAs, smartphones, etc.) -- root this information out, take an inventory and put it in its place (or at least apply reasonable access controls to it where it's currently located).
  • Encrypting data in transit can help, but it's not everything (see Securing data at rest vs. data in transit), so don't rely on it exclusively.
  • Use separate accounts for storage administration and maintenance, with strong passwords, for accountability purposes and to minimize the damage that can be done if a standard user account is compromised.
  • Physical security is essential -- if it cannot be attained, then trying to reach a reasonable level of digital security is futile.
  • Consider the various software-based storage encryption solutions for your critical systems (e.g., what NeoScale, Decru -- now part of NetApp -- PGP and others are offering).
  • Hardware-based drive encryption is coming of age on the client side, which can be a great way to lock things down at the lowest level.
  • Develop your own internal storage security standards (e.g., encryption requirements, zoning configurations, access control methods, security architecture, etc.).
  • Documented, maintained and enforced security policies that cover confidentiality, integrity and availability for storage-specific areas (where possible) are a must.
  • Storage vendors are taking security more seriously and integrating better safeguards into their products (such as NetApp's recent acquisition of Decru) -- demand these and use them where possible.
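As an added example for the access-control and NFS items in the checklist above (this is illustration written for this page, not code from the original tip), here is a small POSIX shell audit for a UNIX NFS server. It reads an /etc/exports-style file and flags the configurations the checklist warns about: exports with no client list or a '*' wildcard (everyone gets in), exports that turn off root squashing (a remote root stays root on the share), and exports marked insecure (requests accepted from unprivileged source ports). The exports file it scans, including the host and path names in it, is constructed for the demonstration; point the function at your real /etc/exports to check your own work.

```shell
#!/bin/sh
# Added example, not from the original tip: audit an /etc/exports-style file
# for exports that undercut the "need-to-know" rule in the checklist.
# Findings: no client list (exported to everyone), '*' wildcard clients,
# no_root_squash (remote root keeps root on the share), and the insecure
# option (requests accepted from unprivileged source ports).
set -f   # no pathname expansion: entries such as *(rw) must stay literal

# Constructed sample for the demo; pass the real /etc/exports in practice.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# hypothetical exports file
/srv/public   *(ro)
/srv/home     10.0.1.0/24(rw,sync,root_squash)
/srv/backup   *(rw,no_root_squash)
/srv/build    buildhost.example.com(rw,insecure)
/srv/scratch
EOF

# audit_exports FILE
# Prints one "path: finding" line per problem; returns 0 only if clean.
audit_exports() {
    findings=0
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac      # blank or comment line
        if [ -z "$clients" ]; then
            printf '%s: no client list, exported to every host\n' "$path"
            findings=$((findings + 1))
            continue
        fi
        # one line can carry several client(options) entries
        for entry in $clients; do
            host=${entry%%\(*}                # text before the '('
            opts=${entry#"$host"}             # the "(...)" part, if any
            opts=${opts#\(}; opts=${opts%\)}
            case "$host" in
                '')  printf '%s: options without a client, applies to every host\n' "$path"
                     findings=$((findings + 1)) ;;
                '*') printf '%s: wildcard client, exported to every host\n' "$path"
                     findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                     printf '%s: no_root_squash for %s\n' "$path" "${host:-*}"
                     findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,insecure,*)
                     printf '%s: insecure (unprivileged source ports) for %s\n' "$path" "${host:-*}"
                     findings=$((findings + 1)) ;;
            esac
        done
    done < "$1"
    [ "$findings" -eq 0 ]
}

if audit_exports "$SAMPLE_EXPORTS"; then
    echo "no findings"
else
    echo "review the exports flagged above"
fi
```

The function exits non-zero when anything is flagged, so it can gate a configuration push or a nightly check. A clean result does not prove an export is safe: a narrow client list still trusts the source IP address, which is the reason the checklist asks for authentication at the layers above the storage device as well.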

As information spreads further across local and network-based storage systems, it will become harder to control. Your security focus (i.e., assessments, audits and controls) needs to expand proportionately. That, combined with ongoing changes in storage technology and new hacking methods and tools, means you must always be on the lookout for storage weaknesses in your network. This space -- and its associated threats and vulnerabilities -- will keep evolving. So, if storage security is even remotely on your radar, these basics can get you off to a great start and build a solid foundation -- something you cannot afford to be without.
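The checklist item about rooting out critical information scattered across workstations and servers calls for an inventory before any access control can be applied. As an added example (written for this page, not code from the original tip), here is a first-pass discovery scan in POSIX shell. It walks a directory tree, pulls out 13-to-19-digit runs that look like payment card numbers, and reports a file only when the number passes the Luhn checksum, which discards most build IDs, timestamps and serial numbers that would otherwise flood the inventory. The directory tree and its file contents are constructed for the demonstration; the two card numbers in it are the widely published 4111... and 5500... test values, not real accounts.

```shell
#!/bin/sh
# Added example, not from the original tip: first-pass inventory of files
# holding card-number-like data. A digit run is reported only when it passes
# the Luhn checksum, so most serial numbers and IDs drop out of the list.

# Constructed sample tree for the demo; scan a real home directory or share in practice.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/reports" "$SAMPLE_DIR/logs"
# 4111 1111 1111 1111 and 5500000000000004 are published test numbers (Luhn-valid)
printf 'refund to card 4111 1111 1111 1111 approved\n' > "$SAMPLE_DIR/reports/refunds.txt"
printf 'id,card\n17,5500000000000004\n' > "$SAMPLE_DIR/reports/batch.csv"
printf 'build 1234567890123456 finished\n' > "$SAMPLE_DIR/logs/build.log"   # 16 digits, not Luhn-valid
printf 'nothing sensitive here\n' > "$SAMPLE_DIR/logs/app.log"

# luhn_ok DIGITS: exit 0 if the digit string satisfies the Luhn checksum
luhn_ok() {
    printf '%s\n' "$1" | awk '{
        sum = 0; dbl = 0
        for (i = length($0); i >= 1; i--) {          # walk right to left
            d = substr($0, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }  # double every second digit
            sum += d; dbl = !dbl
        }
        exit (sum % 10 != 0)
    }'
}

# scan_dir DIR: prints "file<TAB>****last4" for every Luhn-valid candidate
scan_dir() {
    find "$1" -type f | while read -r f; do
        # 13-19 digits, optionally separated by single spaces or dashes
        grep -oE '([0-9][ -]?){12,18}[0-9]' "$f" 2>/dev/null | while read -r cand; do
            digits=$(printf '%s' "$cand" | tr -d ' -')
            if luhn_ok "$digits"; then
                last4=${digits#"${digits%????}"}   # keep only the last four digits
                printf '%s\t****%s\n' "$f" "$last4"
            fi
        done
    done
}

scan_dir "$SAMPLE_DIR"
```

The output is deliberately masked: an inventory of where card data lives should not itself become another copy of the card data. Treat hits as leads for the "put it in its place" step, and extend the grep pattern for whatever other identifiers matter in your environment.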


About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

This was first published in December 2005
