Look Both Ways: SAN Safety Precautions
Just when you'd think it would be okay for IT administrators to kick back and relax, they've been presented with a new set of worries: the security of their storage-area networks (SANs).
"SAN security now is where Internet security was five or 10 years ago," says Clement Kent, the vice president of product management for Kasten Chase Applied Research, a security firm based in Mississauga, Ontario.
The need for SANs and other storage techniques to perform at a high level is growing exponentially. Customer relationship management, business intelligence, and other procedures produce ever-higher mountains of data. These and other sales and marketing tools demand data be available instantaneously. Compounding the issue are new regulations, such as the Sarbanes-Oxley Act of 2002 and The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which make exacting demands on how information is processed and stored.
The storage infrastructure is struggling to keep pace. "SANs originally were a few computers talking to a few servers," says Kevin Brown, the vice president of marketing for Decru, a storage security appliance vendor based in Redwood City, Calif. "It was a relatively isolated and controllable environment. It has turned into giant networks with hundreds of devices, many interconnection points, and dozens of people touching [the data]."
There are several ways to think about SANs and storage. At each level — be it physical or electronic — the usual recommendation is a "defense in depth" strategy. As the name suggests, this approach relies on no single procedure or technology to safeguard the SAN. Instead, various security approaches permeate the storage network. IT managers must also recognize the need to prioritize as a way of maximizing budgets. "One of the things we suggest people do is look at which data is most valuable," Kent says. "You spend different amounts of money based on what you are defending."
The next important element is the physical security of the servers and tape backups. There are documented cases of employees simply sailing off with tapes and servers. "It could be as simple as what happens to data stored on tape," says Scott Gordon, the vice president of marketing for NeoScale, a data storage security firm based in Milpitas, Calif. "Tapes can have as much as half a terabyte [of data]. You can put up firewalls, but then someone walks out of the back end with tape media."
Page 2: Protecting Data, Both 'In Flight' and 'At Rest'
Protecting Data, Both 'In Flight' and 'At Rest'
The general high level of network vulnerability, both physical and electronic, means all data must be encrypted. Thus, even if a tape or a storage server is stolen, the data cannot be read. SAN security differs pointedly from other areas of security because it involves two distinct tasks: protecting data that is being transmitted (called data in flight) and data that is sitting idle (called data at rest).
To further complicate things, the type of encryption necessary for data in flight and data at rest are different. The main requirement of data in flight encryption is that it operates at "wire speed" — the speed at which the data is traveling. Conversely, such high-processing speeds are not as vital for data at rest. The key here is that data at rest will sit for a long time. For this reason, it must be protected in a bulletproof manner. Exceptionally strong encryption algorithms, such as military grade AES 256, are often used.
Ultimately, this complexity calls for a centralized hardware device, which has come to be known as a storage security appliance. NeoScale's Gordon says these appliances centralize security functions. Storage security appliances tend to operate transparently, use standards-based approaches, employ high-level encryption, and secure key management procedures. Decru's Brown agrees that a separate device is necessary: "If you try to do it in software, you're toast," he says. "It can't be fast enough."
Port zoning and logical unit number (LUN) masking are two key SAN management tools. At the highest level, these procedures control access to the stored data. Both relate to limiting the ability of outsiders to "see" and gain access to the entire storage network. Port zoning, according to Gordon, involves creating a physical association between the storage device and a particular physical port. If the device is moved, the zone map must be redrawn. LUN masking controls whether a storage device (e.g., a disk array or tape drive) is visible to a host.
SAN security is moving quickly, as it seeks to keep pace with the exploding amount of available data. The task is steep, however. "Most network security is at the perimeter of the network, such as a firewall, VPN, or intrusion detection system," says Brown. "They are guarding just the fence. However, according to the FBI, 50 percent to 80 percent of [security breaches] happen inside the firewall. The problem with stored data is that there are many, many different ways to reach it."
Feature courtesy of ServerWatch.
Back to Enterprise Storage Forum