Plugging Storage Security Holes

SAN and NAS systems have security problems. Here's how to fix them.

Storage systems weren't designed with security in mind. They started out as direct-attached, so if the host was secure, the storage was too. That's all changed.

Fibre Channel storage networks often have multiple switches and IP gateways, allowing access from a myriad of points. Compound this with poor work by systems administrators, new data security laws and recent high-profile cases of consumer information theft, and the need for improved storage security becomes urgent.

But if systems administrators can't follow the basic steps of network storage security, better tools may not help. That's part of the reason why encryption is becoming the most widely adopted solution to the problem.

Misconfiguring logical unit number (LUN) zones and not maintaining network-access lists are two major causes of unauthorized access to storage networks, says Nancy Marrone, an analyst at The Enterprise Storage Group Inc. in Milford, Mass. Another common mistake administrators make is not bothering to change the device default password, according to Dennis Martin, an analyst at Evaluator Group Inc. in Greenwood Village, Colo.

Beyond the human failings, Fibre Channel itself isn't a secure protocol. Through it, application servers can see every device on a storage-area network (SAN). Switch zoning and LUN masking on a storage array can restrict access to devices on a SAN. Zoning segregates a network node either by hard wiring at the switch port or by creating access lists around device world wide names (WWN). Masking hides devices on a SAN from application servers either through software code residing on each device or through intelligent storage controllers that permit only certain LUNs to be seen by a host's operating system.

According to Marrone, managing access through LUN masking works on smaller SANs but becomes cumbersome on large SANs because of the extensive configuration and maintenance.

Encryption Makes Gains

Given these human errors and technology shortfalls, some users are turning to encryption.

Michelle Butler, technical program manager for the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign, manages three SANs—two with 60TB of capacity and one with 40TB. For her, security means that data needs to be encrypted, both when it's in transit and stored on a disk—or "at rest."

"There are some tools out there, but there are also some big gaping holes being left that so far don't seem that interesting to hackers," Butler says.

Nevertheless, the NCSA plans to buy Brocade Communications Systems Inc.'s newly released Secure Fabric operating system and Fabric Manager software. Butler says the products will allow her storage administrators to create network management access-control lists using public-key infrastructure (PKI) technology and device access-control lists based on WWN. The software also offers authentication and encryption for control information or management data on SAN devices.

Examples of the necessity of encryption abound. For instance, in January, a disk drive with 176,000 insurance policies was stolen from Guelph, Ontario-based Co-operators Life Insurance Co.

In response to events like this, California adopted a new law. SB 1386, which went into effect this month, requires any company that stores information about California residents to publicly divulge any breach of security affecting that data within 48 hours.

In addition, Sen. Dianne Feinstein's (D-Calif.) office is finalizing a federal version of the bill—called the Database Security Breach Notification Act—that would provide similar protections to all U.S. residents. The only companies exempt from the California law and the proposed national legislation are those that encrypt data at rest.

Several newly released products address concerns posed by the recent legislation. In April, Mississauga, Ontario-based Kasten Chase Applied Research Ltd. announced its Assurency Secure Networked Storage platform, agent-based software that provides a stripped-down PKI-based authentication and encryption for networked storage devices. The company estimates that a complete encryption system is generally 7% to 10% of the cost of a SAN.

Other Vendors

Another company getting noticed is start-up appliance vendor Decru Inc. in Redwood City, Calif., which uses proprietary software to encrypt data on the storage array, but uses the IPsec protocol on the application server to encrypt data while in transit. Its DataFort security appliances work for for both SANs and network-attached (NAS) storage.

Vormetric Inc. in Santa Clara, Calif., sells an appliance that supports SANs as well as both NAS and direct-attached storage devices and can be used to do high-speed encryption of data at the file system level, on a file by file basis. And NeoScale Systems Inc. in Milpitas, Calif., sells a product called CryptoStor FC, that provides wire-speed, policy-based encryption for SAN and NAS data.

Although most currently available storage security technologies offer encryption, analysts say it's important for users to make sure that the data is encrypted both at rest and while being transmitted across networks.


SAN Security Basics

Maintain current network-access lists.

Get up to speed on the port-zoning method your vendor uses (they're not all the same).

Change default passwords on new hardware.

Design the topology of a SAN with network security administrators.

Encrypt data both at rest and in transit.

Consider carefully how you dispose of old hard drives and backup tapes.

Copyright © 2003 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon