Cathy Gilbert at American Electric Powe isn't too worried about security on her 2-year-old storage-area network (SAN). There are "very few people in our building that would actually know what to do" to reconfigure her Fibre Channel SAN -- assuming they could reach it on its internal private network, which can be administered only from a locked room, says Gilbert, a senior IT architect at the Columbus, Ohio, energy producer.
She uses the built-in configuration capabilities of her EMC Corp. Symmetrix storage arrays, McData Corp. Intrepid Directors and McData Enterprise Fabric Connectivity Manager 6.0 software to control which servers can access which storage devices.
But protecting SANs will become more difficult, and more important, as customers begin deploying SANs more widely, to enable the money-saving consolidation of servers, applications and data. And as more SAN traffic migrates from the relatively unknown Fibre Channel protocol to IP, it will become vulnerable to the same well-known attacks used against the Internet and corporate networks.
A recent survey of IT professionals by InfoWorld, a sister publication of Computerworld, found that security is a source of anxiety when it comes to SANs. Fifty-six percent of the 123 survey respondents who have implemented a SAN -- or are planning to -- said they're concerned about security. And 63 percent of the respondents indicated that "improving security through storage centralization" was a factor in implementing a SAN in the first place.
"Like any security, it's something we have to take seriously," says Akhbar Tajudeen, IT director at Alloy Inc., a New York-based marketing company. "We are identifying issues that may not be a problem now but may be a problem two months from now."
Vendors are planning more sophisticated tools such as advanced forms of storage "zoning" and the use of key-based authentication to create "trusted" switches and administrators. Another item on the agenda is the encryption of management traffic.
But how can corporate storage managers prepare for the looming security issues? They can audit their management and configuration policies to ensure that overzealous administrators don't inadvertently cripple their SANs. And they can figure out how to explain SAN security issues to department heads, chief financial officers and security auditors.
With most SANs in relatively small-scale use, many customers can still handle security concerns with common storage management techniques.
One technique is Logical Unit Number (LUN) masking, which limits the logical units of storage (such as volume on a disk) that each server can access. Another is zoning, which divides a SAN into areas where only specified devices (such as hosts, switches and storage arrays) can communicate with one another. In zoning, a device may be identified by its port number or by its World Wide Name (WWN), a unique 64-bit number assigned to each device that's roughly comparable to the Media Access Control address for devices on a data network. And port-type configuration restricts the ability of switches on a port to configure other switches or ports, making it harder for a hacker (or an overzealous administrator) to destabilize the storage fabric by adding devices.
Tajudeen is using IPStor from FalconStor Software Inc. in Melville, N.Y., to link Alloy's 3TB Fibre Channel SAN to its IP-based Ethernet corporate network. Since the storage and corporate networks run on separate network segments, "it would be practically impossible" for a hacker to bridge the two, he says.
Tajudeen says he's more concerned with mistakes, such as an administrator assigning the wrong storage volumes to a host or "removing a client accidentally from the storage that has been assigned to it."
Once you begin attaching multiple systems to a SAN, a key security issue is to make sure those systems don't get in each other's way, says Scott Robinson, chief technical officer at Datalink Corp., a Minneapolis-based firm that designs and implements storage systems.
Simply tracking down and solving such problems is difficult using the different management applications now needed to manage each vendor's products, says Tajudeen, which is why he likes IPStor's single management interface. The complexity of a SAN also makes it important to maintain good change management policies, he says, so the storage staff can easily determine which changes in zoning, or LUN masking, caused a conflict.
SAN security will become a larger problem as companies cut costs by forcing different departments to share storage networks, says Wayne Lam, vice president at FalconStor. In most companies, IT managers from one department don't have the authority to manage data from other departments. But companies often need to commingle data from multiple departments on a single SAN to drive down their storage costs. "You can't afford to have five islands of SANs," he says.
The need for more granular control over who can manage which portions of a SAN is one of the features customers ask for most frequently, says Kamy Kavianian, a product marketing director at Brocade Communications Systems Inc. in San Jose. He says customers also need the following:
-- Stronger authentication to verify the identities of both administrators and devices.
-- The ability to use a wider variety of methods, such as Telnet and Simple Network Management Protocol, to manage SANs.
-- Encryption to protect SAN data from eavesdropping if it crosses public networks such as the Internet.
Authentication -- the ability to prove the identity of a person or device -- becomes crucial as more users are able to tap into SANs and as data from more sources is commingled in corporate storage networks. Spoofing the identity of a person, or even of a device such as a host bus adapter, is a real threat, Lam says.
Spoofing the identity of a device should be impossible because manufacturers give each device a unique WWN that identifies it to other parts of the storage network, says Lam. But manufacturers deliberately let customers change the WWN through an upgrade to the firmware in the device, he says. That makes it easier, for example, for a customer to replace a switch in a storage network without having to update every device that communicates with that switch's new WWN.
Many vendors are planning key-based authentication to create "trusted" administrators with the authority to manage only a subset, such as a zone, of a corporate SAN. This might be overkill in small environments such as Alloy's, but Tajudeen says, "I could see it being an issue if you have a larger set of administrators."
Encryption may increase in importance as more SAN data migrates from Fibre Channel to IP and as storage over IP allows data to travel farther outside the data center than is possible with Fibre Channel. "It is nice to have certain types of data encrypted," says Tajudeen, but only if the encryption isn't too expensive and doesn't exact too much of a toll on performance.
Building the Business Case
Storage managers must also get ready to explain the intricacies of SAN security to their less-technical peers, says John Webster, a senior analyst at Data Mobility Group Inc. in Nashua, N.H. Some pioneers looking to consolidate corporate data on SANs are facing tough questions from department heads worried about how their data will be kept separate from data generated by other business units, and from chief security officers worried about whether the SAN will be secure from outside threats.
First, "you've got to figure out how, or if, you can overcome" such objections, says Webster, and be prepared to defend your plan in understandable terms. "If you're not prepared to answer them, you can be in trouble," he says.
Scheier is a freelance writer in Boylston, Mass. He can be reached at email@example.com.
SAN Security Glossary
Fabric: The hardware and software that connect a network of storage devices to one another, to servers and eventually to clients.
LUN masking: Using the Logical Unit Number (LUN) of a storage device, or a portion of a storage device, to determine which storage resources a server or host may see.
Port: A physical connection on a storage switch that links that switch to storage devices, servers or other switches. Many SAN security techniques limit which devices a port can connect to or the manner in which it connects to those devices.
Spoofing: Impersonating the identity of an individual (such as a storage administrator) or of a device (such as a storage switch) to gain unauthorized access to a storage resource.
Trusted switch: A switch within a storage network that uses a digital certificate, key or other mechanism to prove its identity.
VSAN: A virtual SAN, which functions like a zone but uses a different layer of the Fibre Channel protocol to enforce which devices in the fabric can speak to other devices.
World Wide Name: A unique numeric identifier for a device on a storage network, such as a disk array or a switch.
Zone: A collection of Fibre Channel device ports that are permitted to communicate with each other via a Fibre Channel fabric.