Storage security mantras: Compatibility and interoperability

During the past year, the storage industry has worked hard to deliver standards and technologies for securing storage networks. Of course, we can compare and debate the cryptographic strengths and vulnerabilities of these technologies and how much cryptanalysis work has been done – but at the end of the day, the CIO's decision comes down to two things: compatibility and interoperability.

Compatibility ensures that a storage vendor's security offering "seamlessly" integrates with the customer's existing security infrastructure. Interoperability requires that security offerings from different storage vendors -- and for different SAN components -- can interoperate with each other. During this year, these mantras will dictate the success or failure of storage security technologies.

So, what is the big deal about compatibility? Large corporations rely on a handful of standard security technologies: SSL (Secure Sockets Layer) for securing Web sessions, and IPSec/VPN for securing traffic between corporate offices, business partners and remote users. For authentication, most have implemented passwords (a first step), and many have deployed smart cards and CHAP/RADIUS (Challenge Handshake Authentication Protocol, RFC 1994; Remote Authentication Dial In User Service, RFC 2865) for remote users. These customers need to be assured that integration will be smooth as they extend their enterprise security policies to the storage networks.

With the above landscape in mind, the storage standards community has been developing security standards.

There is some good news here! The IETF and ANSI T11 have been working on, respectively, iSCSI (SCSI over IP) and Fibre Channel SAN standards that also provide for compatibility and interoperability. iSCSI authentication requires implementation of the CHAP protocol. At a recent ANSI T11 FC-SP (Fibre Channel Security Protocol) meeting, I proposed the use of DH-CHAP (CHAP strengthened with a Diffie-Hellman exchange) for authentication among FC SAN entities. It was proposed as a "must implement" protocol to guarantee interoperability, and an overwhelming majority approved the proposal.

Even if a customer has no existing CHAP/RADIUS deployment, both are lightweight protocols for which implementations have been commonly available for several years. From the viewpoint of authentication, storage standards are aligning with the existing customer environment. We would hope that this year storage vendors deliver on these technologies.
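The CHAP exchange that iSCSI mandates, and the reason the FC-SP group wanted the Diffie-Hellman-strengthened DH-CHAP rather than plain CHAP, are easier to see in code. The following is an added example written for this article; it is not code from the article, from the iSCSI or FC-SP specifications, or from any vendor product. The CHAP response itself follows RFC 1994 (MD5 over Identifier, Secret and Challenge). The DH-augmented variant is an assumption of this example: hashing the DH shared value into the challenge before the CHAP computation stands in for the exact FC-SP encoding, and the prime and generator are toy parameters, not a standard MODP group. The wordlist and the secret are constructed for the demonstration.

```python
"""CHAP (RFC 1994) challenge/response, an eavesdropper's offline dictionary
attack against it, and a Diffie-Hellman-augmented variant in the spirit of
DH-CHAP. Constructed example; the DH mixing step is simplified and is not the
FC-SP wire format."""
import hashlib
import os
import secrets
from typing import Dict, Iterable, Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Dict[str, object]:
    """Authenticator sends Challenge, peer returns Response, authenticator
    recomputes and compares. The returned dict is what a passive eavesdropper
    on the link (or on the RADIUS path) gets to see, plus the verdict."""
    if challenge is None:
        challenge = os.urandom(16)
    response = chap_response(identifier, secret, challenge)      # peer side
    expected = chap_response(identifier, secret, challenge)      # authenticator side
    return {"identifier": identifier, "challenge": challenge,
            "response": response,
            "authenticated": secrets.compare_digest(response, expected)}


def dictionary_attack(captured: Dict[str, object],
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack: with Identifier, Challenge and Response in hand, any
    candidate secret can be tested without talking to either party."""
    for guess in candidates:
        if chap_response(captured["identifier"], guess,
                         captured["challenge"]) == captured["response"]:
            return guess
    return None


# Toy Diffie-Hellman group, constructed for this example only (2**127 - 1 is
# prime). Real FC-SP or IKE deployments negotiate a standard MODP group.
P = 2 ** 127 - 1
G = 5


def dh_chap_exchange(secret: bytes, identifier: int = 1,
                     challenge: Optional[bytes] = None) -> Dict[str, object]:
    """DH-augmented CHAP. Each side contributes an ephemeral DH value; the
    peer hashes the DH shared value into the challenge before the CHAP
    computation, so a capture of the exchange no longer lets an eavesdropper
    test guesses for the secret. Assumption of this example: the transform
    H(Challenge || g^xy mod p) stands in for the exact FC-SP encoding."""
    if challenge is None:
        challenge = os.urandom(16)
    x = secrets.randbelow(P - 2) + 1          # authenticator's private exponent
    y = secrets.randbelow(P - 2) + 1          # peer's private exponent
    gx, gy = pow(G, x, P), pow(G, y, P)       # the two values sent on the wire

    def transformed(shared: int) -> bytes:
        return hashlib.sha256(challenge + shared.to_bytes(16, "big")).digest()

    response = chap_response(identifier, secret, transformed(pow(gx, y, P)))
    expected = chap_response(identifier, secret, transformed(pow(gy, x, P)))
    return {"identifier": identifier, "challenge": challenge, "gx": gx, "gy": gy,
            "response": response,
            "authenticated": secrets.compare_digest(response, expected)}


def demo(secret: bytes = b"storage-secret") -> tuple:
    """Run both exchanges and attack the captures with a small wordlist that
    contains the real secret. Returns (recovered from CHAP, recovered from
    DH-CHAP); the second is None because the attacker never learns g^xy mod p."""
    wordlist = [b"password", b"admin", b"storage-secret", b"san123"]
    plain = chap_exchange(secret)
    augmented = dh_chap_exchange(secret)
    assert plain["authenticated"] and augmented["authenticated"]
    return dictionary_attack(plain, wordlist), dictionary_attack(augmented, wordlist)


if __name__ == "__main__":
    print(demo())   # (b'storage-secret', None)
```

Two practical consequences follow. First, when CHAP is proxied to a RADIUS server, the CHAP-Challenge and CHAP-Password attributes (RFC 2865) carry the same challenge and response across the IP network, so the offline attack in `dictionary_attack` applies to anyone who can see the RADIUS traffic, not just the storage link; secret quality and protection of the RADIUS path matter. Second, FC-SP also defines a NULL DH group under which DH-CHAP reduces to plain CHAP, so when asking a vendor whether it "supports DH-CHAP", ask which DH groups it implements and negotiates by default.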

But, authentication is just the first step. There are other security aspects to be tackled. How about security of storage management traffic – often cited as the highest risk in SAN security? As a result of the recent healthcare and finance industry regulations on privacy, companies need to ensure data integrity, confidentiality and non-repudiation. If I only had a wish list for 2003 -- I'd hope that storage security standards and vendors continue on this path and make life easier for customers.

The next time you evaluate storage products and vendors, be sure to ask how compatible and interoperable the products are with your existing and future security plans. Here are a few questions to include:

  • How flexible is your product to support my existing security policies? (You may want to specify some of the security policies for storage networks and stored data.)
  • If you use a RADIUS server, how compatible is the vendor's product with it? (Be sure to specify your RADIUS server vendor.)
  • How interoperable is your product with other storage vendors' products?
  • Which storage security standards (or proposed standards) does your product currently support?
  • Which storage security standards (or proposed standards) does your product plan to support in future? Do you have a timeline or roadmap for when you plan to implement other security standards?
  • If your product uses IP networks, how compatible is it with my VPN products?

About the author: Vijay Ahuja is president of Cipher Solutions, Inc., a leading provider of professional services in storage and network security. He can be reached at vijay@CipherSolutions.com or by going to the Cipher Solutions Web site. Since Vijay is also a storage security expert available on SearchStorage.com, you can also ask him any storage security questions. Go to his Ask the Experts area to pose a question.

This was first published in January 2003
