In insecure times, security threats seem to be everywhere. When even little old ladies are made to take off their shoes for the airport x-ray machines, you know that everyone is a suspect until proven otherwise. SAN technology, which in its early career avoided strip searches before entering the data center, is also now coming under the security spotlight. As one SAN security vendor, NeoScale Systems, proclaims, “Availability Means Risk.” The fact that a storage area network facilitates availability of shared storage assets therefore makes SANs inherently insecure and a potential target of the Evil-Doers (whomever they may be).
As with most corporate networks, though, the main security threat is not from external malefactors, but from internal sources — bored or disgruntled employees, or simply the innocent administrator who inadvertently enables unauthorized access to departmental data. Because SANs create a neighborhood in which vital corporate data resides, a secure SAN should be a gated community with restricted and verifiable access. In practice, though, few companies implement anything more than simple physical isolation to safeguard their SANs. A SAN sitting behind the coded lock of a data center door may enjoy some protection from curious passersby, but it’s still exposed to security breaches or disruption by anyone who knows which buttons to push.
In addition, not everything stays within the data center. Traditional tape vaulting, for example, regularly transports terabytes of corporate information assets across public roads in the questionable security of a van or truck. The local area network used for SAN management may likewise exit the data center and attach to the corporate LAN and WAN. In the latter case, while it might not be possible for someone outside the data center to access storage data directly, the possibility certainly exists to use management to rezone server/storage assignments and provide a path to otherwise restricted data, or to execute a denial of service attack by resetting SAN switches.
Rudimentary Security Opens Door for SAN Security Breaches
Unlike conventional IP networking security issues, security breaches in a SAN can have a permanent and devastating effect. Corruption of current data on disk or tape is absolute and recoverable only to the latest snapshot or backup version. For the highest degree of data integrity, synchronous data replication at least ensures that a current copy of real-time data is secured elsewhere.
But even synchronous copy cannot protect against all deliberate or inadvertent intrusions. At one company, for example, an administrator swapped a blank disk drive into a primary array, thinking he was actually swapping it into the secondary mirror. As a consequence, current data on the secondary was deleted. The array itself provided no safeguards to prevent this inadvertent action.
To date, SAN vendors have provided only rudimentary options for safeguarding storage access. LUN masking and zoning are commonly used to ensure that only authorized servers have access to designated storage arrays. Both parameters, however, can be changed via the management interface, creating an opportunity for reassignment from an authorized server to an unauthorized server or workstation. Access Control Lists (ACLs) are another option for providing rudimentary verification, and prevent, for example, a newly introduced server from automatically logging on to the SAN fabric.
These frontline defenses are primarily aimed at circumventing administrative errors, but cannot withstand deliberate attempts to bypass authorized configurations. Management interfaces may be password protected, but once the password is cracked, a management utility, which is typically intuitive by design and offers online help, could be deciphered even by the uninitiated.
Two Primary Areas of Risk Exposure
In networked storage environments, data has two primary areas of risk exposure. Data in flight is exposed as it traverses the SAN infrastructure from source to destination. During transit, there is the risk that the data can be captured, copied, or redirected to unauthorized users. Data at rest is exposed as it is written to disk or tape. Disk drives can be removed from cabinets, or tape cartridges taken elsewhere, and the original data restored. These potential areas of vulnerability were generally ignored by vendors and customers alike, since it seemed unlikely that someone would be able to tap into a Fibre Channel SAN and wreck havoc.
A Fibre Channel analyzer, for example, only captures 1-2 seconds of data transport. That could, however, translate into hundreds of megabytes of customer data, bank account information, and PIN numbers. A seemingly innocent Fibre Channel trace of a backup operation taken by a third-party service technician and sent by email to a support organization could therefore pose a significant security concern.
Crypto techniques (authentication and data encryption) add an incremental level of security for data in flight and at rest, but cannot provide an absolute safeguard for storage. For data in flight, authentication and encryption can ensure that sniffing the SAN transport will not yield usable data. This is especially applicable to IP storage environments, where data may be traveling over untrusted local or wide area network segments.
Current encryption products can perform near wire-speed data encryption for gigabit networks, so there is no longer a severe performance penalty in providing in-flight security. For data at rest, new security products from NeoScale and other vendors provide payload encryption for data on Fibre Channel links just prior to writing to disk or tape. Anyone absconding with encrypted disk drives or tape cartridges would require enormous processing resources and time to attempt data recovery.
Heightened Security Awareness Breathes New Life into SAN Security
Although government organizations are obvious markets for the more sophisticated SAN security solutions, heightened consciousness on security issues is beginning to permeate commercial and particularly financial organizations as well. As recent events have shown, modern commerce is run over a thin veneer of technological infrastructure, beneath which is a potentially unstable foundation of shifting social, political, and geologic forces.
Companies are realizing they must safeguard their information assets as a precondition to business survival. Storage data must be replicated at a respectable distance from potential disruption, the availability of data reinforced, data in flight and at rest secured, and systems protected even from the friendly fire of inattentive or overworked administrators. Security audits that previously focused solely on the external IP network must now necessarily include storage and SAN components as well.
Whether a company feels that their SAN infrastructure is vulnerable to overt or unintended security violations is a subjective judgment call. Objectively, any system based on a peer-to-peer network has security exposure. On the other hand, budget and support considerations may push security to the background, at least until some major incident disrupts storage access. As with disaster recovery, many customers stop procrastinating only after a disaster has occurred. For customers who realize they must address SAN security, however, well-established procedures from traditional networking plus new SAN-specific security products are enabling them to build better security for their storage data.