Time to focus on storage

IT security has long been the focus of corporate attention, while storage security has been, perhaps unnoticeably, absent from the limelight. So it might come as a surprise to find that the data held in storage environments is often left vulnerable simply because security in this area is so often overlooked.

Indeed, a report last year from industry researcher Enterprise Strategy Group (ESG) on organisations with revenues of between £30 million and £3 billion concluded that storage security remains an exposed island, outside of mainstream security activities.

The company found that 30 per cent of storage professionals who responded said that their organisational security policies and procedures do not include storage technologies.

This rather alarming mindset could be due in part to the fact that storage, in some shape or form, has always been an inherent part of IT, even before the days of networks and internet connectivity, and has grown, little by little, as the business has grown.

But storage itself has also evolved over the years, and operates in varying degrees of complexity, which might not always be comprehended by those signing off the security budget.

Back in the days before the dawn of modern computing, technology for external data archiving, backup and restoring was directly attached to the computer system. If you needed more storage, you simply stuck another server with a big disk drive in it onto your mainframe or network. Indeed, because it is so old school and obvious, Direct Attached Storage (DAS) is still very much the storage choice today.

However, over the years we have come to realise that this model is inefficient in terms of how best to use space, while it required a lot of time, effort and people to keep it ticking over.

The modern, data-dense landscape of today, with its proliferation of online information that needs to be accessible 24x7, demands much more efficient technologies that can be better integrated with business processes. This paved the way for two networked storage models – Network Attached Storage (NAS) and Storage Area Networks (SANs) – which evolved out of necessity, because all companies in the information age, big or small, need to invest in some form of storage for their data.

As Trevor Eddells, storage analyst for research firm Xephon, says: "You need storage in the business today, because you need to make sure that the information you have today is still there tomorrow."

But this evolution in storage also introduced additional levels of complexity, in securely archiving and making accessible this data.

As John Vitkus, IBM's global program director for Linux in the Financial Services Sector, puts it: "Storage is the currency of the digital economy; you cannot work without data. It needs to be protected, saved, made resilient against disaster, and available when you need it." And it is this necessity which naturally introduces specific security needs into the storage equation.

"Just because storage sits behind firewalls, networks, and servers doesn't mean it is safe," warns Jon Oltsik, senior analyst at ESG. "This type of thinking is not only outdated, it is also dangerous. Most companies now have vulnerable storage networks that are accessible to many employees and can be managed over the internet. A malevolent individual with the right skills could easily interrupt business operations or steal intellectual property resulting in millions of dollars of damage from a single event."

According to ESG's research, seven per cent of organisations have experienced a storage security breach, while another 20 per cent did not know or could not tell if they had experienced a storage security breach. Furthermore, security breaches were widespread, impacting firms of all sizes regardless of their overall security commitments.

But in today's highly regulated and compliance-intensive industry, European companies are now obliged to archive and maintain specific data for certain periods of time under legislation such as Sarbanes-Oxley and Basel II – a scenario that is expected to drive the uptake of storage security, just as the uptake of networked storage is being driven by the convergence of enabling technologies and the need for increased and more capable storage.

In a nutshell, while it has always been bad for business not to secure the organisation's data, it is now potentially illegal to fail to do so, whether deliberately or through negligence. The information managed in your storage network is highly sensitive and must be controlled to properly ensure confidentiality, integrity, and availability.

Essentially, this concept is no different than other IT infrastructures, and it is quite possible you can simply augment your current corporate security policy to include storage-specific security items.

But the enterprise should also be taking steps to develop comprehensive strategies to optimise network infrastructure with secure storage solutions.

Storage vendor Brocade places the blame for some of the worse storage security howlers on inappropriate access to SAN configurations, such as changes made to zoning information that allow access to storage and read/write capabilities to data; changes to security and access control policies, allowing unauthorised servers or switches to gain access to the SAN; and exposed network admin passwords allowing unintended individuals to access the SAN in the role of administrator.

Meanwhile, potential threats to your storage infrastructure from the outside are the inappropriate use of resources through Denial of Service (DoS) attacks, and use of a compromised dual-homed host with a Host Bus Adapter (HBA) to read, store, or distribute SAN files.

To secure your SAN, experts recommend the use of zoning, a feature offered by some, but not all, switch vendors. It enables you to automatically or dynamically arrange fabric-connected devices into logical groups or zones across the physical configuration of the fabric, with data access restricted to only the specified member devices in the defined zone.

Flexibility is then increased by making individual devices members of more than one zone. This approach enables the secure sharing of your storage resources, while helping you simplify management of heterogeneous fabrics, maximise storage resources, and segregate storage traffic.

Expanding on this is the introduction of a secure fabric operating system as a complementary feature to zoning, although only offered so far by a few switch vendors.

Secure fabric operating systems allow you to offer policy-based security on your SAN, enabling you to customise security to your needs and block unauthorised fabric-wide management changes and fabric setting changes, as well as helping to control server-to-fabric connections, and prevent users from arbitrarily adding switches to a fabric, while protecting communication between switches and management consoles.

Moreover, there are a number of basic rules you should follow when deploying any storage technology over an iSCSI interface. Used separately, these might not provide much of an obstacle, but together, and combined with other security policies, they should provide a comprehensive defence against attack.

Use access control lists (ACLs) to limit who can see what in the storage network, and better still, use a unique initiator name for each iSCSI host bus adapter, rather than just an IP address.

Next, use a strong authentication protocol such as CHAP, maybe combined with an authentication tool such as RADIUS for further protection, and to limit the usage to legitimate administrators.

On this topic, you should always make sure to lock down the interfaces on management consoles for the storage software. This includes changing default passwords and deleting surplus accounts, as well as securing remote login options. All this sounds obvious, but sometimes one of these points slips through, and that mistake lets intruders slip through.

You should also consider some form of disk encryption. Just because data is not being used, does not mean that it's not vulnerable. Available options here give you the opportunity to implement encryption at different stages, such as on the client, network, or storage system.

Encryption could also be implemented on all iSCSI network traffic leaving the secure network, using the IPsec protocol, although your network must be able to support the additional overhead required for such a bandwidth-intensive task.

Naturally, when the data is in transit on the network, you should also be guarding against all the threats typical to the IP network, although the chances are that this type of network security is more at the forefront of your planning.

In a nutshell, although NAS elements are advertised purely as storage devices, they all incorporate an integrated file server to archive the data using a standard access method to make it accessible to users. And of course, as with any file server, there are security issues related to controlling this access and protecting the data, either in the storage device itself or as it moves between the client and the storage device.

So what are the storage vendors doing? They have identified several goals for improving their storage solutions, including increased security from both physical and virtual attacks; and better business continuity and disaster recovery in the event of a security or other disaster.

The inherent benefit of networked storage is that it can be used to mirror and replicate data, enabling improved availability in almost all circumstances with no single point-of-failure.

Ultimately, if something does go wrong due to an attack or failure, what is crucial to your company's survival is the time it takes to get back on its feet. Figures from the Strategic Research Institute reveal that companies that are not able to resume operations within ten days of a disaster hit are not likely to survive.

According to Jon Collins, analyst at research house Quocirca, businesses should have an availability guarantee. And isn't that what storage should be all about – availability?