
Plugging Storage Security Holes

SAN and NAS systems have security problems. Here's how to fix them.

July 21, 2003 12:00 PM ET

Computerworld - Storage systems weren't designed with security in mind. They started out as direct-attached, so if the host was secure, the storage was too. That's all changed.


Fibre Channel storage networks often have multiple switches and IP gateways, allowing access from a myriad of points. Compound this with poor work by systems administrators, new data security laws and recent high-profile cases of consumer information theft, and the need for improved storage security becomes urgent.


But if systems administrators can't follow the basic steps of network storage security, better tools may not help. That's part of the reason why encryption is becoming the most widely adopted solution to the problem.


Misconfiguring logical unit number (LUN) zones and not maintaining network-access lists are two major causes of unauthorized access to storage networks, says Nancy Marrone, an analyst at The Enterprise Storage Group Inc. in Milford, Mass. Another common mistake administrators make is not bothering to change the device default password, according to Dennis Martin, an analyst at Evaluator Group Inc. in Greenwood Village, Colo.


Beyond the human failings, Fibre Channel itself isn't a secure protocol. Through it, application servers can see every device on a storage-area network (SAN). Switch zoning and LUN masking on a storage array can restrict access to devices on a SAN. Zoning segregates a network node either by hard wiring at the switch port or by creating access lists around device world wide names (WWN). Masking hides devices on a SAN from application servers either through software code residing on each device or through intelligent storage controllers that permit only certain LUNs to be seen by a host's operating system.


According to Marrone, managing access through LUN masking works on smaller SANs but becomes cumbersome on large SANs because of the extensive configuration and maintenance.
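The combined effect of WWN-based zoning and LUN masking described above can be modeled as a small audit. This is an added example, not code from the article or from any vendor; the WWNs, zone names, LUN numbers and inventory are constructed sample data, and the dictionary layout is an assumption rather than a real switch or array export format.

```python
# Constructed sample data: every WWN, zone name and LUN id below is made up.
INVENTORY = {  # WWNs the administrators currently account for
    "10:00:00:00:c9:aa:00:01": "app-server-1",
    "10:00:00:00:c9:aa:00:02": "app-server-2",
    "50:06:01:60:bb:00:00:01": "array-port-A",
}
ZONES = {  # soft zoning: access lists built around device WWNs
    "zone_app1": {"10:00:00:00:c9:aa:00:01", "50:06:01:60:bb:00:00:01"},
    "zone_app2": {"10:00:00:00:c9:aa:00:02", "50:06:01:60:bb:00:00:01",
                  "10:00:00:00:c9:aa:00:99"},  # retired host never removed
}
LUN_MASKS = {  # per array port: initiator WWN -> LUNs the controller exposes
    "50:06:01:60:bb:00:00:01": {
        "10:00:00:00:c9:aa:00:01": {0, 1},
        "10:00:00:00:c9:aa:00:02": {2},
        "10:00:00:00:c9:aa:00:99": {2},  # stale mask entry
    },
}

def visible_luns(initiator):
    """LUNs an initiator can reach: it must share a zone with the array
    port AND appear in that port's LUN mask."""
    seen = {}
    for port, mask in LUN_MASKS.items():
        zoned = any(initiator in m and port in m for m in ZONES.values())
        if zoned and initiator in mask:
            seen[port] = set(mask[initiator])
    return seen

def audit():
    """Flag zone and mask entries whose WWN is no longer in the inventory,
    i.e. access lists that were not maintained."""
    known = set(INVENTORY)
    findings = []
    for zone, members in sorted(ZONES.items()):
        for wwn in sorted(members - known):
            findings.append(("unknown-wwn-in-zone", zone, wwn))
    for port, mask in sorted(LUN_MASKS.items()):
        for wwn in sorted(set(mask) - known):
            findings.append(("unknown-wwn-in-mask", port, wwn))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(finding)
    print(visible_luns("10:00:00:00:c9:aa:00:99"))
```

In the sample data the retired host's WWN still resolves to LUN 2, which is the kind of unauthorized access that an unmaintained access list leaves open.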


Encryption Makes Gains


Given these human errors and technology shortfalls, some users are turning to encryption.


Michelle Butler, technical program manager for the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign, manages three SANs—two with 60TB of capacity and one with 40TB. For her, security means that data needs to be encrypted, both when it's in transit and stored on a disk—or "at rest."


"There are some tools out there, but there are also some big gaping holes being left that so far don't seem that interesting to hackers," Butler says.


Nevertheless, the NCSA plans to buy Brocade Communications Systems Inc.'s newly released Secure Fabric operating system and Fabric Manager software. Butler says the products will allow her storage administrators to create network management access-control lists using public-key infrastructure (PKI) technology and device access-control lists based on WWN. The software also offers authentication and encryption for control information or management data on SAN devices.


