Network executives face the same challenges securing storage networks as they do enterprise data infrastructures - keeping corporate information safe without slowing application performance or adding management complexity. The problem is, the range of security options isn't nearly as wide for storage as it is for corporate networks.
Storage networks link disk arrays to allow multiple applications (or servers) to access data, and more easily share unused storage than when disk drives attach directly to a server. However, as storage-area networks (SAN) and network-attached storage proliferate, security becomes a real problem. This is especially the case as more customers use IP to link storage devices instead of, or in addition to, the more secure Fibre Channel protocol customarily used in SANs.
"The prevailing perception is that because my (SAN) is behind my firewall it's safe and I don't have to worry about it," says Mark Diamond, president and CEO of Contoural, a Los Altos, Calif., storage education, consulting and incident-management firm. "The problem with that," he adds, "is a SAN has many more entry points" than direct-attached storage.
Relatively few products are designed purely to secure networked storage. This leaves most users relying on the security capabilities found in storage management software from hardware vendors such as Brocade Communications Systems Inc., EMC Corp. and McData Corp. or in storage-management tools from vendors such as FalconStor Software.
Given this, analysts recommend looking for storage-management tools that support current security standards, such as IP Security (IPSec), Remote Authentication Dial-In User Service (RADIUS) and SNMP Version 3 (SNMPv3), and emerging standards, such as the Diffie-Hellman Key Encryption Protocol-Challenge Handshake Authentication Protocol (DH-CHAP). With IPSec, which the Internet Engineering Task Force mandates for certain storage products before they can be considered standards-compliant, users can add encryption and authentication to IP storage networks. RADIUS can provide a foundation for role-based security through a central database of user access information, and SNMPv3 supports encryption of management and troubleshooting data from storage devices. DH-CHAP, when it is finalized later this year, will verify the identity of Fibre Channel storage devices, switches and managers.
Security standards in storage tools
Storage vendors offer a mixed bag when it comes to support for such standards.
McData says it will support third-party implementations of IPSec when it ships its first IP storage products later this year, with native IPSec support coming next year. In its SANtegrity security suite, McData supports RADIUS now and says it will add support for SNMPv3 and DH-CHAP later this year. In the meantime, Brocade's Secure Fabric operating system now supports IPSec and will add support for DH-CHAP, RADIUS and SNMPv3 in the second half of the year. EMC does not support any of these standards in ControlCenter; FalconStor's IPStor software supports IPSec but not RADIUS. Support for SNMPv3 and DH-CHAP will follow as they are finalized, FalconStor says.
Regardless of which security standards they use, most storage-management tool vendors support logical unit number (LUN) masking, which limits which logical storage volumes an application or server can see, and zoning, which organizes the devices on a storage network into logical groups similar to a virtual LAN. Some also support binding, a relatively new technique that uses access control lists to determine which devices can attach to which ports.
While such functions don't secure data, they do prevent storage administrators from configuring their networks improperly. That helps keep storage networks secure, according to the Storage Networking Industry Association (SNIA). In a report released in January, SNIA said the complexity of storage networks makes configuration mistakes the No. 1 security threat for most network storage users.
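The three controls just described (zoning, LUN masking and port binding) are only as good as their configuration, and SNIA's point is that the mistakes are what bite. The following audit script is an added example, not code from the article or from any vendor named in it; the zone, mask and binding layout is a simplified model of the three controls, and all sample data is constructed.

```python
"""Audit a SAN access-control configuration for the kinds of configuration
mistake the text calls the No. 1 threat. Constructed sample data; the
zone/LUN-mask/binding layout is a simplified model (assumption), not any
vendor's management format."""

# Constructed sample: short names stand in for port World Wide Names (WWPNs).
ZONES = {                                  # zoning: logical groups, like a VLAN
    "zone_erp": {"host_erp", "array_a"},
    "zone_web": {"host_web", "array_a"},
}
LUN_MASKS = {                              # LUN masking: who may see each volume
    "array_a": {"lun0": {"host_erp"},
                "lun1": {"host_erp", "host_web"},
                "lun2": set()},            # empty mask: no restriction at all
}
PORT_BINDING = {"sw1/1": "host_erp", "sw1/2": "host_web", "sw1/3": "array_a"}
LOGGED_IN = {"sw1/1": "host_erp", "sw1/2": "host_web",
             "sw1/3": "array_a", "sw1/4": "host_test"}   # sw1/4 has no binding

def hosts():
    return sorted(n for n in set(LOGGED_IN.values()) if n.startswith("host_"))

def can_reach(host, target):
    """Zoning allows traffic only between members of a common zone."""
    return any(host in z and target in z for z in ZONES.values())

def audit():
    """Return a list of findings; an empty list means the config is clean."""
    findings = []
    for port, wwpn in LOGGED_IN.items():                # 1. unbound ports
        if PORT_BINDING.get(port) != wwpn:
            findings.append(f"UNBOUND {wwpn} logged in on {port}")
    for target, luns in LUN_MASKS.items():
        for lun, allowed in luns.items():
            if not allowed:                             # 2. unmasked LUN
                exposed = [h for h in hosts() if can_reach(h, target)]
                findings.append(f"UNMASKED {target}/{lun} visible to {exposed}")
            for h in sorted(allowed):                   # 3. mask without a zone
                if not can_reach(h, target):
                    findings.append(f"STALE-MASK {h} on {target}/{lun} not zoned")
            if len(allowed) > 1:                        # 4. LUN shared by hosts
                findings.append(f"SHARED {target}/{lun} by {sorted(allowed)}")
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed data the script reports the unbound device on sw1/4, the unmasked lun2 reachable from both zoned hosts, and lun1 being shared by two hosts (fine for a cluster, a corruption risk otherwise).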
Unencrypted stored data is another big security weakness. At any time, 98% of corporate data is not in transit over a network but at rest on disk or tape devices, says Steve Duplessie, a senior analyst at Enterprise Storage Group. If it isn't encrypted, that data "sits there like a big, fat elephant waiting to be shot," he says.
That reality has turned encryption of data in disk drives or on tape back-up systems into a storage security hot spot. Storage vendors can provide encryption on the server, on the host bus adapters that link the server to the storage network, on the client, or in a stand-alone appliance.
At SwapDrive, an online back-up firm in Washington, D.C., customers were swayed only slightly by assurances from the company that it had great physical security and thorough security policies, says David Steinberg, CEO. To them, he says, the lack of encryption meant "we had a hole in our system."
To fix that "hole," SwapDrive used Decru's DataFort E440 storage security appliance to encrypt customer data as it moves from SwapDrive's servers to a third-party managed storage service environment where it remains encrypted until the customer retrieves it. SwapDrive chose a stand-alone appliance rather than having customers manage their encryption keys and passwords, something it would have needed to do if it downloaded encryption algorithms to client machines. An appliance also minimized any performance hit to the network and applications, Steinberg says.
Stand-alone storage encryption products also help customers split responsibility among groups for managing storage vs. storage security. This division of labor reduces the chance of someone misusing legitimate access rights to steal or sabotage data. It also allows the outsourcing of data management while keeping security in-house, says Andy Salo, director of product marketing at Decru.
Other storage security appliances combine encryption with additional security features. NeoScale Systems' CryptoStor FC provides encryption and centralized policy management, while the CryptoStor for Tape appliance, in beta testing, will do the same for tape systems. And the as-yet-unnamed Vormetric appliance due out in mid-April will combine encryption, authentication and fine-grained access control capabilities, says David Tang, the company's vice president of marketing and business development.
Over time, vendors will incorporate encryption and other such security features into storage switches, tape drives and drive arrays, predicts Mike Alvarado, chair of the SNIA's Storage Security Industry Forum, a group that intends to lobby vendors for improved security in networked storage products. Users ultimately will have a full complement of storage security appliances and integrated security functions from which to choose, says Alvarado, who also is a senior product manager at NeoScale.
But for now, some storage vendors contend that integrated encryption isn't necessary. Paul Ross, director of storage networks for EMC, cites a lack of customer demand as the reason that the vendor doesn't offer encryption.
Some vendors say they hope to fight the storage security threat with authentication protocols and products that verify the identity of a switch, a drive array, a storage manager or anyone else before allowing network access. DH-CHAP, due out this year, will provide such authentication capabilities. DH-CHAP will be a mandatory part of the Fibre Channel Security Protocols under development at the American National Standards Institute. McData recently demonstrated the use of security protocols such as DH-CHAP to authenticate users across its own and other vendors' switches.
While DH-CHAP is aimed at Fibre Channel storage networks, IPSec can provide authentication and encryption capabilities for users building IP storage networks, says Tom Nosella, senior manager of technical marketing with Cisco's Storage Technology Group.
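To make the authentication idea behind DH-CHAP concrete, here is an added example (not code from the article, from the standard or from any vendor in it) that models a challenge-handshake exchange augmented with a Diffie-Hellman value, so that neither side's secret crosses the fabric and each response is bound to one session. The message layout, hash input ordering and toy DH group are assumptions, not the FC-SP wire format.

```python
"""Simplified model of a Diffie-Hellman-augmented CHAP exchange of the kind
DH-CHAP provides: an initiator (e.g. a host bus adapter) proves knowledge of
a shared secret to a responder (e.g. a switch), optionally mutually.
Toy parameters and message ordering are constructed assumptions."""
import hashlib
import secrets

P, G = 2**127 - 1, 5   # toy DH group (constructed); real use needs a standard group

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

class Responder:
    """Holds the initiator's secret to verify it, and its own to prove itself."""
    def __init__(self, initiator_secret: bytes, own_secret: bytes):
        self.secrets = (initiator_secret, own_secret)
    def challenge(self):
        self.x = secrets.randbelow(P - 2) + 2
        self.c1 = secrets.token_bytes(16)
        return self.c1, pow(G, self.x, P)        # challenge + DH public value
    def verify(self, r1, gy, c2):
        shared = to_bytes(pow(gy, self.x, P))    # g^(xy) binds R1 to this session
        if r1 != h(self.c1, self.secrets[0], shared):
            return None                          # reject: identity not proven
        return h(c2, self.secrets[1], shared)    # R2 answers the initiator's challenge

class Initiator:
    def __init__(self, own_secret: bytes, responder_secret: bytes):
        self.secrets = (own_secret, responder_secret)
    def reply(self, c1, gx):
        y = secrets.randbelow(P - 2) + 2
        self.shared = to_bytes(pow(gx, y, P))
        self.c2 = secrets.token_bytes(16)        # challenge for mutual auth
        return h(c1, self.secrets[0], self.shared), pow(G, y, P), self.c2
    def verify(self, r2) -> bool:
        return r2 == h(self.c2, self.secrets[1], self.shared)

def authenticate(initiator: Initiator, responder: Responder) -> bool:
    """Run the exchange; True only if both sides proved their secret."""
    c1, gx = responder.challenge()
    r1, gy, c2 = initiator.reply(c1, gx)
    r2 = responder.verify(r1, gy, c2)
    return r2 is not None and initiator.verify(r2)
```

Because the response hashes in g^(xy) as well as the secret, a captured exchange is tied to that session's ephemeral values rather than to the secret alone; without the DH term the exchange reduces to plain CHAP.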
Beyond tools, network storage managers need to develop the same kind of threat assessment and auditing processes they have in place for enterprise data networks, industry experts say. Among other steps, storage managers should consult with their corporate or legal audit staffs to determine what legal or regulatory security requirements they face, Alvarado says.
"When people implemented network security, they didn't say 'Let's look at the vulnerabilities and let's protect them,'" Contoural's Diamond says. "People did threat-assessment models, and got a lot of experience (in what worked and what didn't). A lot of that work hasn't been done for storage security."
Scheier is a freelance writer in Boylston, Mass., who writes about storage and security. He can be reached at email@example.com.