During the past year, the storage industry has worked hard to deliver standards and technologies for securing storage networks. Of course, we can compare and debate the cryptographic strengths and vulnerabilities of these technologies and how much cryptanalysis work has been done – but at the end of the day, the CIO's decision comes down to two things: compatibility and interoperability.
Compatibility ensures that a storage vendor's security offering "seamlessly" integrates with the customer's existing security infrastructure. Interoperability requires that security offerings from different storage vendors -- and for different SAN components -- can interoperate with each other. During this year, these mantras will dictate the success or failure of storage security technologies.
So, what is the big deal about compatibility? Large corporations rely on certain standard security technologies: SSL (Secure Sockets Layer) for securing Web sessions; IPSec/VPN for securing traffic between corporate offices, business partners and remote users. For authentication, most have implemented passwords (first step), and many have smart cards and CHAP/RADIUS (Challenge Handshake Authentication Protocol – RFC 1994, Remote Authentication Dial In User Service – RFC 2865) technology for remote users. These types of customers need to be assured that the technology integration will be smooth while they extend their enterprise security policies to
With the above landscape in mind, the storage standards community has been developing security standards.
There is some good news here! IETF and ANSI T11 have been respectively working on iSCSI (SCSI over IP) and FC SAN standards that also provide compatibility and interoperability. The iSCSI authentication requires the implementation of CHAP protocol. At a recent ANSI T11 FC SP (Fibre Channel Security Protocol) meeting, I proposed the use of DH CHAP (CHAP with stronger security using Diffie-Hellman) for authentication among FC SAN entities. It was proposed as a "must" implement protocol to allow interoperability. An overwhelming majority approved this proposal.
Even if the customer does not have an existing CHAP/RADIUS implementation, CHAP and RADIUS have been lightweight protocols with commonly available components for the past several years. From the viewpoint of authentication, storage standards are aligning with the existing customer environment. We would hope that this year storage vendors deliver on these technologies.
But, authentication is just the first step. There are other security aspects to be tackled. How about security of storage management traffic – often cited as the highest risk in SAN security? As a result of the recent healthcare and finance industry regulations on privacy, companies need to ensure data integrity, confidentiality and non-repudiation. If I only had a wish list for 2003 -- I'd hope that storage security standards and vendors continue on this path and make life easier for customers.
The next time you evaluate storage products and vendors, be sure to ask about how compatible and interoperable the products are with regards to your existing and future security plans. Here a few questions to include:
- How flexible is your product to support my existing security policies? (You may want to specify some of the security policies for storage networks and stored data.)
- If you use RADIUS server, ask how compatible the vendor's product is with the RADIUS server? (Be sure to specify your RADIUS server vendor.)
- How interoperable is your product with other storage vendors' products?
- Which storage security standards (or proposed standards) does your product currently support?
- Which storage security standards (or proposed standards) does your product plan to support in future? Do you have a timeline or roadmap for when you plan to implement other security standards?
- If your product uses IP networks, how compatible is it with my VPN products?
About the author: Vijay Ahuja is president of Cipher Solutions, Inc., a leading provider of professional services in storage and network security. He can be reached at vijay@CipherSolutions.com or by going to the Cipher Solutions Web site. Since Vijay is also a storage security expert available on SearchStorage.com, you can also ask him any storage security questions. Go to his Ask the Experts area to pose a question.
This was first published in January 2003