Risks are relative when assessing the vulnerabilities associated with any system, but the innovations and ever-changing requirements of enterprise storage have introduced more threats to the availability, integrity and confidentiality of today's storage infrastructure.
What have evolved are the corporate demands for greater storage capacity, economies, accessibility, recovery and compliance. The once isolated storage resources are rapidly progressing to more complex, networked and distributed storage models. What were once local administrative errors, can now have more significant impact if not confined. The islands of storage systems and stored sensitive information, once managed by a few, are being consolidated and are accessible by more.
External influences
Possible threats to operations and information have required more distributed, long distance storage capabilities for business continuity – in some cases recovery is managed by third parties. Data that was once closely held at the data center is being stored outside the organization. Backup systems have advanced to provide more data storage on portable tapes, as well as highly accessible virtual tapes on arrays. And a variety of compliance directives (e.g. HIPAA, GLBA, SEC17a, SB-1386, 2002/58/EC, etc.) affect the management of stored data that is trusted, personnel and business transaction oriented.
Security is never free, therefore tradeoffs are determined by assessing business requirements, ranking business application/information, assessing security requirements and risks, and of course, risk mitigation costs. This methodology should be applied to storage security implementation – procedures, recovery, or whatever.
While biting off more than one can chew is arduous, the practice concept is necessary. By focusing on the more obvious mission-critical business applications and information, one can slowly, but surely and more cost-effectively, deliver reliable and secure storage. What is the cost of the information/application if it is not available? Ranking the business application/information value is needed to understand, first, the storage infrastructure, resources, procedures and budgets that support the most important applications, and second, where and how to exert security expenditures.
Once ranked, the next step is to determine an application's infrastructure vulnerability – the probability of it being breached or made unavailable. By assessing the problems and risks associated with supporting storage applications and devices, it is possible to create or utilize security profiles that reduce vulnerabilities. This profile is comprised of appropriate configurations, access controls/authorizations, management processes, and recovery procedures.
The last step is to determine the 'whole' costs associated with reducing or eliminating the threat. The more homogeneous the applications and systems which support an enterprise's storage infrastructure, the easier it will be to document, implement and enforce storage security policies – given that one can reuse similar profiles that exist among the different business applications. There is no one-stop shop for storage security – security is a process that is best served using a layered model that reduces risks within primary storage (online) and secondary storage (nearline and offline) functions.
Examining potential exposures
Upon examination of a storage infrastructure/function, one can assess potential exposures that exist in Fibre Channel, iSCSI, file-based networks and even direct-attached environments. Many such threats are being explored and are in varying stages of being tackled by storage and security vendors, as well as a variety of industry consortiums and standards bodies.
Storage security must address hosts, connections, routing devices, storage devices and media. Security measures that exist today include auditing and monitoring, physical access controls (guards, gates and locks), user/application access controls (system authentication and authorization), system and device configuration management, network security (such as firewall, port segregation/zoning, and tunneling), logical unit number (LUN) masking, as well as file, record and block-level encryption. The more complex the storage models, the more potential layers of data storage protection are required to adequately defend distributed storage.
Hosts are at the edge of storage infrastructures and, if compromised, can potentially access and corrupt stored data. Leveraging existing desktop security countermeasures significantly reduces this risk. This includes configuration management, content filtering, user/application-level access and authentication, authorization services, etc. The adoption of additional storage-centric host-level security will depend on the existing security investment on the host, the cost of implementation, the degree of additional system and administrative overhead, and the application-level granularity that such solutions provide.
Storage networks, as with data networks, are susceptible to known security threats such as system breaches, spoofing, denial-of-service and corruption. Network-attached storage (NAS) allows access to stored data over a data network and facilitates its centralization and management. Beyond traditional data network security, NAS file access protocols have varying degrees of security (e.g. NFSv4 is improved, but not iron- clad). Administrators can use NIS, Active Directory or LDAP services to automate the management of NAS access policies.
The use of stronger authentication protocols, such as Kerberos, can enhance access and authentication of users. To secure the link between host and the NAS server, one can implement data network transport security methods such as IPsec and virtual private networks (VPN). The implementation of firewalls and use of subnets can also segment and refine NAS access over remote networks. It is imperative to lock down the configuration, access and management of NAS servers, directory services servers and routers.
Fibre Channel (FC) storage area networks (SAN) also streamline the management and centralization of stored data, with the added performance derived through the use of FC protocol. FC SANs are generally confined and cannot presently extend to significantly long distances. Currently, native FC does not support link security like tunneling or VPN services. Extension is usually achieved through company-leased/owned dark fiber or IP network transport security methods in conjunction with storage gateways that convert FC protocols to IP.
FC SANs utilize zoning to authorize host access to storage resources between one or more FC switches – essentially restricting SAN-attached entity communications based on either switch ports or worldwide names (WWNs). Port-based zones are designed on tying SAN-attached entities to specified switch port numbers. Any entity that physically connects to the specified switch port becomes a member of the zone. WWNs are associated with an FC host bus adapter (interface card) as well as storage devices (such as disk arrays and tape libraries) and visible to FC switches. Members of a WWN zone are created by grouping the WWNs of SAN-attached servers or devices. This zone can span across multiple switches. Generally, switch zone configurations that rely solely on WWNs are a weak means of SAN entity authentication.
Any port in a zone
The advantage of port zoning is that the members are associated with their physical connected ports – it is not easy to physically access the switch. However, if you move a host or device to another port, the zone membership will have to be re-mapped.
The advantage of WWN zoning is ease of management, as hosts remain in the same zone as they are moved or changed to different switch ports. The disadvantage is that WWNs can be spoofed, or FC packets may be modified or intercepted so as to be identified as a valid WWN member of a zone. Additionally, WWN zones can be of either hard or soft type, determined by the switch capabilities. Hard zone only allows zone members to talk with other zone members, whereas soft zone cannot prevent non-members from communicating to members.
Logical unit number (LUN) masking is another storage security method that controls which storage devices are visible to a host. A LUN is a logical representation of a physical unit of storage, such as a disk array, a tape drive, or a virtualized disk array containing many physical disks. LUN masking can be implemented at the server level by controlling what LUNs a host can see after a query is initiated. This is managed on a per host basis. LUN masking can also be implemented at the storage device in which configuration manages what hosts can see what LUNs.
LUN masking is commonly implemented through intelligent switches. When a device attaches to a switch, it publishes its WWN as well as its LUNs. When a host attaches to a switch, the switch informs the host which devices and associated LUNS it can access. While zoning restricts host access to storage devices, LUN masking is more granular by further restricting host access to units of storage of that device. Note that WWN spoofing can 'circumvent' LUN masking efforts.
Management security at the storage application and device level is, by its very nature, critical. This is especially important given the availability, centralization and management capacities offered by NAS, SAN, directory, routing and backup services. Additionally, most storage applications and devices can be managed remotely.
Should the switch, management server or management application be breached, an attack could result in material compromise of the storage network and pose a serious threat of data corruption. Therefore, most storage systems implement secure access controls, authentication and communications to reduce the threat of application or device hijacking or administration error.
Increasing protection
Even with these security provisions, it is possible that a misconfigured storage device, newly initialized device, or a device with unchanged default settings and passwords could lead to service interruption and data loss or corruption.
Storage vendors have completed or are in the process of implementing such security capabilities as remote login using SSH, or web SSL for a secure connection, two-factor authenticated access, roles-based administrative privileges, granular monitoring and alerting, PKI and strong password protection, and auditing capabilities. The industry has made recent advances concerning SAN entity authentication and the use of encryption to protect the storage infrastructure and stored data.
Authentication and encryption
The Internet Engineering Task Force has proposed IPsec protocols to be implemented in FC-IP to enable fabric tunneling. The FC SAN community, through the International Committee for Information Technology Standard's T-11 technical committee, has specified encapsulating security payload (ESP) to secure transmissions between SAN devices. It provides message authentication and optional encryption to determine how devices will be allowed to attach and communicate.
This will require switches, hosts and devices to manage keys and session key lifetime. For entity authentication, T-11's FCSP committee recently settled on Diffie-Hellman challenge handshake authentication protocol (DH-CHAP). This employs a shared password-based scheme with administration offloaded to a centralized RADIUS type service. In addition, vendors can also incorporate their own digital certificate-based schemes. Given the localton and role of intelligent switches in network storage, it would make sense to enforce authentication at the switch. Vendors are making progress towards adding this standard authentication capability.
Securing data in transit
The internet small computer system interface (iSCSI) is a storage networking protocol to enable SCSI commands to be sent over IP networks. Since iSCSI can connect hosts locally or over long distances to storage resources utilizing existing data networks, it offers a new means to extend storage infrastructures. Another promise of iSCSI is to leverage the internet for such storage communications.Therefore, the IETF has also proposed IPsec for iSCSI. Ultimately, these security services will be inbuilt.
Given the transient risks of data in-flight, the risks associated with data-at-rest are more enduring. While link encryption protects data only while it is in transit between two tunneling devices, encrypting stored data extends protection all the way to the physical media. Encryption can prevent a user or system from accessing sensitive, trusted and regulated information. Storage vendors are exploring means to provide data encryption and advanced access control services to both primary and secondary storage without adding high costs, impacting performance or increasing complexity.
Locking the storage vaults
Three factors driving additional encryption and access control services ar econsolidation, remote data storage and data privacy compliance. Data storage encryption must take into account the media type, algorithm/key strength, key manageability, reliability, performance, expense and application. Encryption algorithms determine the encryption strength , how fast the algorithm works, and how keys are qualified, implemented, exchanged, protected and maintained. The two leading strong encryption algorithms are the advanced encryption standard (AES) and triple data encryption standard (3DES).
Deeper levels of encryption
Encryption can be implemented by the application, at the host or through a storage security device both at the file level, record level or the block level. Encrypting stored data-at-rest requires maintaining file meta data and compression rates for block data going to tape, so as to be non-disruptive.
Application or software-based encryption processes can provide strong, application data protection, encrypting files or block-based data on the host. Considerations associated with application or software-based encryption include the impact on system and application response, as well as key management and protection. Use of host-based encryption cards may offer a means to off-load encryption and authentication processing.
Granular encryption
Record-level data protection means applying encryption processes to portions of a database. This offers a very granular means to protect sensitive data, but may have similar considerations to that of application-based encryption. Dedicated appliances for storage security services provide an alternative route for data protection and access control. By employing the encryption and access control functionality and processing in a built-for-purpose device, policies can be enforced, keys protected and management centralized, while the storage processing remains intact. Reliability, performance, scalability, interoperability and transparent compression are all important considerations.
Since storage security is relative to the business application and its supporting storage infrastructure, a risk mitigation methodology is a sound way to strengthen storage availability, reliability and privacy.
Scott Gordon is vice president of marketing, NeoScale Systems, Inc. (www.neoscale.com)
Article Published Online December 2003
