Heeding the call for networked storage security
- 13 August, 2003 15:53
Network executives face the same challenges securing storage networks as they do enterprise data infrastructures — keeping corporate information safe without slowing application performance or adding management complexity. The problem is, the range of security options isn’t nearly as wide for storage as it is for corporate networks.
Storage networks link disk arrays so that multiple applications or servers can reach the same data and share unused capacity more easily than when disks attach directly to a single server. However, as storage-area networks (SAN) and network-attached storage proliferate, security becomes a real problem. This is especially the case as more customers use IP to link storage devices instead of, or in addition to, the Fibre Channel protocol customarily used in SANs, which is regarded as more secure chiefly because it normally runs on a dedicated fabric isolated from the corporate IP network.
“The prevailing perception is that because my [SAN] is behind my firewall it’s safe and I don’t have to worry about it,” president and CEO of US-based storage management company Contoural, Mark Diamond, said.
The problem with that, he said, was that a SAN had many more entry points than direct-attached storage.
Relatively few products are designed purely to secure networked storage. This leaves most users relying on the security capabilities found in storage management software from hardware vendors such as Brocade Communications Systems, EMC and McData or in storage-management tools from vendors such as FalconStor Software.
Given this, analysts recommend looking for storage-management tools that support current security standards, such as IP Security (IPSec), Remote Authentication Dial-In User Service (RADIUS) and SNMP Version 3 (SNMPv3), and emerging standards, such as the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP). With IPSec, which the Internet Engineering Task Force requires IP storage protocols such as iSCSI to support in order to be considered standards-compliant, users can add encryption and authentication to IP storage networks.
RADIUS can provide a foundation for role-based security through a central database of user access information, and SNMPv3 adds authentication and encryption to the management and troubleshooting traffic exchanged with storage devices. DH-CHAP, when it is finalised later this year, will let Fibre Channel storage devices, switches and managers verify one another's identity before they are allowed onto the fabric.
Security standards in storage tools
Storage vendors offer a mixed bag when it comes to support for such standards.
McData said it would support third-party implementations of IPSec when it ships its first IP storage products later this year, with native IPSec support coming next year. In its SANtegrity security suite, McData supports RADIUS now and said it would add support for SNMPv3 and DH-CHAP later this year. In the meantime, Brocade’s Secure Fabric operating system now supports IPSec and will add support for DH-CHAP, RADIUS and SNMPv3 in the second half of the year. EMC does not support any of these standards in ControlCenter; FalconStor’s IPStor software supports IPSec but not RADIUS. Support for SNMPv3 and DH-CHAP will follow as they are finalised, FalconStor said.
Regardless of which security standards they use, most storage-management tool vendors support logical unit number (LUN) masking, which controls which logical storage volumes a given application or server can see; and zoning, which organises the devices on a storage network into logical groups similar to a virtual LAN. Some also support port binding, a relatively new technique that uses access control lists to determine which devices can attach to which switch ports.
While such functions don't encrypt data, they narrow what each host and port can reach, so a configuration mistake or a compromised server exposes less of the storage network. That helps keep storage networks secure, according to the US-based Storage Networking Industry Association (SNIA). In a report released in January, the SNIA said the complexity of storage networks made configuration mistakes the No. 1 security threat for most network storage users.
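To make the three controls concrete, the following added example (not from the article or any vendor) models port binding, zoning and LUN masking as layered checks, then audits the fabric for the kind of configuration mistakes the SNIA report points to. The WWPNs, switch ports, zones and LUN assignments are constructed for illustration; the audit rules (single-initiator zones, no LUN presented to two hosts, no mask entry for an unzoned host) are common practice, not a vendor's product logic.

```python
"""Model of the three SAN access controls described above (port binding,
zoning, LUN masking) plus an audit for common misconfigurations.
The fabric below is constructed for illustration; it is not a vendor's config."""
from dataclasses import dataclass
from typing import Dict, List, Set

WWPN = str  # World Wide Port Name, e.g. "20:00:00:11:22:33:44:55"

# Constructed identities for the example fabric.
HOST_A = "21:00:00:e0:8b:00:00:0a"
HOST_B = "21:00:00:e0:8b:00:00:0b"
HOST_C = "21:00:00:e0:8b:00:00:0c"
HOST_D = "21:00:00:e0:8b:00:00:0d"  # decommissioned host, still in a mask
ARRAY = "50:06:01:60:00:00:00:01"


@dataclass
class Fabric:
    port_binding: Dict[str, WWPN]                 # switch port -> only WWPN allowed to log in there
    zones: Dict[str, Set[WWPN]]                   # zone name -> WWPNs that may talk to each other
    lun_masks: Dict[WWPN, Dict[WWPN, Set[int]]]   # target -> initiator -> LUNs it may see

    def targets(self) -> Set[WWPN]:
        # Anything that presents LUNs is a target; everything else is an initiator.
        return set(self.lun_masks)

    def zoned_together(self, a: WWPN, b: WWPN) -> bool:
        return any(a in z and b in z for z in self.zones.values())


def example_fabric() -> Fabric:
    return Fabric(
        port_binding={"sw1/1": HOST_A, "sw1/2": HOST_B, "sw1/3": HOST_C, "sw1/9": ARRAY},
        zones={
            "z_hostA_array": {HOST_A, ARRAY},
            "z_hostB_array": {HOST_B, ARRAY},
            "z_cluster": {HOST_B, HOST_C, ARRAY},   # mistake: two initiators in one zone
        },
        # mistakes: LUN 2 presented to two hosts; HOST_D is masked but no longer zoned
        lun_masks={ARRAY: {HOST_A: {0, 1}, HOST_B: {2}, HOST_C: {2}, HOST_D: {3}}},
    )


def can_access(f: Fabric, port: str, initiator: WWPN, target: WWPN, lun: int) -> bool:
    """An I/O is allowed only if every layer allows it."""
    if f.port_binding.get(port) != initiator:
        return False          # binding: this WWPN is not the one bound to the switch port
    if not f.zoned_together(initiator, target):
        return False          # zoning: no shared zone, so no path through the fabric
    return lun in f.lun_masks.get(target, {}).get(initiator, set())  # masking


def audit(f: Fabric) -> List[str]:
    """Flag configurations the controls permit but an operator almost never intends."""
    findings: List[str] = []
    for name, members in f.zones.items():
        initiators = members - f.targets()
        if len(initiators) > 1:
            findings.append(f"zone {name}: {len(initiators)} initiators; prefer single-initiator zones")
    for target, masks in f.lun_masks.items():
        hosts_per_lun: Dict[int, Set[WWPN]] = {}
        for host, luns in masks.items():
            if not f.zoned_together(host, target):
                findings.append(f"{target}: LUNs {sorted(luns)} masked to {host}, "
                                f"which shares no zone with it (stale entry)")
            for lun in luns:
                hosts_per_lun.setdefault(lun, set()).add(host)
        for lun, hosts in sorted(hosts_per_lun.items()):
            if len(hosts) > 1:
                findings.append(f"{target}: LUN {lun} presented to {len(hosts)} hosts {sorted(hosts)}")
    return findings


if __name__ == "__main__":
    f = example_fabric()
    print(can_access(f, "sw1/1", HOST_A, ARRAY, 0))   # True
    print(can_access(f, "sw1/1", HOST_A, ARRAY, 2))   # False: LUN 2 is masked away from HOST_A
    print(can_access(f, "sw1/2", HOST_A, ARRAY, 0))   # False: HOST_A's WWPN spoofed on HOST_B's port
    for line in audit(f):
        print(line)
```

The third call is the reason port binding matters: zoning and masking key on the WWPN, which a host can change, so a spoofed WWPN passes both; binding ties the WWPN to a physical port and refuses the login. The audit does not find anything the controls forbid, only what they allow by accident, which is exactly the class of error the SNIA report ranks first.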
Unencrypted stored data is another big security weakness. At any time, 98 per cent of corporate data is not in transit over a network but at rest on disk or tape devices, a senior analyst at Enterprise Storage Group, Steve Duplessie, said. If it isn’t encrypted, that data “sits there like a big, fat elephant waiting to be shot,” he said.
That reality has turned encryption of data in disk drives or on tape back-up systems into a storage security hot spot. Storage vendors can provide encryption on the server, on the host bus adapters that link the server to the storage network, on the client, or in a standalone appliance.
At SwapDrive, a US-based online back-up company, customers were swayed only slightly by assurances from the company that it had great physical security and thorough security policies, CEO, David Steinberg, said.
To them the lack of encryption meant “we had a hole in our system”, he said.
To fix that "hole", SwapDrive used Decru's DataFort E440 storage security appliance to encrypt customer data as it moves from SwapDrive's servers to a third-party managed storage service environment, where it remains encrypted until the customer retrieves it. SwapDrive chose a standalone appliance rather than having customers manage their own encryption keys and passwords, which it would have needed to do if it had pushed encryption software down to client machines.
An appliance also minimised any performance hit to the network and applications, Steinberg said.
Standalone storage encryption products also help customers split responsibility between the group that manages storage and the group that manages storage security. This division of labour reduces the chance of somebody misusing legitimate access rights to steal or sabotage data.
It also allows the outsourcing of data management while keeping security in-house, director of product marketing at Decru, Andy Salo, said.
Other storage security appliances combine encryption with additional security features. NeoScale Systems’ CryptoStor FC provides encryption and centralised policy management, while the CryptoStor for Tape appliance, in beta testing, will do the same for tape systems. And the as-yet-unnamed Vormetric appliance due out in mid-April would combine encryption, authentication and fine-grained access control capabilities, according to David Tang, the company’s vice-president of marketing and business development.
Over time, vendors would incorporate encryption and other such security features into storage switches, tape drives and drive arrays, predicted Mike Alvarado, chair of the SNIA’s Storage Security Industry Forum, a group that intends to lobby vendors for improved security in networked storage products.
Ultimately, users would have a full complement of storage security appliances and integrated security functions from which to choose, Alvarado said. But for now, some storage vendors contend that integrated encryption isn't necessary.
Director of storage networks for EMC, Paul Ross, said a lack of customer demand was the reason that the vendor didn’t offer encryption.
Some vendors say they hope to fight the storage security threat with authentication protocols and products that verify the identity of a switch, a drive array, a storage manager or anyone else before allowing network access. DH-CHAP, due out this year, will provide such authentication capabilities. DH-CHAP will be a mandatory part of the Fibre Channel Security Protocols (FC-SP) standard under development at the ANSI-accredited T11 committee. McData recently demonstrated the use of security protocols such as DH-CHAP to authenticate users across its own and other vendors' switches.
While DH-CHAP was aimed at Fibre Channel storage networks, IPSec can provide authentication and encryption capabilities for users building IP storage networks, senior manager of technical marketing with Cisco’s Storage Technology Group, Tom Nosella, said.
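The DH-CHAP exchange described above, as an added example that is not from the article, McData or the FC-SP specification: two switches each hold their own CHAP secret and know the secrets of the peers they will admit, the initiator sends a challenge together with an ephemeral Diffie-Hellman value, and the responder's answer hashes the challenge, its secret and the Diffie-Hellman shared value together, so the reply proves possession of the secret, cannot be replayed into another session, and leaves both sides with a key they can use to protect later traffic. The message field names, the use of SHA-256 and the choice of DH group are assumptions of this model, not the FC-SP wire encoding; the prime is the 1024-bit MODP group of RFC 2409 (group 2), of the size FC-SP's DH groups use.

```python
"""Model of a DH-CHAP exchange between two Fibre Channel entities (two switches).
Field names, SHA-256 and the DH group are assumptions of this model, not FC-SP's encoding."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (group 2); FC-SP's DH groups are of this size and larger.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Entity:
    """A switch/HBA/array: holds its own DH-CHAP secret and the secrets of the peers
    it will authenticate (in a real fabric these come from local config or RADIUS)."""

    def __init__(self, name: str, own_secret: bytes, peer_secrets: dict):
        self.name, self.own_secret, self.peer_secrets = name, own_secret, peer_secrets
        self.session_key = None

    # Initiator: the challenge carries a fresh nonce C1 and an ephemeral DH value g^x.
    def challenge(self) -> dict:
        self._x = secrets.randbelow(P - 2) + 1
        self._c1 = secrets.token_bytes(16)
        return {"name": self.name, "c1": self._c1, "gx": pow(G, self._x, P)}

    # Responder: R1 binds C1, the responder's secret and g^xy; the reply also carries
    # g^y and a challenge C2 of its own so the initiator must authenticate too.
    def reply(self, chal: dict) -> dict:
        y = secrets.randbelow(P - 2) + 1
        self._k = pow(chal["gx"], y, P)
        self._c2 = secrets.token_bytes(16)
        r1 = H(chal["c1"], self.own_secret, i2b(self._k))
        return {"name": self.name, "r1": r1, "gy": pow(G, y, P), "c2": self._c2}

    # Initiator: recompute R1 with the responder's secret; on success answer C2.
    def verify_reply(self, rep: dict) -> dict:
        k = pow(rep["gy"], self._x, P)
        expected = H(self._c1, self.peer_secrets[rep["name"]], i2b(k))
        if not hmac.compare_digest(expected, rep["r1"]):
            raise PermissionError(f"{rep['name']} failed DH-CHAP authentication")
        self.session_key = H(b"dhchap-session", i2b(k))
        return {"name": self.name, "r2": H(rep["c2"], self.own_secret, i2b(k))}

    # Responder: recompute R2 with the initiator's secret.
    def verify_success(self, suc: dict) -> None:
        expected = H(self._c2, self.peer_secrets[suc["name"]], i2b(self._k))
        if not hmac.compare_digest(expected, suc["r2"]):
            raise PermissionError(f"{suc['name']} failed DH-CHAP authentication")
        self.session_key = H(b"dhchap-session", i2b(self._k))


def run_exchange(initiator: Entity, responder: Entity) -> bool:
    """Full bidirectional exchange; True if both sides accept and derive the same key."""
    chal = initiator.challenge()
    rep = responder.reply(chal)
    suc = initiator.verify_reply(rep)      # raises if the responder is not who it claims
    responder.verify_success(suc)          # raises if the initiator is not who it claims
    return initiator.session_key == responder.session_key


def demo() -> dict:
    sw1 = Entity("sw1", b"sw1-secret", {"sw2": b"sw2-secret"})   # constructed secrets
    sw2 = Entity("sw2", b"sw2-secret", {"sw1": b"sw1-secret"})
    results = {"genuine": run_exchange(sw1, sw2)}
    # A rogue switch that claims sw2's name but lacks sw2's secret is refused.
    rogue = Entity("sw2", b"guessed", {"sw1": b"sw1-secret"})
    try:
        run_exchange(sw1, rogue)
        results["rogue_rejected"] = False
    except PermissionError:
        results["rogue_rejected"] = True
    # Replaying a captured reply into a new session fails: the new session has a
    # fresh C1 and x, so the old R1 no longer matches.
    captured = sw2.reply(sw1.challenge())
    sw1.challenge()
    try:
        sw1.verify_reply(captured)
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'rogue_rejected': True, 'replay_rejected': True}
```

With the DH group set to NULL (no g^x, g^y), the exchange collapses to ordinary CHAP: R1 is just a hash of challenge and secret, which still resists replay but yields no key for protecting the traffic that follows. The Diffie-Hellman value is what lets a switch pair go from "I know who you are" to "and here is a key only we share".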
Beyond tools, network storage managers need to develop the same kind of threat assessment and auditing processes they have in place for enterprise data networks, industry experts say.
Among other steps, storage managers should consult with their corporate or legal audit staffs to determine what legal or regulatory security requirements they face, Alvarado said.
“When people implemented network security, they didn’t say ‘Let’s look at the vulnerabilities and let’s protect them,’” Contoural’s Diamond said. “People did threat-assessment models, and got a lot of experience (in what worked and what didn’t). A lot of that work hasn’t been done for storage security.”