One of my guilty pleasures is watching the postgame interviews after a professional baseball or football event to see how many sports cliches a single athlete can weave into a single interview, such as, "We take it one game at a time," "It was a team effort," "Ya gotta give the other guys a lot of credit," and, my personal favorite (usually heard after a loss), "We just need to stick to the fundamentals." Like most cliches, of course, each carries a measure of truth, and in particular, it is easy to run into problems if you ignore the basics.
In storage, there is a fundamental gap when it comes to security. For years, storage and security groups behaved like they were in separate worlds and had little to do with each other. Storage groups focused on issues like making storage-area networks (SAN) and backups work, while the security team was dealing with the challenges of intrusion protection, viruses, malware and the like. This began to change early last year, when various highly publicized cases of lost backup media resulted in a sudden focus on data encryption.
While encryption is a very important element, it is really only one piece of an overall storage security strategy. There are a number of fundamental security considerations that are regularly applied to traditional networks and servers but are often overlooked in Fibre Channel storage networks. Here is a brief checklist of some of those basic items:
-- Good password practices: Are default passwords to storage switches being used?
-- Access controls: Are the role-based functions provided by switch vendors implemented, or does everyone have administrative or root access?
-- Secure management interfaces: Are the access consoles to storage arrays and SAN devices on the public network, or can management elements of an array be accessed in-band through any connection on the SAN?
-- Audit trails: Can you tell specifically who made changes and when? Is this history maintained?
-- Review and harden all zoning: What type of zoning are you using? Can World Wide Names be spoofed by someone with malicious intent?
None of the items listed here are new to the world of networking, but they are often overlooked in storage networking. If you are trying to address security holes in the storage infrastructure, basic networking best practices would be a good place to start.
Jim Damoulakis is chief technology officer of GlassHouse Technologies, a leading provider of independent storage services. He can be reached at firstname.lastname@example.org.