Enterprise Strategy Group
Published: 13 Oct 2003
Over the past few years, business and technological pressures have forced storage teams to expand from the cozy world of Fibre Channel (FC), SCSI and host bus adapters (HBAs). To protect and move critical corporate data, storage gurus had to interface with networking and telecom departments and devise a plan for transporting information across LAN and WAN pipes. As the storage infrastructure became increasingly complex to manage, the storage staff had to coordinate the use of storage area network (SAN) management tools and processes with network operations.
It's dÉjÀ vu all over again--but this time the cooperative union is with security. In the next few years, security requirements will be coming down the proverbial IT tracks and the storage team needs to jump on the train--quickly.
What's driving this new partnership between the storage and security groups? Read the news any day: Internet connectivity, broadband in the home, e-business applications, Web services, wireless connectivity, global terrorism--you name the technology or geopolitical trend and there's a security risk with it. These vulnerabilities are getting an increasing amount of attention in the boardroom and IT budget. According to IDC, Framingham, MA, corporate security spending will explode from $17 billion in 2001 to a whopping $45 billion in 2006.
Here's an overlap between storage and security. Security professionals often use the acronym CIA (confidentiality, integrity and availability) to describe their focus. Storage management and operations center on data integrity and availability (e.g., RAID devices, backup/restore and remote mirroring).
Furthermore, storage and security professionals have leading roles in the planning of disaster recovery (DR) and business continuity (BC) and this relationship is likely to strengthen in the future. Why? CSOs tend to own DR and BC planning, but according to leading IT placement service provider, Robert Half, only 15% to 20% of enterprise companies have CSOs today. As more large firms hire CSOs, the storage staff will be integrated into security.
Finally, storage and security have intertwined due to the notorious insecurity of today's SAN technologies. Based on just a cursory look, any security expert will point out that SANs weren't developed with security in mind. Zoning, LUN masking and world-wide names provide a few rudimentary protection mechanisms, but today's SANs offer little in the way of authentication and data encryption. SAN management tools lack basic SSL/SSH protection, strong password management or secure versions of SNMP. New tools from Decru, Kasten Chase, Neoscale and Vormetric are available to fill these security voids while the industry consortium, the Storage Network Industry Association (SNIA), is working on a secure version of FC, called FC-SP. At the very least, storage professionals must pay attention to these storage security vulnerabilities and trends.
As security gets more executive attention and dollars, the storage team must be part of the solution, not the problem. Storage executives should police all functional storage activities immediately. Begin this exercise with a security audit, encompassing storage equipment, physical security, policies and procedures and staff skills.
Auditing storage equipment
IT equipment is often implemented with a minimal security concern, resulting in security holes you could drive a truck through. While it's beyond the scope of this article to outline all of the necessary remediation steps, some common things to look for include:
- Misconfigured switches: Mistakes with switch configuration and ACLs give hackers access to the entire SAN fabric. As you're searching for these types of errors, you may also discover LUNs and zones you weren't even aware of. Correct this vulnerability with vendor-approved configurations that meet your requirements. All configuration changes must be documented through a formal change management process. This helps reduce the risk of unknown LUNs and zones in the future.
- Default server configurations: In their haste to get systems up and running, system admins often keep default configurations intact, leaving the system open to anyone with basic Unix or Windows skills. If these systems are connected to the network, hackers can access them through Telnet or by perusing FTP directory structures. Visit every backup and storage management server to see if your IT shop has this problem.
- Software patches: When your focus is on storage infrastructure and operations, it's easy to forget about patching servers. It's important to scan systems on a periodic basis to get a full picture of vulnerabilities. Many security service providers will gladly lend you a hand. Be sure to add security requirements to vendors and equipment evaluation criteria moving forward.
Many shops with an abundance of firewalls, intrusion detection systems (IDS) systems and virus protection software fail the physical security test. When it comes to physical security and storage, be sure to:
- Place storage equipment in locked cages in the data center. During the client/server days, the general philosophy was to collocate systems with the users they supported. This was done for technical reasons (slow LAN speeds) and political reasons (distributed IT budgets). Those days are gone.
- Adhere to a strict tape management policy. Security books are full of stories where rogue IT workers steal backup tapes to extort money from their employers. This opportunity is created through poor tape management practices. Take the necessary steps to avoid this problem through appropriate tape labeling, off-site rotation, backup encryption and secure tape storage procedures.
Policies and procedures
Although the storage group won't be called on to develop security policies, compliance is mandatory. Particular attention should be paid to:
- Change and configuration management: Sloppiness here inevitably leads to security vulnerabilities and downtime. Work with the entire IT staff to develop change management policies, procedures and documentation standards.
- Data classification: Information value, age, useful life and personal association is often used to classify data into private sector categories such as public, sensitive, private and confidential. Once data is classified, the storage group is instrumental in the implementation process. Data classification is difficult, but it leads to improved security, lower costs and easier compliance with regulations.
- BC/DR: The storage team plays a starring role in backup/restore procedures through BC and DR planning. Storage and security should work together on this.
The storage staff must be prepared to participate in the enterprise security effort. This will require:
- Background checks: Experience with EMC, Brocade and Veritas can't forgive a rap sheet of felonious activities. All personnel must be screened appropriately.
- Training: To add security skills to the mix, the storage team should receive specific security training on storage vulnerabilities, fixes and general security prevention, detection and reaction techniques. It's worthwhile to encourage the storage staff to take the Certified Information Systems Security Professional (CISSP) exam to broaden their knowledge base.
There's an old security saying that states the enterprise security chain is only as strong as the weakest link. The storage team should do what it must to ensure that it avoids this weakest-link distinction. The team should take proactive steps to fix existing people, process and technology security holes while preparing for future challenges.