According to legend, when bank robber Willie Sutton was asked why he robbed banks he replied “because that’s where the money is.” In his autobiography, Sutton denies ever having made that statement, but the quote nevertheless persists.
Regardless of its truth, this story has important security implications for enterprise storage managers. Widely distributed storage such as traditional direct attached storage (DAS) doesn’t present much of an attraction to hackers, since it requires too much work for a low chance of return.
But with server consolidation, Network Attached Storage (NAS) and Storage Area Networks (SANs) bringing a corporation’s intellectual assets into one location (virtual or otherwise), these attractive data repositories must be protected like Fort Knox. Unfortunately, organizations have been slow to realize this.
“Direct attached storage has good security, but NAS has definite security issues and weaknesses,” says Brandon Hoff, McData Corp.’s (Broomfield, Colo.) advisor to the Storage Networking Industry Association’s (SNIA) Storage Security Industry Forum (SSIF). “Centralizing and globalizing storage means that it is exposed on the network.”
Perimeter defenses such as firewalls (sometimes) keep hackers out, honey pots (sometimes) divert them, and intrusion detection systems (hopefully) catch invaders before they do too much damage. At least that is the theory. Ninety percent of respondents to the FBI/Computer Security Institute’s 2002 Computer Crime and Security Survey, however, reported that they had detected computer security breaches within the previous 12 months. We don’t know whether the other 10% had adequate security protection, or simply lacked the means to detect the breaches that were happening.
While most of these attacks are small scale, some make the headlines such as the incident in early February where someone hacked into a database containing 8 million Visa, Mastercard and American Express credit card account numbers.
Then there are the inside jobs, such as the employee of credit report processing firm Teledata who was arrested last year for accessing the credit reports of more than 30,000 people and selling them to criminals for $60 each, or the employee of ISM Canada who is accused of stealing a hard drive containing personal information on more than one million customers.
“Consolidation of resources opens storage up to a number of security risks that did not exist in the past,” says Nancy Marrone, senior analyst for the Enterprise Storage Group (Milford, Mass.). “Administrators now need to make sure each client is secure, and that each portal to the storage itself cannot be breached.”
Although companies have their own business reasons for protecting storage assets from destruction or illegal access, there is now outside pressure to ensure they do so. At least two of the above incidents, for example, have resulted in the filing of class-action lawsuits.
In addition, there are a growing number of laws regulating the field. Companies doing business in Europe must comply with the EU Data Protection Directive, which lays out strict rules regarding the gathering, storage and transmission of personal data.
In the United States, there is the Health Insurance Portability and Accountability Act (HIPAA) which similarly sets data privacy standards and the Gramm-Leach-Bliley Act which applies specifically to financial records.
Further, the State of California last September passed Senate Bill 1386, which mandates that, beginning July 1, 2003, companies must notify California residents whenever a security breach results in their personal data being acquired by an unauthorized person. This applies whether or not the data is stored in California. Such announcements could have severe implications for stockholder as well as public confidence.
“CEOs and CFOs have recently become far more interested in storage security,” says Hari Venkatacharya, senior vice president of Secure Networked Storage for Mississauga, Ontario-based data security firm Kasten Chase, “since they have to sign off on it for regulations such as HIPAA.”
Storage Security Scramble
According to analysts, there is no quick fix that will instantly protect enterprise storage assets. Instead, it requires a comprehensive, end-to-end enterprise solution.
“Companies need to assess the vulnerability of storage from multiple perspectives,” says Marrone. “After assessing, they need to make sure they have every access point secured and, if they have particularly sensitive data, they should look into further protecting it through encryption of the data at rest.”
Several companies have released appliances specifically designed to do this type of encryption, including NeoScale Systems, Inc.’s (Milpitas, Calif.) CryptoStor FC, Vormetric, Inc.’s (San Jose, Calif.) CoreGuard, and Decru, Inc.’s (Redwood City, Calif.) DataFort.
Kasten Chase Applied Research, meanwhile, takes a non-appliance approach with its Assurency Secured Network Storage.
“The vulnerability in using an appliance is that it doesn’t scale as well,” says Venkatacharya. “In addition, an encryption appliance can affect LUN masking [the access control that makes a Logical Unit Number, the identifier of a logical storage device behind a SCSI or Fibre Channel target, visible only to designated hosts].”
In addition to the new storage security software and devices which are coming out, SNIA has also been working with the industry to formulate much needed standards for security.
“The Storage Security Industry Forum is working to establish best practices and to educate customers,” says Hoff. “Security is 80% planning and 20% implementation.”
The American National Standards Institute (ANSI), too, is addressing the area of security standards through the Fibre Channel Security Project (FC-SP). FC-SP operates under ANSI’s Technical Committee T11, the body which works in the fields of Fibre Channel and storage network management.
The Internet Engineering Task Force (IETF) is also involving itself in the issue through its IP Storage Group (IPS). IPS is not developing its own standards so much as adapting those set forth by T11 and T10 (SCSI) for use in transmitting storage blocks over an IP network, rather than over Fibre Channel or SCSI. In particular, it is addressing the areas of security, naming, discovery and configuration.
“The industry wants to establish one standard for security,” Hoff continues. “We want to take the established networking best practices and adapt them to storage since network administrators already understand those standards.”
With all these new standards, devices and software hitting the market, security then comes down to that final 20% Hoff spoke of — putting it in place on individual storage systems.
As the SQL Slammer worm illustrated, getting people to keep their systems patched and secure is still a weak point. But if you don’t, Willie Sutton’s IT progeny are standing by to pay your storage a visit.