Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

Storage and Security: Ever the Twain Shall Meet?

http://www.wwpi.com/index.php?option=com_content&view=article&id=9061:storage-and-security-ever-the-twain-shall-meet&catid=99:cover-story&Itemid=2701018

Since the early days of storage-based networking, experts have sounded warnings about the need for greater cooperation between the storage and security groups within an organization. Historically there have been virtual (mostly organizational or political) walls between the two groups with security focused primarily on issues like network threat detection and prevention and end-point protection (e.g. access control, anti-viruses and -malware on systems), while storage happily existed independently in its own SAN island. While some voices sounded alarms about the potential threats, such as a bad actor wreaking havoc via SAN intrusion and tampering with centralized storage arrays, few took any special action beyond perhaps tightening password security on SAN and storage infrastructure.

Then, several years ago, data breeches became a hot news item shining the light of public scrutiny on the ramifications of stolen notebook computers and lost backup tapes. Suddenly, it seemed there were almost weekly reports in the technology trade press of new incidents of data risk through lost media or accidental exposure. Encryption became the watchword of the day, and it was widely anticipated that data-at-rest encryption would become a standard practice as enterprises sought to protect their data. At the very least, mobile media such as tape would be encrypted before being sent offsite.

While offsite tape encryption was adopted by some and came to be considered a best practice, it is far from a standard practice. Instead, the growing adoption of disk-based backup, made affordable by deduplication, caused many organizations to choose to minimize their exposure by reducing or eliminating removable media, thus side-stepping – to a degree – the media-encryption issue. Still, others have simply chosen to continue to live with the risk.

Security Exposure

However, the fact is that while mobile media – whether tape cartridges being shipped offsite or disk drives inside a laptop – represent a significant security exposure, data residing on drives within the data center can also be at risk to a number of threats both intentional and accidental. While there are data access controls regularly assigned and managed at the host operating system level, many organizations lack a coordinated strategy when it comes to storage security. An effective security strategy should address protecting data at multiple levels – host, network, and disk – and for multiple usage scenarios.

Since host protection is relatively well understood within most organizations, I won’t dwell on it here other than to mention the need to control host access to SAN and storage devices. These devices can potentially be managed both in-band (e.g., fibre channel) and out-of-band (e.g., LAN), and it is important to ensure that management access via either method is restricted to designated management devices and authorized users.

While LANs and WANs are typically subject to intense scrutiny by both network and security teams, the fibre channel SAN often receives much less attention when it comes to security. This is largely due to two factors. First, unlike the ubiquitous TCP/IP protocol of the LAN environment, enterprise SANs predominantly run over the much less familiar Fibre Channel protocol, offering a false level of comfort or what some have termed “security by obscurity”. While security experts have spent decades developing skills and best practices regarding LAN and WAN security, relatively speaking, the SAN is still the “new kid on the block”.

The second factor is organizational: SANs are typically managed by the storage team rather than the networking team. This has several ramifications, including the fact that storage administrators tend to be more focused on issues relating to performance and availability. These are areas that are of primary concern to their users, and as a result, security becomes at best a lower priority item, or at worst an impediment to addressing these higher order needs.

Addressing Storage Security

This mindset naturally extends beyond the SAN to the management of storage arrays themselves. This becomes evident in the establishment of storage service tiers where the dominant concerns again are performance and availability with minimal attention to potential differentiation of security requirements across tiers. In actuality, there can be significantly different requirements between the storage security needs of, say, a production environment versus a development sandbox. Yet in many cases, they may end up sharing common ports on a storage array. This is not necessarily by design or carelessness, but simply by lack of appropriate policy and process resulting from the fact that security considerations were not formulated into the requirements.

The first step to addressing storage security is simply to start making it a priority. There are guidelines available, including simply adopting security best practices from organizations like the National Institute of Standards and Technology (NIST) that may already be practiced within the server and network environments to the storage realm. For a more storage-focused approach to security, the Storage Networking Industry Association (SNIA) has published a Technical Proposal called Storage Security Best Current Practices that has been endorsed by the not-for-profit Trusted Computing Group (available at http://www.trustedcomputinggroup.org/resources/storage_security_best_current_practices). This paper provides a comprehensive set of guidelines for general security management of storage, as well as specific technology areas, including NAS, block-based IP storage and fibre channel, and can serve as an excellent basis for an assessment of current security capabilities.

Another important step is to begin to apply networking security monitoring and management practices to the storage network. Some network monitoring and management suites offer SAN support and certainly logging and event correlation tools that play an important role in threat identification and analysis can be applied to storage networking devices. This will likely become an even greater imperative as networking transports and protocols converge in the growing adoption of 10 Gb Ethernet for both LAN and SAN traffic in conjunction with iSCSI and FCoE.

A third area of focus is to establish a formal security plan for data at rest. Beyond tapes and laptops, another well-publicized area of data leakage has been through discarded disk drives showing up on the secondary market (think eBay). Far more likely is lurking risk of exposure and misuse of sensitive information internally either maliciously or accidentally. Addressing these issues requires both policy and process, but can be aided by technology. Encryption capabilities are broadly available at the host, network, and storage levels that can assist in implementing data-at-rest security policies. Disk drive manufacturers, including enterprise-class drive producers like Seagate and Hitachi, now offer self-encrypting drives and advanced features like the ability to quickly cryptographically erase disks and automatically lock them on removal from a system.

Clearly, there are differing orders of needs for storage security depending on organization type, and not all features and capabilities are appropriate for all situations. Industries like defense and finance have traditionally been highly security conscious and have evolved mature practices. However, in other types of organizations, there is a danger of complacency – because storage security concerns are not so obvious they have received little attention. The reality is that the world is changing and data breeches – even relatively low order ones – can have a much more significant business impact than was previously thought possible. The impact of rapidly growing technologies like virtualization and cloud simply expands the potential risk profile, and the implication for data storage security in such scenarios needs to become a higher priority.

In the past, addressing “one-off” security concerns, such as off-site tapes, in a check-list manner may have been sufficient. Today, it’s not just about avoiding an embarrassing newspaper article. It’s really about ensuring the ability to continue to operate and function as an organization. This requires a strategic approach.