The horror stories on storage insecurity keep rolling in.
Just in the past month, someone stole personal information about 120,000 Canadians from Revenue Canada; a bank inadvertently sent detailed information on hundreds of thousands of customers to eBay for auction; and two men posing as computer technicians walked into Sydney Airport, wheeling two computers containing customer databases right out the door in plain view of security guards.
”Managers who know security is a huge problem at the corporate level don’t always recognize how insecure their storage networks really are,” says Jamie Gruener, a Yankee Group analyst. ”Storage security is now emerging as a significant new focus for enterprises and government as part of their compliance and risk management initiatives.”
We’ll look at the increasing prevalence of Storage Area Networks (SAN) insecurity and what IT managers can do to safeguard their storage assets.
There is no doubt that modern-day storage management has greatly increased the value and availability of corporate data. No longer are businesses held ransom by one or two individuals who are the only ones privy to vast stores of data. Under that model, you had to put in a request for a report or some specific data and after a few days, or weeks, you got what you wanted.
But at least that system was relatively secure.
Nowadays, virtualization, storage pooling, and platform/vendor agnostic architectures make data instantly available across the planet, using Internet Protocol (IP) primarily. But such freedom comes at a price.
The more available it is, the higher the risk of incursion. In response, most companies implement stringent network safeguards. They reason that anti-virus software, firewalls and intrusion detection equals a protected SAN. This is faulty logic.
”Most SANs are like M&M’s,” says Clement Kent, CTO of storage security vendor Karsten Chase Inc., a storage security vendor from Mississauga, Ontario. ”They are hard and crunchy on the outside and soft on the inside.”
The soft center is the fact that the data within the average SAN lies unprotected. While not a problem if you can’t get past the front gate, it makes things all too easy for those who find a way inside. Yet according to FBI and Gartner Group numbers, 50 percent to 70 percent of security vulnerabilities come from within.
”The problem is that few IT professionals understand both security and storage,” says Gruener. ”People have expertise in one discipline or another, but there’s not much crossover.”
Disgruntled employees, industrial espionage, and other internal threats are driving home just how naked SAN’s really are at the back end. One analogy is a bank with security guards outside and screens between the tellers and the public, but no vault to hold the money.
The good news is that awareness is shifting.
”A year ago only a few percent really grasped the issue of SAN insecurity,” says Michele Borovac of Decru, a storage security specialist out of Redwood City, Calif. ”Now about 25 percent are aware of the need to lock down SAN data.”
Locking Down a San
So how do you go about locking down a SAN? There are a few keys points to address.
The first thing to take stock of is a corporate security policy. Organizations that set a through security policy for their storage environment will go a long way toward raising the level of employee awareness. Policies should encompass passwords, authentication and access. Passwords, for example, should probably not be less than 10 digits and should include a mix of letters, upper case and lower case, and numbers.
And the corporate policy should specify how often passwords are to be changed. Don’t get too silly in this regard, however. Some policies are so stringent and demand changes so frequently, that they actually drive users into insecure practices.
The second part of the equation is physical security. Locked doors and security guards don’t go away. SAN security needs to be safeguarded with a physical presence to prevent theft of hardware and software. Other aspects of physical security include tapes being lost or data not being backed up properly. Devise ways to guard against this happening.
Continue existing storage security actions. Like everything else, there is defense in depth. Switch vendors offer zoning, for instance, and array vendors have LUN masking. Utilize all the avenues available to keep storage under wraps.
Encrypt SAN data. By encrypting information before it arrives at the SAN, the organization is effectively eliminating the danger posed by a hacker attack or internal insecurity. If someone creeps passed the firewall and browses around in your storage pool, they won’t learn very much. Or if someone walks out the door with some of your disks or tapes, they won’t be able to decrypt the content.
That applies, though, only if the encryption level is high enough. Recent tests have demonstrated that even 50-bit encryption can be cracked within a few hours using sophisticated tools. The way around this is to increase the bit rate of encryption.
”Every time you add a bit, it gives you double the protection,” says Kent. And 128-bit or above is probably going to be safe for another 50 to 100 years.”
While that prediction may be a little optimistic, 128-bit encryption appears good enough at the moment for most uses. The military standard is 256-bit encryption and is known as FIPS 140-2 Level 3.
IT and security managers also need to remember to control internal access.
As well as general encryption, SAN data can be broken down according to user constituencies, seniority and security clearance levels. That means HR people can’t get into the transactional files and vice versa. Similarly, certain functions, such as storage management, need to be locked down to a very few people.
The common denominator of SAN insecurity appears to be a lack of differentiation between network and storage security.
”The problem is that few IT professionals understand both security and storage,” says Jamie Gruener, an analyst with Yankee Group. ”People have expertise in one discipline or another, but there’s not much crossover.”
A combination of traditional security measures, coupled with policy and encryption safeguards is the key. If storage professionals assume that SAN data will eventually get into the wrong hands, no matter how good the perimeter defenses, they will gain a better understanding of the steps that need to be taken to safeguard their SANs.