Leaping Hurdles to Safeguard the SAN
The horror stories on storage "insecurity" keep rolling in.
Just in the past month, someone stole the personal information for nearly 120,000 Canadians from Revenue Canada; a bank inadvertently sent detailed information on hundreds of thousands of customers to eBay for auction; and two men posing as computer technicians walked in and out of Sydney Airport, wheeling two computers containing customer databases right out the door in plain view of security guards.
"Managers who know security is a huge problem at the corporate level don't always recognize how insecure their storage networks really are," says Jamie Gruener, a Yankee Group analyst. "Storage security is now emerging as a significant new focus for enterprises and government as part of their compliance and risk management initiatives."
Let's take a look at the increasing prevalence of Storage Area Networks (SAN) insecurity and what IT managers can do to safeguard their storage assets.
There is no doubt that modern-day storage management has greatly increased the value and availability of corporate data. No longer are businesses held ransom by one or two individuals who are the only ones privy to vast stores of data. Under that model, you had to put in a request for a report or some specific data, and after a few days – or even weeks in some cases – you got what you wanted.
But at least that system was relatively secure.
Nowadays, virtualization, storage pooling, and platform/vendor-agnostic architectures make data instantly available across the planet, primarily using the Internet Protocol (IP). But such freedom comes at a price.
The more available data is, the higher the risk of incursion. In response, most companies implement stringent network safeguards. They reason that a combination of anti-virus software, firewalls, and intrusion detection equals a protected SAN. This is faulty logic.
"Most SANs are like M&M's," says Clement Kent, CTO of storage security vendor Kasten Chase Inc., a storage security vendor based in Mississauga, Ontario. "They are hard and crunchy on the outside, and soft on the inside."
The soft center results from the fact that the data within the average SAN lies unprotected. While not a problem if an intruder can't get past the front gate, it makes things all too easy for those that are able to find a way inside. And according to numbers from the FBI and the Gartner Group, 50 to 70 percent of all security vulnerabilities come from within.
Disgruntled employees, industrial espionage, and other internal threats are driving home just how naked SANs really are at the back-end. One analogy is a bank with security guards outside and screens between the tellers and the public, but no vault within to hold the money.
The good news is that awareness is shifting.
"A year ago only a few percent really grasped the issue of SAN insecurity," reports Michele Borovac of Decru, a storage security specialist out of Redwood City, Calif. "Now about 25 percent are aware of the need to lock down SAN data."
Page 2: Locking Down Your SAN
Locking Down Your SAN
So how do you go about locking down a SAN? There are a few key points to address.
The first thing to do is implement a corporate security policy that specifically includes storage security. Organizations that set a thorough security policy for their storage environment will go a long way toward raising the level of employee awareness. Policies should encompass passwords, authentication, and access. Passwords, for example, should probably be no fewer than 10 digits and should include a mix of letters (uppercase and lowercase) and numbers.
The corporate policy should also specify how often passwords are to be changed. Don't get too silly in this regard, however. Some policies are so stringent and demand changes so frequently that they actually drive users into insecure practices.
The second part of the equation is physical security. Locked doors and security guards don't go away. SAN security needs to be safeguarded with a physical presence to prevent theft of hardware and software. Other aspects of physical security to take into consideration include tapes being lost or data not being backed up properly. Devise ways to guard against this happening.
It's also important to continue enforcing existing storage security actions. Like everything else, there is defense in depth and layers of protection. Switch vendors offer zoning, for instance, and array vendors have LUN masking. Utilize all the avenues available to keep storage under wraps.
Another key point is encrypting your SAN's data. By encrypting information before it arrives at the SAN, the organization is effectively eliminating the danger posed by a hacker attack or internal insecurity. If someone creeps past the firewall and browses around in your storage pool, they won't learn very much. Or if someone walks out the door with some of your disks or tapes, they won't be able to decrypt the content.
This only applies, though, if the encryption level is high enough. Recent tests have demonstrated that even 50-bit encryption can be cracked within a few hours using sophisticated tools. The way around this is to increase the bit rate of encryption.
"Every time you add a [single] bit, it gives you double the protection," says Kent. "And 128-bit or above is probably going to be safe for another 50 to 100 years."
While that prediction may be a little optimistic, 128-bit encryption appears good enough at the moment for most uses. The military standard is 256-bit encryption and is known as FIPS 140-2 Level 3.
IT and security managers also need to remember to control internal access.
In addition to general encryption, SAN data can also be broken down according to user constituencies, seniority, and security clearance levels. That means, for example, HR people can't get into the transactional files. Similarly, certain functions, such as storage management, need to be locked down and access restricted to only a select number of people.
The common denominator of SAN insecurity appears to be a lack of differentiation between network and storage security.
"The problem is that few IT professionals understand both security and storage," says the Yankee Group's Gruener. "People have expertise in one discipline or another, but there's not much crossover."
A combination of traditional security measures, coupled with policy and encryption safeguards, is the key. If storage professionals assume that SAN data will eventually get into the wrong hands, no matter how good the perimeter defenses, they will gain a better understanding of the steps that need to be taken to safeguard their SANs.
Feature courtesy of eSecurity Planet.
See All Articles by Drew Robb