Storage Security: Getting Beyond M&M SANs
Like the candy-coated treats, SANs are an irresistible lure to criminals that can't wait to get to the soft, sweet center.
"Most SANs are like M&Ms" — hard and crunchy on the outside and soft on the inside.
This observation on Storage Area Network (SAN) design comes from Clement Kent, the Chief Technical Officer of security firm Kasten Chase, Inc. He makes a vital point. Companies spend precious resources hardening the outer network shell with firewalls, passwords, certificates, and keys, but all too often the center – the actual data – is left as vulnerable as ever. Let's look at what it takes to secure a SAN all the way from the edge to the core.
Keep the Shell Hard
Opening the enterprise data farm to corporate users in far-flung remote offices makes data more usable and more valuable, but it also makes it far more vulnerable. Hackers and crackers continue to probe industrial defenses using new attack technologies, making it essential to deploy the latest developments in intrusion detection, firewalls, hardened switches and routers, and management systems.
Storage administrators must not make the mistake of leaving everything to network personnel. At the very least, they must stay current with perimeter defense technology and wage a constant funding campaign for new tools and upgrades.
Harden the Core
Imagine the consequences if a criminal walked off with the daily backup tapes — blackmail, class-action lawsuits, or corporate train wrecks would be real possibilities as a result. Storage personnel should always take the viewpoint that the bad guys could at some point succeed in their efforts, so steps must be taken to minimize the value of what the thieves might obtain.
This viewpoint is the first step toward real SAN security. If the data on the stolen backup tapes is encrypted, the criminal gains nothing and the company is safeguarded.
Still, storage encryption technology is not absolutely perfect, and SAN architects should not delude themselves by thinking otherwise. Given time and teraflops, a criminal can beat even 128-bit encryption. But storage encryption does wrap the data in yet another protective layer and hardens the core of any SAN. Storage encryption appliances such as Decru's Data Fort, Kasten Chase's Assurency SecureData, and NeoScale Systems' CryptoStor provide security without a costly performance hit. Using separate keys for data compartments can create an access control layer on top of the hardware zoning and LUN masking underneath.
Security is everyone's responsibility, but unless one person is given the responsibility and authority to oversee all areas of corporate security, the company can expect to have gaps in its coverage. A single appointed security manager can bridge the gap between network security and storage security specialists. Make the security manager the security policy approver, so that all conflicting procedures can be resolved through him or her, and gaps between boundaries can be eliminated.
Also solicit input from Human Resources to ensure that security policies have real teeth and unpleasant consequences for employees who slide off the straight and narrow. Obtain corporate buy-in to spread security awareness and responsibility to all parts of the company. These are vital steps, as end-to-end SAN security does not come cheap.
By Mike Harwood
January 27, 2004
IP-based SANs are attractive alternatives to their more expensive and complex Fibre Channel counterparts, but securing IP communications remains a significant concern. In our latest Storage Basics article, Mike Harwood examines how the IP Security Protocol (IPSec) can ensure the security of your iSCSI storage network's data.