Features - Enterprise Data Insights:
STORAGE SECURITY -- WHAT, HOW, WHY
By Scott Gordon,
of Marketing, NeoScale Systems Inc
Why enterprise storage security? Is the sky falling? Are new exposures
overwhelming the storage foundation on which modern data centers are built?
Put that way, the premise sounds exaggerated.
Risk has always been relative when it comes to assessing the real
vulnerability associated with any system. But storage innovations and business
requirements have introduced risks that can threaten the availability,
integrity and confidentiality of today's storage infrastructures. A recent
survey, by PricewaterhouseCoopers and CIO Magazine, of almost 8,000 CIOs
indicated that stored data being unavailable, compromised or lost was the top
security issue in 2003. This paper will cover the broad topic of enterprise
storage security: the drivers and applications; risk reduction methodology;
threats within networked and distributed storage; available security
capabilities and practices; industry progress; data encryption advances; and
general storage security best practices.
What has evolved is the corporate demand for greater storage capacity,
economy, accessibility, recoverability and compliance. Once-isolated storage
resources are rapidly giving way to more complex, networked and distributed
storage models, and an administrative error that once stayed local can now
have a much wider impact. Islands of storage systems and sensitive stored
information that were once managed by a few are being consolidated and made
accessible to many. Threats to operations and information have driven more
distributed, long-distance storage for business continuity, and in some cases
recovery is managed by third parties, so data once closely held in the data
center is now stored outside the organization. Backup systems have advanced to
put more data on portable tapes, as well as on highly accessible virtual tapes
on disk arrays. In addition, a variety of compliance directives (e.g. HIPAA,
GLBA, SEC17a, SB-1386, 2002/58/EC, etc.) affect the management of stored data
that is trusted, personnel and business transaction
Risk Reduction Methodology
Security is never free -- there are costs in terms of capital, implementation,
maintenance and system impact. Tradeoffs are therefore settled by assessing
business requirements, ranking business applications and information,
assessing security requirements and risks and, of course, mitigating risk.
This risk mitigation methodology, already used in network security, business
continuity, etc., should be applied to storage security as well. Trying to do
everything at once is arduous, but the disciplined approach is necessary. By
focusing first on the most obvious, mission-critical business applications and
information, one can slowly, but surely and more cost-effectively, deliver
reliable and secure storage. What does the information or application cost the
business if it is unavailable, stolen or corrupted? Ranking the value of
business applications and information is needed to understand the storage
infrastructure, resources, procedures and budgets that support the most
important applications, and where and how to spend on security.
Once ranked, the next step is to determine an application's infrastructure
vulnerability -- the probability of being breached or made unavailable. By
assessing the problems and risks associated with supporting storage
applications and devices, one can create/utilize security profiles that reduce
vulnerabilities. This profile is comprised of appropriate configurations,
access controls/authorizations, management processes and recovery procedures.
Lastly, determine the "whole" costs associated with reducing or eliminating
the threat. The more homogeneous the applications and systems that support an
enterprise's storage infrastructure, the easier it is to document, implement
and enforce storage security policies, since a profile built for one business
application can be reused for others like it.
There is no one-stop shop for storage security -- security is a process that
is best served using a layered model that reduces risks within primary storage
(online) and secondary storage (nearline and offline) functions.
Threats And Defenses
Upon examination of a storage infrastructure or function, one can assess the
potential exposures that exist in Fibre Channel, iSCSI and file-based networks,
and even in direct-attached environments. Many such threats are being explored
and are in varying stages of being tackled by storage and security vendors, as
well as by industry consortia and standards bodies including the Storage
Networking Industry Association (www.snia.org), the Internet Engineering Task
Force (www.ietf.org) and the International Committee for Information Technology
Standards (INCITS) Technical Committee T11.
Storage security must address hosts, connections, routing devices, storage
devices and media. Security measures that exist today include: auditing and
monitoring, physical access controls (guards, gates and locks),
user/application access controls (system authentication and authorization),
system and device configuration management, network security (such as
firewalls, port segregation/zoning and tunneling), logical unit number (LUN)
masking, as well as file-, record- and block-level encryption. The more complex
the storage models (e.g., consolidation, disaster recovery, peer production
sites, remote backup, and managed services), the more potential layers of data
storage protection required to adequately defend distributed storage.
Hosts sit at the edge of the storage infrastructure and, if compromised, can
potentially read and corrupt stored data. Leveraging the host security
countermeasures already in place significantly reduces this risk: configuration
management, content filtering, user/application-level access and
authentication, authorization services, etc. The adoption of additional
storage-centric host-level security will depend on the existing security
investment on the host, the cost of implementation, the degree of additional
system and administrative overhead and the application-level granularity that
such a solution provides.
Storage networks, as with data networks, are susceptible to known security
threats such as system breach, spoofing, denial of service, unauthorized
access, internal attack, media theft, data theft and corruption.
Network-attached storage (NAS) allows access to stored data over a data
network and facilitates its centralization and management. Beyond traditional
data network security, NAS file access protocols offer varying degrees of
security (e.g. NFSv3 with AUTH_SYS trusts whatever user ID the client asserts;
NFSv4 is improved, but not iron-clad). Administrators can leverage NIS, Active
Directory or LDAP services to automate the management of NAS access policies.
Stronger authentication protocols, such as Kerberos, can improve user
authentication and access control. To secure the link between host and NAS
server, one can implement data network transport security methods such as
IPsec and virtual private networks. Firewalls and subnets can also segment and
refine NAS access over remote networks. Clearly it is imperative to lock down
the configuration, access and management of NAS servers, directory services
servers and routers.
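As an added example (written for this page, not code from the original article), the following Python script audits NFS export definitions for the weak settings the paragraph warns about: wildcard host lists, AUTH_SYS (sec=sys, which is also what nfsd falls back to when no sec= option is given) instead of Kerberos, root_squash disabled, and the insecure option. The /etc/exports content it checks is constructed for the example; point parse_exports at a real file to audit a NAS head that uses this syntax.

```python
"""Audit NFS export definitions for weak access-control settings.

Added example for this page; not code from the original article.
Checks each client entry of an /etc/exports-style file for:
  * wildcard host lists          (any client, or any host in a DNS domain)
  * non-Kerberos authentication  (sec=sys trusts the UID the client asserts;
                                  it is also the default when sec= is absent)
  * root_squash disabled         (remote root becomes root on the export)
  * the 'insecure' option        (requests accepted from unprivileged ports)
"""
import re

# Constructed sample exports file for the example (not from any real host).
SAMPLE_EXPORTS = """\
# shared engineering data
/export/eng   *(rw,sync,no_root_squash)
/export/hr    10.1.2.0/24(rw,sync,sec=krb5p,root_squash)
/export/pub   *.example.com(ro,sync,sec=sys)
/export/bak   10.1.9.7(rw,sync,sec=krb5i,insecure)
"""

# Kerberos security flavours: authentication only, plus integrity, plus privacy.
STRONG_SEC = {"krb5", "krb5i", "krb5p"}

EXPORT_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Return (path, host, [options]) for every client entry in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        for cm in CLIENT_RE.finditer(m.group("clients")):
            opts = [o.strip() for o in (cm.group("opts") or "").split(",")
                    if o.strip()]
            entries.append((m.group("path"), cm.group("host"), opts))
    return entries


def audit_exports(text):
    """Return a list of (path, host, issue) findings."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "*" in host or "?" in host:
            findings.append((path, host, "wildcard host list"))
        if "no_root_squash" in opts:
            findings.append((path, host, "root_squash disabled"))
        # Without an explicit sec= option, nfsd falls back to AUTH_SYS.
        sec = "sys"
        for o in opts:
            if o.startswith("sec="):
                sec = o[len("sec="):]
        weak = [f for f in sec.split(":") if f not in STRONG_SEC]
        if weak:
            findings.append((path, host,
                             "non-Kerberos auth accepted: " + ",".join(weak)))
        if "insecure" in opts:
            findings.append((path, host,
                             "insecure: unprivileged source ports allowed"))
    return findings


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {host:16} {issue}")
```

Only /export/hr comes out clean: an address-range client list, Kerberos with privacy, and root squashed. The others show the three habits that undermine NAS access control even when the directory service behind it is sound.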
Fibre Channel (FC) SANs also streamline the management and centralization of
stored data, with the added performance of the FC protocol.
FC SANs are generally confined and can not presently extend to significantly
Currently, native FC does not support link security such as tunneling or
virtual private network (VPN) services. Extension is usually accomplished over
company-leased or owned dark fiber, or over IP network transport security
methods in conjunction with storage gateways that carry FC traffic over IP.
FC SANs use zoning to authorize host access to storage resources across one or
more FC switches, essentially restricting which SAN-attached entities may
communicate, based on either switch ports or World Wide Names (WWNs). Port
zones tie SAN-attached entities to specified switch port numbers: any entity
that physically connects to a specified switch port becomes a member of the
zone. WWNs are associated with an FC host bus adapter (HBA) as well as with
storage devices (such as disk arrays and tape libraries) and are visible to FC
switches. A WWN zone is created by grouping the WWNs of SAN-attached servers or
devices, and such a zone can span multiple switches. Generally speaking, zone
configurations that rely solely on WWNs are a weak means of SAN entity
authentication, because the WWN is simply asserted by the HBA at fabric login.
The advantage of port zoning is that members are tied to the physical ports
they connect to, and physical access to the switch is not easy to obtain.
However, if a host or device is moved to another port, its zone membership
must be re-mapped. The advantage of WWN zoning is ease of management, since
hosts stay in the same zone when they are moved to different switch ports. The
disadvantage is that WWNs can be spoofed (for example, by swapping HBAs, or by
intercepting and modifying FC frames) so that an attacker is identified as a
valid WWN member of a zone. Additionally, zones may be enforced as hard or
soft zones, depending on switch capabilities. A hard zone is enforced in the
switch itself, which delivers frames only between zone members; a soft zone is
enforced only in the fabric name server, which hides non-members from each
other but cannot stop a non-member that already knows a member's fabric address
from sending frames to it.
LUN masking is another storage security method; it controls which logical
units on a storage device are visible to a given host. A logical unit number
(LUN) identifies a logical unit exported by a storage device: a single disk, a
tape drive, a RAID volume carved from many physical disks in a virtualized
array, etc. LUN masking can be implemented at the server, by filtering which
LUNs the host exposes to its operating system after a discovery query; this is
managed through the driver and HBA, per host, and so offers no protection once
that host is compromised. It can also be implemented at the storage device,
where the array configuration determines which host WWNs may see which LUNs,
and some intelligent switches implement it as well: when a device attaches, it
publishes its WWN and its LUNs, and when a host attaches, the switch informs
the host which devices and LUNs it may access. While zoning restricts host
access to storage devices, LUN masking is more granular, further restricting
host access to units of storage within a device. Note that because masking at
the array or switch keys on the initiator's WWN, WWN spoofing can "circumvent"
LUN masking as readily as it circumvents WWN zoning.