Published: 12 Jun 2006
Encrypting data at rest is a reliable security measure, but it's only one component of an effective storage security plan.
Attend a storage conference these days, and you might think encryption solves all of your storage security woes. It seems as if one "expert" after another is singing the praises of storage encryption for both data in transit and data at rest. But don't believe them.
Encryption is part of the SAN security solution, but it has its limitations. "Encryption is an interesting option, but mainly for tape," says Tim Arland, principal consultant at Forsythe, a Skokie, IL-based storage systems integrator. "Real-time encryption of everything at line speed is very rare," adds Arland, yet that's ultimately what you would need if you want encryption to solve all of your SAN security problems.
And even then, it might not work. What happens if a host bus adapter (HBA) spoofs an authorized system? More than encryption will be needed. The storage security problem transcends storage alone, which makes it unlikely that storage professionals can solve it by themselves. "Storage professionals are waiting to work with other corporate security teams," says Robert Stevenson, managing director, storage practice at TheInfoPro Inc., a New York City-based research firm. But Stevenson notes that in a survey conducted by TheInfoPro, some respondents also complained about corporate security intruding into storage operations.
At one time, storage managers could take some slight measure of comfort in security through obscurity, believing their Fibre Channel (FC) SAN wouldn't be noticed by would-be attackers. But "today, storage infrastructures [disk, arrays, IP and SAN fabrics, NAS and tape] are highly vulnerable to attack because of the gap between known security techniques and their level of implementation," says LeRoy Budnik, chairman of SNIA's Storage Security Information Forum (SSIF). Budnik is also one of the authors of the whitepaper "Introduction to Storage Security," which identifies a number of general recommendations and provides detailed storage security activities for each.
SANs today are vulnerable to myriad internal and external threats that require improved security. Various regulatory mandates are also forcing storage teams to adopt greater security measures, such as classifying data, monitoring its access and securing it in different ways depending on how the data is classified. With no single action likely to make the problem go away, storage managers must begin implementing Budnik's recommendations, ranging from requiring vendors to immediately inform them of changes in their support staff to locking down the security identifier on Windows servers to prevent spoofing.
The list of things to do is long, and the storage team can't do it all alone. Multiple types of threats expose different vulnerabilities and require various lines of defense. Ultimately, storage managers will have to do what the network people have been trying to do for years--implement a strategy called "defense in depth." For storage, that means a minimum of three lines of defense: access, identity and policy control; securing servers and hosts; and securing storage devices, components, switches and their communications links.
[Sidebar: Top five storage security technologies]
First line of defense
Although external identity theft is grabbing the headlines, TheInfoPro's survey respondents fear internal threats more. "Three-quarters of the respondents consider threats inside the network to be greater than external threats," says the firm's Stevenson. In particular, they were concerned with unauthorized access to sensitive data and the ability to transfer sensitive data, such as slipping a gigabyte of confidential data out of the organization on a tiny USB device attached to a keychain.
Access control and identity management therefore represent the first line of SAN defense. The goal is to hinder unauthorized people from gaining access to your storage management tools and devices. This requires the ability to authenticate users or systems trying to gain access and grant appropriate authorization.
"Who do you allow to access your SAN? Access control is the first step in SAN security," says Scott Robinson, chief technology officer at Datalink Corp., a Chanhassen, MN, storage systems integrator. Approximately three-quarters of TheInfoPro respondents identified access control as either extremely important or very important in securing their storage (see "Top five storage security technologies").
"Management tools are the biggest threat to your SAN. Once people gain access to your storage management tools, they can do almost anything," says Greg Schulz, founder and senior analyst at StorageIO, a storage industry research firm in Stillwater, MN.
Management tools are accessed through servers that connect directly to the SAN. "The Achilles' heel of SAN security is that the management interfaces to the storage devices are sitting on the corporate LAN," says W. Curtis Preston, vice president of data protection at GlassHouse Technologies Inc., Framingham, MA. At a minimum, he says, managers should regularly change the passwords to management tools.
Establishing effective access control for storage is problematic at this point. "No one has strong role-based access control, the kind that will let you control access at the command line," says SNIA's Budnik. He expects such role-based security to emerge over the next two years.
Alongside access control comes identity management. Storage managers, however, can't do much on their own about identity management. "The tools are mainly in the application stack," says TheInfoPro's Stevenson. "Storage people often see identity management as the responsibility of the DBA or application developers."
This kind of finger-pointing is typical of the breakdowns that lead to security breaches. The solution calls for storage, corporate security, network and application teams, and business managers to work out a set of policies and procedures together.
"What we've seen is that policies are the key to security," says Jot Gill, an information management consultant now building a strategic consulting practice at Network Appliance Inc. "This is not a device layer issue or an application layer issue--it is a business issue." Such a policy effort, he adds, should even include input from--heaven forbid--lawyers and accountants.
This requires cooperation among all players. "The struggle we're seeing with our customers is who drives the policy," says Forsythe's Arland. "The storage people can take some basic security measures, but you really need an overall security policy on the corporate level."
[Sidebar: SNIA storage security recommendations]
Second line of defense
The second line of defense forms at the servers and hosts. "You need to have good security on any server attached to the SAN," says StorageIO's Schulz. It's easy to launch an attack on storage systems from a compromised server. Once again, storage managers have little control here, except to exhort their systems and application counterparts to button down all the security settings built into server operating systems. This can be as basic as regularly changing passwords.
Storage managers can implement zoning and masking on the SAN, which limits what a given server or host can access. "This lets you do SAN segmentation, in effect creating sub-SANs," says Schulz. However, zoning and masking provide only a modest amount of security. If the host has been compromised, it's easy to get around such SAN segmentation. Still, "LUN masking and zoning are basics that have to be done," insists Budnik.
"Zoning is a big part of our SAN security," says Lynn Granger, senior manager of data assurance at VeriCenter Inc., Houston. "We're a managed hosting company and we need to separate hosts from each other." Granger also changes passwords on the switches, uses access control lists for the firm's SAN routers and implements Public Key Infrastructure (PKI) to protect management tools.
Beyond that, storage managers are nearly helpless at this level. "How do you authenticate an HBA so it will talk to storage?" asks Preston. Most SANs authenticate based on the worldwide name, which isn't secure.
Third line of defense
The storage team really takes charge of security at the third level, where SAN-connected devices are locked down and communication between devices and switches is secured. You should start by running the latest operating system with all current patches on each device and switch, and change passwords on all equipment regularly. Expect vendors to complain about password changes because it hinders their support technicians, warns Budnik. In addition, close off unused ports and disable unused services on the switches, suggests Schulz.
Things should improve with the introduction of the Fibre Channel Security Protocol (FC-SP) later this spring, says SNIA's Budnik. FC-SP will include protocols for the authentication of FC devices, and will cryptographically secure key exchange as well as communication between FC devices.
The security protocols under FC-SP include Challenge-Handshake Authentication Protocol (CHAP) and Diffie-Hellman CHAP (DH-CHAP). CHAP provides bidirectional secure key-exchange authentication for switch-to-switch and host-to-switch authentication. CHAP is required as part of iSCSI, while DH-CHAP is for FC.
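The contrast between admitting a port on its worldwide name alone and challenge-response authentication, as an added example that is not from the original article: it models the plain CHAP response of RFC 1994 (MD5 over identifier, shared secret and challenge), not the DH-CHAP exchange of FC-SP. The WWN, the secret and all function and class names are constructed for illustration; bidirectional CHAP runs the same exchange a second time in the opposite direction.

```python
import hashlib
import hmac
import os

# Constructed sample data: the WWN and secret are made up for illustration.
WWN = "10:00:00:00:c9:aa:bb:01"
ZONE_MEMBERS = {WWN}                      # WWN-only allow list
CHAP_SECRETS = {WWN: b"constructed-secret-0001"}


def wwn_only_admit(claimed_wwn):
    """Identification without authentication: any port asserting a listed WWN passes."""
    return claimed_wwn in ZONE_MEMBERS


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP/MD5: hash of the identifier octet, shared secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapVerifier:
    """Authenticator side (hypothetical class): single-use challenges, constant-time check."""

    def __init__(self, secrets):
        self._secrets, self._pending, self._next_id = secrets, {}, 0

    def challenge(self, name):
        self._next_id = (self._next_id + 1) % 256
        self._pending[name] = (self._next_id, os.urandom(16))
        return self._pending[name]

    def verify(self, name, response):
        pending = self._pending.pop(name, None)   # consumed whether or not it matches
        secret = self._secrets.get(name)
        if pending is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(pending[0], secret, pending[1]), response)


def demo():
    verifier = ChapVerifier(CHAP_SECRETS)
    ident, chal = verifier.challenge(WWN)
    good = chap_response(ident, CHAP_SECRETS[WWN], chal)
    results = {"wwn_only": wwn_only_admit(WWN), "chap_ok": verifier.verify(WWN, good)}
    verifier.challenge(WWN)                        # fresh challenge, old response replayed
    results["replay"] = verifier.verify(WWN, good)
    ident, chal = verifier.challenge(WWN)
    results["wrong_secret"] = verifier.verify(WWN, chap_response(ident, b"guess", chal))
    return results
```

The WWN-only check passes on the claimed name by itself, while the CHAP verifier rejects both a response replayed against a fresh challenge and a response computed without the shared secret.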
Encryption plays a role in securing stored data, but it's not necessarily a storage decision. "Encryption really is a function of the content--there are internal and external factors to consider, compliance issues [and] questions about where to do encryption," says Budnik. "It's really a corporate decision." He suggests some alternatives to storage encryption: "Is it possible to insist that the application vendor encrypt the proper fields? Maybe the database vendor or the enterprise resource planning vendor should provide utilities to encrypt certain fields and columns."
Encryption is good only if you have good authentication to begin with, adds GlassHouse's Preston. "The core security problem with SANs is not encryption, but the lack of proper authentication," he says.
"We aren't advising customers to encrypt their data generally," says Datalink's Robinson. "They should encrypt selected data going offsite and, over the next 12 to 18 months, they may want to begin to encrypt certain data sets, such as financial or customer data."
VeriCenter does a limited amount of encryption when customers insist. "Encryption slows down backup and key management is difficult," says the firm's Granger. "Still, a few customers encrypt at the database level."
Industry analysts and consultants see three major obstacles to widespread storage encryption at this point: cost, latency and key management. As for cost, encryption is expensive. "I have seen enterprises that spent $1 million on storage encryption appliances," says Preston.
In terms of latency, encryption is CPU-intensive. Even with fast, dedicated processors offloading the task, it entails another step when storing and retrieving the data.
Key management is both risky and costly. The risk lies in the potential to lose keys, which will render the encrypted data useless. "Key management also increases costs because it requires more administration," says consultant Gill.
Security doesn't come cheap. Encryption will likely be the largest single product expense, requiring multiple hardware-based encryption appliances that start at approximately $30,000 a pop.
Authentication, identity management, firewalls, intrusion-detection systems and the other components of IT defense in depth also require an investment, although some of this is a shared infrastructure expense.
In addition, there's considerable administrator overhead for storage security. Administrators need to actively manage passwords, authenticate systems and devices, monitor communications among storage components, control access to management tools and handle keys. Effective security requires substantial education, which raises the cost.
According to TheInfoPro's latest survey, 85% of organizations spend less than 10% of their storage budget on security. However, almost all respondents reported that they expect storage security spending to increase, says the firm's Stevenson.
There's no simple panacea to the storage security problem. Authentication, ID management and encryption all have important roles to play. So do network security and application security, which are beyond the control of the storage team. Storage managers can begin by implementing the dozens of security actions outlined in SNIA's "Introduction to Storage Security" whitepaper, but storage security isn't a job the storage team can do alone. Storage security truly requires a corporate-wide effort and resources.