Storage systems weren't designed with security in mind. They started out as direct-attached, so if the host was secure, the storage was too. That's all changed.
Fibre Channel storage networks often have multiple switches and IP gateways, allowing access from a myriad of points. Compound this with poor work by systems administrators, new data security laws and recent high-profile cases of consumer information theft, and the need for improved storage security becomes urgent.
But if systems administrators can't follow the basic steps of network storage security, better tools may not help. That's part of the reason why encryption is becoming the most widely adopted solution to the problem.
Misconfiguring logical unit number (LUN) zones and not maintaining network-access lists are two major causes of unauthorised access to storage networks, says Nancy Marrone, an analyst at The Enterprise Storage Group. Another common mistake administrators make is not bothering to change the device default password, according to Dennis Martin, an analyst at Evaluator Group.
Beyond the human failings, Fibre Channel itself isn't a secure protocol. Through it, application servers can see every device on a storage-area network (SAN). Switch zoning and LUN masking on a storage array can restrict access to devices on a SAN. Zoning segregates a network node either by hard wiring at the switch port or by creating access lists around device world wide names (WWN). Masking hides devices on a SAN from application servers either through software code residing on each device or through intelligent storage controllers that permit only certain LUNs to be seen by a host's operating system.
According to Marrone, managing access through LUN masking works on smaller SANs but becomes cumbersome on large SANs because of the extensive configuration and maintenance.
Given these human errors and technology shortfalls, some users are turning to encryption.
Michelle Butler, technical program manager for the National Centre for Supercomputing Applications (NCSA) at the University of Illinois, manages three SANs - two with 60TB of capacity and one with 40TB. For her, security means that data needs to be encrypted, both when it's in transit and stored on a disk - or "at rest".
"There are some tools out there, but there are also some big gaping holes being left that so far don't seem that interesting to hackers," Butler says.
Nevertheless, the NCSA plans to buy Brocade Communications Systems' recently released Secure Fabric operating system and Fabric Manager software. Butler says the products will let her storage administrators create network management access-control lists using public-key infrastructure (PKI) technology and device access-control lists based on WWN. The software also offers authentication and encryption for control information or management data on SAN devices.
Examples of the necessity for encryption abound. For instance, in January, a disk drive with 176,000 insurance policies was stolen from Ontario-based Co-operators Life Insurance Co.
Several newly released products address concerns posed by the recent legislation. In April, Kasten Chase Applied Research announced its Assurency Secure Networked Storage platform, agent-based software that provides a stripped-down PKI-based authentication and encryption for networked storage devices. The company estimates that a complete encryption system is generally 7 to 10 per cent of the cost of a SAN.
Another company getting noticed is start-up appliance vendor Decru Inc, which uses proprietary software to encrypt data on the storage array, but uses the IPsec protocol on the application server to encrypt data while in transit. Its DataFort security appliances work for both SANs and network-attached (NAS) storage.
Although most currently available storage security technologies offer encryption, analysts say it's important for users to make sure that the data is encrypted both at rest and while being transmitted across networks.