Published: 15 Jun 2003
Lately, I've started seeing a flood of storage security products appear in development. At the same time, our customers have begun asking about involving security management groups in storage area network (SAN) deployment planning. Clearly, concern about SAN security is on the rise, but what can be done?
The key is to focus on the concerns of today and tomorrow, but learn from the past and keep an eye out for the headaches of next week. With SAN security, this means watching the current pathways into the SAN and securing management interfaces in the short term. In the long term, larger SANs--extended with technologies like iSCSI and virtualization--need dedicated focus and products to enhance security. Now is the time to prepare for this future, but a lack of shipping products means implementation will have to wait.
Confidentiality, integrity and availability
Security breaches are often assumed to involve someone gaining access to information, but they can also involve disruption of operations. In general, the topic of security focuses on three areas, each with its own risks and responses:
- Confidentiality: preventing unauthorized viewing and copying of data
- Integrity: preventing the loss or modification of data
- Availability: ensuring that data is continuously available for operations
Ensuring data integrity relies on much the same access controls that protect confidentiality: locking out access to data keeps it safe. But like confidentiality, integrity can be hard to measure, because prying eyes and meddling hands can leave a seemingly intact copy of data behind. Access control alone can't tell you whether data has been altered; only an independent record of what the data should be, such as a checksum or an offline copy, can.
While modification of data can be far more insidious than a loss of availability, the howls of users when systems fail make availability hard to ignore. Those howls will be louder still if it becomes evident that a security breach caused the outage. Here again, access control is the key, but brute-force attacks on availability, which simply overwhelm or take down a component rather than reading or altering data, can be much more difficult to defend against.
Maintain your integrity
So far, most of the security focus for storage managers has been on physically limiting access to equipment and, to a lesser extent, securing the SAN fabric itself from unauthorized use. Currently, most storage networks are limited to a single data center room with tight physical security. But this is changing, as replication technologies begin to use standard Fibre Channel (FC) and IP connectivity rather than more proprietary encapsulation methods. As iSCSI allows storage to make the leap to IP on Ethernet LANs, more and more storage networks will break out of the data center. Once this happens, the access controls on the data center door no longer bound who can reach the storage network.
Although not always recognized as a security-related task, ensuring availability in an FC fabric is common practice for storage designers and managers. Redundant fabrics, multiple data paths, redundant equipment and business continuance copies are commonly employed to improve availability in the event of mistakes and failures. There are also other potential paths for attackers: insecure hosts, backup tapes, retired hardware and inside jobs.
Even the most secure SAN can't protect data once a connected host has been compromised. By far the most common breach of SAN integrity is caused by accidental misconfiguration rather than malicious attack. Most SAN managers have seen cases where a host "stepped on" another host's SAN LUNs. Even if it hasn't happened to them, the storage and systems administrators I talk to are concerned, and employ techniques like LUN masking on the array and zoning on the fabric to prevent it. The two are complementary: zoning controls which ports the fabric lets talk to each other, and masking controls which initiators the array will present a LUN to, so a mistake in one is caught by the other. Every SAN should use both to ensure data integrity, and offline backup copies are required to recover from data corruption.
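The "stepped on" LUN case is easy to check for mechanically if you export the zone set from the fabric and the masking table from the array. The script below is an added example, not code from the original column or from any vendor: the hosts, WWPNs, zone and LUN names are constructed, and it assumes (a simplification) that every array port can present every LUN. It computes which hosts can effectively reach each LUN (zoned to an array port and masked in) and flags LUNs shared by hosts that are not a declared cluster, zones with more than one initiator, masking entries for WWPNs no host owns, and masking entries with no matching zone.

```python
"""Cross-check fabric zoning against array LUN masking for the "stepped on"
LUN case. Added example: the hosts, WWPNs, zones and LUN names below are
constructed, and the model assumes every array port can present every LUN."""
from collections import defaultdict

# --- constructed inventory (not from any real SAN) ---
HOSTS = {                                   # host -> WWPNs of its HBA ports
    "db01":  {"10:00:00:00:c9:aa:00:01"},
    "db02":  {"10:00:00:00:c9:aa:00:02"},
    "web01": {"10:00:00:00:c9:aa:00:03"},
}
CLUSTERS = {frozenset({"db01", "db02"})}    # host groups allowed to share LUNs
ARRAY_PORTS = {"50:06:01:60:00:00:00:01", "50:06:01:60:00:00:00:02"}

ZONES = {                                   # zone name -> member WWPNs
    "z_db01_spa":  {"10:00:00:00:c9:aa:00:01", "50:06:01:60:00:00:00:01"},
    "z_db02_spa":  {"10:00:00:00:c9:aa:00:02", "50:06:01:60:00:00:00:01"},
    "z_web01_spb": {"10:00:00:00:c9:aa:00:03", "50:06:01:60:00:00:00:02"},
    # mistake: two initiators in one zone, giving web01 a path to port spa
    "z_app_spa":   {"10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:03",
                    "50:06:01:60:00:00:00:01"},
}
MASKING = {                                 # LUN -> initiator WWPNs allowed to see it
    "lun_db_data":   {"10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02"},
    "lun_web_root":  {"10:00:00:00:c9:aa:00:03"},
    # mistake: web01 masked in to a database LUN
    "lun_db_logs":   {"10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:03"},
    # stale entry: no current host owns this WWPN
    "lun_old_build": {"10:00:00:00:c9:aa:00:09"},
}


def wwpn_to_host(hosts):
    """Reverse the host -> WWPNs map so a port can be attributed to a host."""
    return {w: h for h, ws in hosts.items() for w in ws}


def fabric_reachable(zones, hosts, array_ports):
    """host -> array ports it shares a zone with (what the fabric lets it reach)."""
    owner = wwpn_to_host(hosts)
    reach = defaultdict(set)
    for members in zones.values():
        ports = members & array_ports
        for w in members - array_ports:
            if w in owner:
                reach[owner[w]] |= ports
    return dict(reach)


def effective_visibility(zones, masking, hosts, array_ports):
    """LUN -> hosts that are both masked in AND zoned to an array port."""
    owner = wwpn_to_host(hosts)
    reach = fabric_reachable(zones, hosts, array_ports)
    return {lun: {owner[w] for w in inits if w in owner and reach.get(owner[w])}
            for lun, inits in masking.items()}


def audit(zones, masking, hosts, array_ports, clusters):
    """Return (kind, subject, detail) findings."""
    owner = wwpn_to_host(hosts)
    reach = fabric_reachable(zones, hosts, array_ports)
    findings = []
    for name, members in zones.items():          # single-initiator zoning
        inits = members - array_ports
        if len(inits) > 1:
            findings.append(("multi-initiator-zone", name, sorted(inits)))
    for lun, inits in masking.items():
        for w in inits - set(owner):              # stale or mistyped masking entries
            findings.append(("unknown-initiator", lun, w))
        for w in inits & set(owner):              # masked in but no zone to the array
            if not reach.get(owner[w]):
                findings.append(("masked-but-unzoned", lun, owner[w]))
    for lun, hs in effective_visibility(zones, masking, hosts, array_ports).items():
        if len(hs) > 1 and frozenset(hs) not in clusters:
            findings.append(("shared-lun-outside-cluster", lun, sorted(hs)))
    return findings


if __name__ == "__main__":
    for finding in audit(ZONES, MASKING, HOSTS, ARRAY_PORTS, CLUSTERS):
        print(*finding)
```

On the constructed data this reports the multi-initiator zone, the stale masking entry, and lun_db_logs being visible to both db01 and web01, which is exactly the pairing that ends in a stepped-on LUN. Feed it the real exports and run it after every zoning or masking change.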
Next, to protect the confidentiality of your data, don't forget to secure your backup tapes. Every day, a complete image of your storage infrastructure is sent out the door. Are you sure those tapes went out with the right people?
Also make sure you have well-thought-out standard operating procedures (SOPs) for handling tapes in a secure manner. Some backup products can encrypt the data being sent to tape, too, but the encryption schemes aren't necessarily very strong, and they aren't widely used.
In a recent study documented in the IEEE's new Security and Privacy journal, the majority of hard drives purchased through eBay still had confidential data on them. What if these were your drives? As more corporate equipment is retired and put into the secondary market, the confidentiality of data on old hardware should be a consideration. Even hardware repurposed within the same organization can lead to a security breach.
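Before a retired drive leaves the building, it is worth verifying the wipe rather than trusting that it happened. The following is an added example, not part of the original column: it scans a drive image sector by sector, classifies each sector as zeroed, filled with a single repeated byte (what a one-pass overwrite leaves), or still holding mixed content, and pulls printable strings out of the leftovers much as the `strings` utility would. The image it runs against is constructed in memory; on a real drive you would read the block device instead.

```python
"""Check a retired drive image for residual data before it leaves your hands.
Added example; the image below is constructed in memory, not a real drive."""
import re
from collections import Counter

SECTOR = 512


def classify_sector(buf):
    """'zero' for all-0x00, 'pattern' for one repeated non-zero byte value
    (typical of a single-pass overwrite), otherwise 'data'."""
    if not buf:
        return "zero"
    first = buf[0]
    if buf.count(first) == len(buf):
        return "zero" if first == 0 else "pattern"
    return "data"


def scan_image(image, sector=SECTOR, min_str=6):
    """Return per-class sector counts, the indices of 'data' sectors, and the
    printable ASCII strings (min_str or longer) found in those sectors."""
    counts = Counter()
    data_sectors = []
    strings = []
    pattern = rb"[\x20-\x7e]{%d,}" % min_str
    for offset in range(0, len(image), sector):
        buf = image[offset:offset + sector]
        kind = classify_sector(buf)
        counts[kind] += 1
        if kind == "data":
            data_sectors.append(offset // sector)
            strings += [m.decode("ascii") for m in re.findall(pattern, buf)]
    return {"counts": dict(counts), "data_sectors": data_sectors, "strings": strings}


def is_sanitized(report):
    """True only if no sector still holds mixed content."""
    return report["counts"].get("data", 0) == 0


def build_constructed_image():
    """Fake 8-sector image (constructed): four zeroed sectors, two 0xFF-filled
    sectors, then two sectors where old content survived the wipe."""
    image = bytearray(b"\x00" * SECTOR * 4 + b"\xff" * SECTOR * 2 + b"\x00" * SECTOR * 2)
    leftover = b"customer_id=4711;card=****1234\x00payroll.xls"
    image[SECTOR * 6:SECTOR * 6 + len(leftover)] = leftover
    image[SECTOR * 7 + 100:SECTOR * 7 + 103] = b"abc"   # fragment too short to report as a string
    return bytes(image)


if __name__ == "__main__":
    report = scan_image(build_constructed_image())
    print(report["counts"], "sanitized:", is_sanitized(report))
    for s in report["strings"]:
        print("  leftover:", s)
```

A drive that passes this check has at least been overwritten end to end; it says nothing about data in remapped sectors, which only the drive's own secure-erase command or physical destruction reaches.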
Don't assume your employees can be trusted to maintain security, either. According to Activis, a U.K. security firm, just 6% of security breaches are perpetrated by strangers. Employees are responsible for 81%, and ex-employees for the rest. Auditing, role-based access control and backup copies are needed to safeguard data from the people with the keys. Many storage devices and management applications can send a log of their use to a secure system through the syslog protocol, giving you a record of who did what and when. More and more storage management products are being designed to limit access based on assigned roles, which can help keep data safe. But only secure backup copies can ensure that data can be recovered in the event of a breach.
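A syslog record is only useful if somebody looks at it, so here is what a few audit rules over such records look like in practice. This is an added example, not from the original column or any vendor: the log lines, device names (fcsw01, array01), accounts and policy are all constructed, and the message body format ("user X from Y action") is a made-up but syslog-shaped one. The rules follow the paragraph: configuration changes by accounts outside the admin role, changes from outside the management network or outside the change window, and any activity by a disabled (ex-employee) account.

```python
"""Run a few audit rules over syslog records from storage devices. Added
example: the log lines, device names, accounts and policy are constructed;
the message format is a made-up syslog-shaped one, not any vendor's."""
import re
from datetime import datetime

# constructed sample: an FC switch (fcsw01) and an array (array01) logging to a central host
SAMPLE_LOG = """\
<134>Jun 15 09:02:11 fcsw01 zoned: user sanadmin from 10.1.1.5 login ok
<134>Jun 15 09:03:40 fcsw01 zoned: user sanadmin from 10.1.1.5 zone z_db02_spa add member 10:00:00:00:c9:aa:00:02
<134>Jun 15 02:14:07 fcsw01 zoned: user sanadmin from 192.168.77.9 zone z_app_spa add member 10:00:00:00:c9:aa:00:03
<134>Jun 15 02:15:30 array01 navi: user jsmith from 192.168.77.9 lunmask lun_db_logs add initiator 10:00:00:00:c9:aa:00:03
<134>Jun 15 02:16:02 array01 navi: user jsmith from 192.168.77.9 login failed
<134>Jun 15 11:40:19 fcsw01 zoned: user backupop from 10.1.1.8 zone z_db01_spa show
"""

POLICY = {                               # constructed policy
    "admin_accounts": {"sanadmin"},      # role allowed to change zoning and masking
    "admin_network": "10.1.1.",          # management subnet, prefix match (simplification)
    "disabled_accounts": {"jsmith"},     # ex-employee whose account should be dead
    "change_window": (8, 18),            # hours in which configuration changes are expected
}
CHANGE_WORDS = {"add", "remove", "delete", "create"}   # verbs that alter configuration

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
MSG_RE = re.compile(r"^user (?P<user>\S+) from (?P<src>\S+) (?P<action>.*)$")


def parse(line, year=2003):
    """Split a BSD-syslog style line into fields; None if it does not match.
    The BSD timestamp carries no year, so one is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["facility"], ev["severity"] = divmod(int(ev["pri"]), 8)
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
    mm = MSG_RE.match(ev["msg"])
    if mm:
        ev.update(mm.groupdict())
        ev["is_change"] = bool(CHANGE_WORDS & set(ev["action"].split()))
    return ev


def detect(log_text, policy):
    """Return (rule, subject, message) findings for the log text."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or "user" not in ev:
            continue
        user, src = ev["user"], ev["src"]
        if user in policy["disabled_accounts"]:
            findings.append(("disabled-account-used", user, ev["msg"]))
        if ev["is_change"]:
            lo, hi = policy["change_window"]
            if user not in policy["admin_accounts"]:
                findings.append(("change-by-non-admin", user, ev["msg"]))
            if not src.startswith(policy["admin_network"]):
                findings.append(("change-from-outside-mgmt-net", src, ev["msg"]))
            if not lo <= ev["time"].hour < hi:
                findings.append(("change-outside-window", ev["ts"], ev["msg"]))
    return findings


if __name__ == "__main__":
    for rule, subject, msg in detect(SAMPLE_LOG, POLICY):
        print(f"{rule:30} {subject:15} {msg}")
```

The in-hours zone change by the admin from the management subnet produces nothing; the 02:14 change from an unexpected address, the masking change by the disabled account, and that account's failed login are what surface. Real devices format their messages differently, so the MSG_RE pattern is the part you would adapt per vendor.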
The storage security crystal ball
One of the more interesting aspects of my job is giving new companies feedback on the latest storage products in development. I'm seeing a great deal of attention being paid to storage products with security applications, from a replication engine with built-in encryption to business process automation with auditing. Even non-security products such as storage resource management (SRM) are adding role-based access controls and availability features.
A recent study we conducted found that although few organizations currently focus on storage security, most said they saw it as a major concern for the coming year. They see that, as their SANs grow, more vulnerabilities arise and the potential for damage increases dramatically. The loss of a single FC switch might only affect a few systems. But the loss of a diverse, consolidated SAN would affect every attached host, and would undermine confidence in the storage organization.
Although I am bullish on iSCSI, it could pose major security headaches. Right now, the obscurity and limited size of FC hardware limit access to fabrics. But with iSCSI built into Windows, SAN knowledge can't be assumed to be limited to the high priests of storage. Although the best practice for iSCSI looks to be limiting it to a private Ethernet network, it seems likely that these networks will often be bridged to the production LAN. How will you feel about security when anyone with a laptop can be part of your SAN? Storage security will be a major concern in the coming years, and now is the time to start thinking about it.
One final note: In April, I asked folks to e-mail me so I could help collect and summarize their utilization data. The offer is still open, and in a few months I'll be revisiting the storage utilization topic with updated data.
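What "anyone with a laptop can be part of your SAN" comes down to in a configuration is whether the target authenticates initiators at all, whether it restricts which initiators may log in, and which interface it listens on. The script below is an added example, not code from the original column or from any iSCSI product: it audits target definitions for those three settings, with a weak and a hardened definition of the same target written inline. The definitions follow the targets.conf style of the Linux tgt project as I understand it (an assumption), and the IQNs, addresses and CHAP secrets are made up.

```python
"""Audit iSCSI target definitions for CHAP, initiator ACLs and portal binding.
Added example: both configs are constructed, written in the targets.conf style
of the Linux tgt project as I understand it (an assumption); the IQNs,
addresses and secrets are made up."""
import re
from collections import defaultdict

# constructed: a target that anyone who can reach the portal may log in to
WEAK_CONFIG = """
<target iqn.2003-06.com.example:storage.build>
    backing-store /dev/sdb
</target>
"""

# constructed: the same target with CHAP in both directions and an initiator ACL
HARDENED_CONFIG = """
<target iqn.2003-06.com.example:storage.build>
    backing-store /dev/sdb
    initiator-address 10.10.0.0/24
    initiator-name iqn.1991-05.com.microsoft:build01
    incominguser build01 Vq7!rLp2mXe9sT
    outgoinguser storage01 Kd4#wZn8bQr1cY
</target>
"""

TARGET_OPEN = re.compile(r"^<target\s+(\S+)>$")
TARGET_CLOSE = re.compile(r"^</target>$")


def parse_targets(text):
    """IQN -> {option: [values]} for each <target> block."""
    targets, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # tgt-style '#' comments
        if not line:
            continue
        m = TARGET_OPEN.match(line)
        if m:
            cur = targets.setdefault(m.group(1), defaultdict(list))
            continue
        if TARGET_CLOSE.match(line):
            cur = None
            continue
        if cur is not None:
            key, _, val = line.partition(" ")
            cur[key].append(val.strip())
    return targets


def audit_iscsi(config_text, portals, min_secret=12):
    """Return (finding, subject) pairs. portals: the 'ip:port' strings the
    target daemon listens on (passed separately; tgt sets these on the command
    line rather than in targets.conf)."""
    findings = []
    for p in portals:
        if p.startswith("0.0.0.0:"):            # every interface, not just the storage VLAN
            findings.append(("portal-on-all-interfaces", p))
    for iqn, opts in parse_targets(config_text).items():
        if not opts.get("incominguser"):        # no CHAP: login needs only a guessable IQN
            findings.append(("no-chap", iqn))
        for entry in opts.get("incominguser", []):
            user, _, secret = entry.partition(" ")
            if len(secret) < min_secret:         # 12 bytes is a common minimum for CHAP secrets
                findings.append(("short-chap-secret", user))
        if not opts.get("outgoinguser"):        # no mutual CHAP: initiator can't verify the target
            findings.append(("no-mutual-chap", iqn))
        if not (opts.get("initiator-address") or opts.get("initiator-name")):
            findings.append(("no-initiator-acl", iqn))
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_iscsi(WEAK_CONFIG, ["0.0.0.0:3260"]))
    print("hardened:", audit_iscsi(HARDENED_CONFIG, ["10.10.0.5:3260"]))
```

The weak definition produces four findings and the hardened one none. None of these settings replace the private storage network; they are what keeps a bridged LAN from turning every laptop into an initiator the target will accept.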