Indeed, a report from industry researcher, Enterprise Strategy Group (ESG), carried out last year with organizations with revenues of between US$50 million to US$5 billion, concluded that storage security remains an exposed island, outside of mainstream security activities. The company found that 30% of storage professionals who responded said that organizational security policies and procedures do not include storage technologies.
The forgotten vulnerability
This mindset could be due in part to the fact that storage, in some shape or form, has always been an inherent part of IT, even before the days of networks and internet connectivity, and has grown, little by little, as the business has grown. But storage itself has also evolved over the years, and exists in place in varying degrees of complexity, which may not always be comprehended by those signing off the security budget.
Back in the days before the dawn of modern computing, technology for external data archiving, backup and restoring was directly attached to the computer system. More storage meant sticking another server with a big disk drive in it on your mainframe or network, and because it's old school and obvious, Direct Attached Storage (DAS) is still very much the storage choice of today. But over the years we have come to realize that this model is inefficient in terms of space usage and required a lot of time, effort and people to keep it ticking over.
Today's modern and data-dense landscape, with its proliferation of online data that needs to be accessible 24x7, demands much more efficient technologies that can be better integrated with business processes. This paved the way for two networked storage models, Network Attached Storage (NAS) and Storage Area Networks (SANs) -- technologies evolved out of necessity, because all companies in the information age need to invest in some form of storage for their data. As Trevor Eddells, storage analyst for research firm Xephon, says, "You need storage in the business today, because you need to make sure that the information you have today is still there tomorrow."
Protect your data, protect your business
But this evolution in storage also introduced additional levels of complexity in securely archiving and making accessible this data. As John Vitkus, IBM's worldwide program director for Linux in the Financial Services Sector, puts it: "Storage is the currency of the digital economy. You can't work without data; data needs to be protected, saved, made resilient against disaster, and available when you need it." This necessity naturally introduces specific security needs into the storage equation.
"Just because storage sits behind firewalls, networks and servers doesn't mean it is safe," explains Jon Oltsik, senior analyst at ESG. "This type of thinking is not only outdated, it is also dangerous. Most companies now have vulnerable storage networks that are accessible to many employees and can be managed over the internet. A malevolent individual with the right skills could easily interrupt business operations or steal intellectual property resulting in millions of dollars of damage from a single event."
Rules and regulations
In today's highly regulated and compliance-intensive industry, European companies are now obliged to archive and maintain specific data for some periods of time under legislation such as Sarbanes-Oxley and Basel II -- a scenario that is expected to drive uptake of storage security, just as the uptake of networked storage is being driven by the convergence of enabling technologies and needs for increased and more capable storage. In a nutshell, while it has always been bad for business not to secure the company data, it is now potentially illegal to fail to do so, whether deliberately or through negligence. The data managed in your storage network is highly sensitive and must be controlled to properly ensure confidentiality, integrity and availability. Essentially, this concept is no different than other IT infrastructures, and it is quite possible you can simply augment your current corporate security policy to include storage-specific security items.
But the enterprise should also be taking steps to develop comprehensive strategies to optimize network infrastructure with secure storage solutions. Storage vendor Brocade identifies some of the major storage security misdemeanors as inappropriate access to SAN configurations, such as changes made to zoning information that allow access to storage and read/write capabilities to data; changes to security and access control policies allowing unauthorized servers or switches to gain access to the SAN; and exposed network administration passwords allowing unintended individuals to access the SAN in the role of administrator.
The security zone
To secure your SAN, experts recommend the use of zoning, a feature offered by some, but not all, switch vendors. It allows you to automatically or dynamically arrange fabric-connected devices into logical groups or zones across the physical configuration of the fabric, with information access restricted to only the specified member devices in the defined zone. Flexibility is then increased by making individual devices members of more than one zone. This approach enables the secure sharing of your storage resources, while helping you simplify management of heterogeneous fabrics, maximize storage resources and segregate storage traffic.
Expanding upon this is the introduction of a secure fabric operating system as a complementary feature to zoning, although only offered by a few switch vendors. Secure fabric operating systems allow you to offer policy-based security on your SAN, enabling you to customize security to your needs and block unauthorized fabric-wide management changes and fabric setting changes, as well as helping to control server-to-fabric connections, and prevent users from arbitrarily adding switches to a fabric, while protecting communication between switches and management consoles.
Rules to remember
Moreover, there are a number of basic rules you should follow when deploying any storage technology over an iSCSI interface. Used separately, these may not provide much of an obstacle, but together, and combined with other security policies, they should provide a comprehensive defense against attack. Use access control lists (ACLs) to limit who can see what in the storage network, and better still, use a unique initiator name for each iSCSI host bus adapter, rather than just an IP address.
Next, use a strong authentication protocol like CHAP, perhaps combined with an authentication tool such as RADIUS for even more protection and to limit the usage to legitimate administrators. On this topic, you should always make sure to lock down the interfaces on management consoles for the storage software. This includes changing default passwords and deleting surplus accounts, as well as securing remote login options.
You should also consider some form of disk encryption. Just because data is not being used, does not mean it's not vulnerable. Available options here give you the opportunity to implement encryption at different stages, such as on client, on network or on the storage system.
Encryption could also be implemented on all iSCSI network traffic leaving the secure network, using the IPsec protocol, although, your network must be able to support the additional overhead required for such a bandwidth intensive task. Naturally, when the data is in transit on the network, you should also be guarding against all the threats typical to the IP network, although the chances are this type of network security is more at the forefront of your planning.
In a nutshell, although NAS elements are advertised purely as storage devices, they all incorporate an integrated file server to archive the data using a standard access method to make it accessible to users. And as with any file server, there are, of course, security issues related to controlling this access and protecting the data, either in the storage device itself or as it moves between the client and the storage device.
What are the vendors doing?
For their part, storage vendors have identified several goals for improving their storage solutions, including increased security from both physical and virtual attacks; and better business continuity and disaster recovery in the event of a security or other disaster.
Ultimately, if something does go wrong, due to an attack or failure, it's all about how fast your company gets back on its feet that is crucial to survival. Figures from the Strategic Research Institute reveal that companies not able to resume operations within ten days (of a disaster hit) are not likely to survive. According to Jon Collins, analyst at research house Quocirca, businesses should have an availability guarentee, and that's what storage is all about, availability.