Vital business information should be carefully stored but, Jon Tullett asks, can you be sure it really is locked away safely?
Storage security, and storage area network (SAN) security, is a critical but often underestimated part of enterprise IT management. In addition to safeguarding some of your company's most valuable assets (the information and data underlying the business), there are also implications for management and cost of ownership, as well as numerous incidental benefits to having a well-secured SAN.
While there are plenty of techniques and technologies for securing storage, many companies fail to take full advantage of them. That is partly because storage buying has, until recently, been focused on acquiring capacity.
Keeping information safe
For many years it was accepted as popular wisdom that while other market segments rose and fell, storage growth was consistently vigorous. Companies today are creating information faster, and needing to keep it longer, both for deeper analysis by CRM and data mining applications and for legal compliance. At the vanguard of the storage advance was the storage network, with promises of capacity and scalability. As a result, companies focused primarily on buying raw capacity, with management and security as afterthoughts.
That may just reflect how vendors have sold SANs. "The reality is that there just haven't been a lot of good SAN security solutions up to this point, so users have not had options," says Doug Makishima, vice president of marketing for Hifn Inc.
Those trends have shifted, with companies spending less on raw capacity: IDC's research showed quarter-on-quarter shrinkage of three percent in the storage market last year. Instead, the focus is very much on storage management, with companies seeking to wring every drop of value from their storage infrastructure investment. And at the same time, there is growing understanding that storage environments are not inherently more secure than other network services, and do need tighter control if data is to be protected.
"If you compare spending now versus five years ago, there's a healthy underlying trend," says Mike Alvarado, chairman of SSIF, the Storage Security Industry Forum subgroup of the Storage Networking Industry Association (SNIA). "But there's a focus on reducing costs flat out. There is a lot of demand now to justify how security spending can reduce cost or simplify the storage environment."
Getting to grips with SAN security needs two questions answering: what are the threats, and who are the actual attackers?
The threats to a SAN are not much different to those of a regular switched data network, nor are the consequent security requirements. First and foremost is the need to protect the integrity of the data at rest, whether from accidental damage or attack. Access control is also important: controlling who has access to what. Then there are the needs to protect the data once it is on the network, using encryption to prevent eavesdropping, and preventing denial-of-service attacks.
The source of the attack can be one of three possibilities. It could be an outsider, attacking the network from the wide area, or via a subverted node inside your trusted network; an insider, using knowledge of the system and possibly valid credentials; or even yourself - simple misconfiguration is in fact far more of a threat to SAN integrity than any directed attack.
"By far the greatest angst at the moment is about misconfiguration leading to permanent loss of data," Alvarado says. And, he adds, advanced management tools without suitable safeguards can make matters worse. Virtualization and automation make it possible to manage entire networks quickly and easily, but they also "make it possible to propagate a mistake over a wide area."
Enter SAN security in its management guise - effective access control and auditing on the administrative interfaces can help prevent these sorts of accidents while also protecting the network from malicious attack.
Scott Gordon, vice president of marketing at NeoScale, says other common implementation mistakes include leaving default configurations untouched on storage devices and software, being unaware of which storage components lack backwards compatibility (such as older versus new switch management access controls), and not testing zoning and LUN mapping attributes (for more on zoning and LUN see page 35).
Users are not solely to blame, Alvarado says. Vendor implementations of standards can vary, leaving users no choice but to work around technology flaws. "In particular there have been some PKI and IPsec combinations which are extremely vendor-specific, with no interoperability." Users tend to "connect, deploy and then secure," he says, with the inevitable result that implementations are not as secure as they should be.
The need for standards
Makishima says vendors have spent too much time focusing on single technologies, too. "The main vendor problem today has been a focus on low-level technology issues. For example, up to this point, there has been a lot of attention to data encryption. This is not what users need. They need a system-level solution, including not just encryption but authentication and management, all seamlessly integrated into one."
Alvarado concurs. "You've got to have the ability to take advantage of information in other layers. You need more intelligence in the nodes."
Fortunately, standards are moving in the right direction to ensure interoperability, but are they going far enough? Last year saw the introduction of the Bluefin specifications, launched by the SNIA to provide a baseline for vendors to prove their devices would play nicely together. But Alvarado says that while this is a good step, there is not enough emphasis on specific security needs, and no standards at all in some areas.
He is quick to point out that storage security is neglected in other standards as well, which is having a knock-on effect on corporate deployments. "BS7799 [ISO17799], for example, talks about data protection, but not about the actual storage," he says. As a result, corporate IT policies may not be taking storage security into account.
There are some basic steps to securing a SAN. First of all, raise awareness among everyone concerned, from senior management through to users. Management needs to understand that security is not optional, and that there are benefits (especially cost benefits, when you are talking to management) to be had. Administrators must understand policies, configuration requirements and best practices.
The cost benefits are easier to identify than many believe. A network that is designed for security tends to be less complex and more thoroughly "thought out" than one that is not, Alvarado says. As a result, administrative overhead is lower, the system will be more flexible, downtime can be minimized and, of course, security much stronger.
The next step is to research best practices for your environment. "Most SANs are deployed for single applications," Alvarado says. This may mean that you need to focus more on one component than another, and decide what level of risk is acceptable. In particular, make it your vendor's problem - demand a best-practices and standards roadmap from them, which will clearly identify target areas.
Now audit the system as it stands. Look at existing standards that are in place for components such as access control, encryption, and backup. Identify all the access points that come into the network, all the servers and nodes on the SAN, and the applications that need access.
With that homework done, you can start battening down the hatches. Access control policies can be reviewed and ideally integrated into an enterprise identity management solution. Access points must be firewalled, logged and audited. Encryption must be working, and not preventing network management. If you are using end-to-end encryption, for example, in-band network management is impossible without risking being tied to a single vendor's solution, so you may need out-of-band management.
Be prepared for changes
Finally, test, test and retest. SANs are flexible by design. Users come and go, policies change and new network access points will be introduced. Any change should be tested thoroughly before and after it is introduced into the live SAN.
There are also secondary risks which SAN environments can easily overlook. One of these is backup and recovery, despite the core disaster recovery role played by many SANs, which offer good off-site storage management. The mistake, Alvarado says, is to assume that backup processes are working, or to fail to secure the backup.
"You can have zones and use LUN masking, but is the tape media left unprotected in the hallway prior to the vaulting service picking it up?" asks Gordon. "You can lock down your management ports and implement switch zones while a backup admin working the late night shift takes home a 1/4 terabyte tape in his pocket."
It is common, Alvarado says, for restore procedures to circumvent security policies entirely, throwing caution to the wind in the need to reinstate the data as quickly as possible. As a result, a subverted backup may succeed where an attack on the data in place on the SAN would have failed.
One of the most interesting developments in the SAN world was the introduction of IP networking, away from the switched-fabric model of fibre channel and SCSI. By encapsulating SAN frames into IP packets via standards such as fibre channel over IP (FCIP), or iSCSI, the benefits of both environments can be achieved. Using IP networks yields many benefits, such as easier relocation of storage assets across a WAN, established management tools and the reuse of admin skills.
However, it also introduces new risks, such as denial-of-service against IP-switches, packet sniffing and other man-in-the-middle attacks, and compromises against servers or other devices using IP.
Dedicate the resources
That is largely because the skills and tools required to attack IP networks are far more widespread than knowledge of SAN vulnerabilities, but Alvarado warns that "security through obscurity is not a long-term solution." Avoiding IP will not necessarily keep a SAN secure, especially since many use IP networks for out-of-band management if not actual data traffic.
Overall, the cost of securing a storage network need not be overwhelming. As a rule of thumb, Alvarado estimates that about one to 1.5 percent of a SAN budget should be specifically dedicated to security provisions, but only after all the groundwork (which may itself have costs involved) has been completed.
But how many companies actually set that one percent aside? "From what we see, budgets for SAN security don't necessarily exist as they do in the IP world," says Gordon. "Although awareness and keen interest does exist, and budgets are obtained for specific SAN applications, most SANs seem to be secured after the fact and as an ongoing process."
Without dedicating resources to tackling the specific security technologies and best-practices required by storage security, you may be leaving yourself open to attacks or to accidental loss of data, and missing many cost-savings and management improvements.
Any way you cut it, if your organization is using a SAN, it likely holds the most valuable data you have. Protecting it should be a top priority.
Jon Tullett is SC Magazine's U.K. and online editor.