Answering the storage security challenge.


Information storage devices are gaining popularity in corporations across the country. These devices are being used to enable strategic business initiatives such as enterprise resource planning (ERP) and customer relationship management (CRM). In addition, storage devices enable corporations to consolidate a variety of business-critical data traditionally distributed across multiple application and database servers. As a result, storage systems are an effective tool for increasing productivity, resource utilization, and return on investment while helping to ensure uptime and business continuity.

The demand for network-attached storage (NAS)--or shared storage on a network--is growing steadily. Research shows that more than 70 percent of storage will be networked by 2005. NAS devices are typically high-speed, single-purpose systems or components that serve specific storage needs on mixed networks, using a commercial or their own operating system and integrated hardware and software. These systems are attached directly to a network and provide file-level access to data. The easy setup and management, and the platform independence, of NAS devices make them effective in keeping administrative costs down.

Risks and Challenges

While storage devices such as NAS address critical business needs and offer many benefits, they also introduce new security risks and challenges. In a non-consolidated server environment, for example, if a malicious user gains unauthorized access to data, such access is limited to the type of data on the specific server. With consolidated data, access into one type of data typically provides access to other--or all--types of data.

In addition, just as a security breach on a storage device puts more data at risk, it also places a greater burden on IT resources as technicians are redirected from revenue-generating pursuits to incident-recovery activities. Also, because damage from undetected malicious code in a storage system can trigger a cycle of re-introduction each time stored data is backed up, the productivity of IT personnel can be repeatedly compromised with every recovery incident.

Further complicating the storage security issue are emerging industry and government regulations, such as HIPAA (the Health Insurance Portability and Accountability Act of 1996), that require organizations to secure any and all data. The increased availability of easy-to-use hacker tools adds another challenge, as it spawns a bigger pool of potential intruders seeking unauthorized access to greater caches of consolidated confidential data.

Security Tools for NAS

Corporations today are successfully using a variety of general security tools within their IT environments to protect their systems and data at the server, desktop, and gateway. A closer look at storage-specific security requirements reveals that layered protection is also necessary in order to ensure the integrity of storage systems and the data they house.

Securing Network Access to Storage: Because NAS is located on an IP network, it is susceptible to many threats that travel the network. The first line of defense against such network-based threats is a firewall. Placed in front of the storage device, the firewall creates a demilitarized zone (DMZ) for the storage device by halting inappropriate access by unauthorized users while allowing access by authorized personnel. Virtual private network (VPN), encryption, and authentication tools further secure network access to storage by providing an encrypted tunnel available only to authorized users.

A second line of defense is network-based intrusion detection to identify external, as well as internal, threats, with protocol anomaly detection technology to detect known, as well as new, attacks. In addition, for more accurate detection of the significant amount of data being passed to and from the network storage device, a multi-gigabit network-based intrusion detection system is a requirement.

Network-based vulnerability assessment helps identify potential vulnerabilities on systems visible outside the company's firewalls and enables enterprises to better understand the state of security within their organization.

Network access to storage can also be addressed through security appliances that sit in front of the NAS and not only detect but stop malicious traffic before it reaches the storage device.

Securing Data Storage: Even with virus protection on desktops and gateways, storage devices remain susceptible to infection from malicious code. Desktop users, for example, might turn off their desktop antivirus scanning or simply forget to update virus definitions, thereby exposing their systems to viruses and other threats. Subsequent desktop interaction with the NAS extends the potential for infection throughout the network to other systems, data, and users. As a result, securing the actual data on a storage device requires antivirus software, either host- or network-based. Whether it resides on the NAS or is provided as a service by another network node, antivirus protects against data corruption and virus infection.

Host-based intrusion detection is also key to securing data storage. A host-based intrusion detection system detects attacks on the operating system at the application level. Coupled with host-based vulnerability assessment, which helps the enterprise evaluate its exposure to threats, this technology enables organizations to safeguard the valuable data residing on the corporate NAS. Once vulnerabilities are closed, policy compliance technology can be used to ensure that storage security practices continue to be enforced.

Securing Data Access/Data Transmission: Effective and secure storage data access and data transmission are addressed through authorization, authentication, and encryption. Authorization ensures that only authorized users have access to the storage device, and to and from the devices with which the storage device interacts. Authentication ensures the identity of each user who accesses the storage device.

Using Storage Security Tools

A look at a typical security breach helps demonstrate how storage security products and technologies can be applied to effectively protect storage systems, stored data, and data transmission.

Traditionally, the client, or desktop, poses the greatest risk to storage systems simply because clients are trusted sources that have access to stored data on a regular basis. Compromised by a worm, however, the client can become a vehicle for disaster. For example, a security threat might pass through a firewall and ultimately attack internal clients, creating a number of possible problems, including infecting network shares, destroying or corrupting stored data, transferring confidential data, launching a distributed denial of service (DDoS) attack, or probing the network.

The first step in responding to such a threat is to make sure that the storage system does not become a source of infection that is passed back to the client. Implementing antivirus dramatically reduces the risk to the contents of the storage device. It does not, however, eliminate the risk to the storage system itself, nor does it address more aggressive blended threats. As a result, the storage subsystem continues to be vulnerable to DDoS attacks, network probing, and other internal threats.

Protecting the storage system requires additional steps. The first is to introduce a network-based intrusion detection system that recognizes threats. The second step is to track the threat to its internal source in order to repair the problem at the source.

The threat to the storage system must also be blocked proactively in order to limit its impact on the storage device. Using a full inspection firewall minimizes vulnerabilities and ensures complete control of information entering and leaving the enterprise, while providing partners and customers access to corporate resources.

Of course, the possibility remains that a desktop can still become compromised by using outdated virus definitions or by turning off antivirus. To prevent a compromised client from attempting an attack against a storage device, a firewall is placed in front of the storage device and traffic is encrypted.

Integrated Security for Enterprise Protection

While products and technologies at multiple levels of the organization are necessary to fortify storage security, the overall security posture of an enterprise is significantly improved through an integrated blend of products and services. This integrated approach offers a holistic security strategy that addresses the four most important enterprise security tasks: alert, protect, respond, and manage. An alerting system ensures early warning of threats, while protection is provided through intelligently deployed security solutions and services. A rapid response infrastructure enables the organization to answer threats that materialize, and security management tools allow the enterprise to protect against complex threats, as well as to maximize its existing security investments.

The integration of data from multi-function and multi-vendor security products provides a more complete yet concise view of relevant security information. By obviating the difficulties of overlapping or missing functionality and data that result from using non-integrated solutions, this unified approach helps keep storage devices, stored data, and the rest of the enterprise protected from both known and unknown threats.

Security services also represent a key component of any storage or enterprise security strategy. Security services are a cost-effective alternative or complement to in-house security expertise. Security providers offer a variety of services, from assessing an enterprise's security environment against its security policy to helping an organization identify and implement appropriate security solutions.

There is also significant value in outsourcing early warning and response security services. Threats that can impact storage devices are typically introduced by exploiting well-known vulnerabilities that have impacted networks and systems in other parts of the world. As a result, early warning service providers often have information about those vulnerabilities before their customers are threatened and can, in turn, provide proactive protection in order to minimize customers' exposure to risk.

Gary Sevounts is director of Solutions Marketing at Symantec Corporation (Cupertino, CA).

www.Symantec.com
COPYRIGHT 2003 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Security
Author:Sevounts, Gary
Publication:Computer Technology Review
Date:Aug 1, 2003
Words:1526