Storage infrastructure requires defense in depth.
Security strategies for storage networks must take precautions against unauthorized access from the outside, DoS attacks and internal attacks, which comprise 70% of all relevant cases. Moreover, the system must be configured to protect against unintentional changes. There is no universal solution. Security in storage networks can only be achieved by a strategy that is multi-layered and that meets company-specific requirements.
Defense in Depth Strategies
Companies must deploy storage solutions that have the right security posture for the organization, enable a scalable architecture that will not have to be ripped out to deploy security, and remove traditional limits on business. The three most important components in an effective "defense in depth" strategy are people, operations and technologies. Each needs to be integrated into an extensive security strategy. If the administrative team isn't properly trained, technologies may be incorrectly deployed, nullifying their effectiveness, or the process may not be followed in a remote data center. Any of these would either weaken or remove key links in the armor protecting the IT infrastructure.
The defense in depth strategy is a layered architecture where different security technologies are deployed on top of each other to implement multiple lines of defense. The storage network security strategy should be built in parallel with a strong physical security implementation, a good network security posture, and a good server and application security posture. These include Single Sign-On support and integration, as well as processes and event logging procedures required to uncover the "chicken tracks" if a security event occurs.
Each part is essential. Any aspect of security in the storage network that is left open to attacks is a potential risk to the infrastructure. While security for networks and servers is well understood, security for storage is an emerging area that offers challenges for compliance.
The key framework for compliance integrates regulations and corporate policies, which drive standards and practices. Port scanners in the network expose open ports on individual IP addresses and operating systems, and tools exist to scan patch levels and indicate which systems have not been updated. These are established operational practices where the types of vulnerabilities and threats are fairly well known, and the processes for remediation and compensating controls are well established.
Technical Side of Risk Mitigation
The primary focus of today's growing number of compliance regulations is ensuring the privacy, integrity and control of electronic records. There is less tolerance for irresponsible records management, whether intentional or accidental. Organizations are being held responsible for writing a policy regarding records management, retaining records in an unaltered state and preserving them for use by others for the foreseeable future.
Records management has added a new dimension to storage management. The storage system is responsible for improving record integrity and retention while assuring only authorized access. Enterprises must write storage network security standards and prove that they have consistently adhered to organizational policies and standards, prove that they can control and track the duplication of the records, show that these records are complete, and demonstrate that archives are tamper resistant.
The challenge with storage and the storage network is that records do not correlate well to SCSI commands, sectors on disks, LUNs, partitions, etc. Since a 10-terabyte database can contain 2 million e-mail records, all with different compliance requirements and impact on the business, it is best to create a trusted environment where sensitive and non-sensitive materials can be communicated.
Consolidating storage resources can facilitate compliance, because all the information is in one storage type and location, controlled by one team. It also enables an enterprise to reduce total cost of operations while moving data from an unstructured to a structured data format. For example, the data that resides on an executive's laptop can pose the greatest risk to the organization, as it isn't protected within the confines of a structured data security program. Similarly, much of an organization's critical information isn't stored centrally, backed up, tracked or reviewed for audit purposes. By contrast, records stored in a SAN leverage the benefits of residing in a structured data store, such as a database, that then can be managed based upon the type of records that they are.
Compliance is also paramount in terms of backup and recovery for business continuity purposes. For example, if an organization decides to replicate two data centers over distance using LAN/WAN technologies that run over IP, there are significant compliance challenges around what information can be sent over the IP infrastructure.
A records management compliance methodology must begin with a trusted infrastructure for the solution to run on. For example, if a database has strong authorization and authentication technologies deployed, but anybody can make a copy of a disk via the SAN, then the information isn't secure. In order to create trusted infrastructures, companies must implement the proper application of processes, people, training and technologies to close all back doors to the essential corporate information.
Overall, it is essential that the following four key areas of technology and analysis be applied to the storage infrastructure:
* Review privacy laws that are in place to ensure that only authorized users get access to the storage network and that unauthorized people are unable to gain access to confidential records. Technologies and controls in the storage network for authorization and authentication are key to improving privacy, along with encryption of the right information in flight and at rest.
* Establish data integrity and provide documentation when items are changed (including details such as who made the changes) and track any other avenues to get at the data. Data integrity is essential as public corporations work diligently to validate their financial reports. And today, records may need to be retained in an unaltered form for many years.
* Establish and maintain adequate controls in the data center. Specifically, this includes IT processes for information assurance and the impact of those policies and requirements on the storage network, a policy for secure logging and incident handling, and auditing and validating the programs for adequacy, effectiveness, and efficiency.
* Weigh how much security is "good enough." There are many terms in the various mandates that touch on this idea, and the business impact is marked. Most mandates understand that there is a proper balance between investments and risks, and that a certain degree of risk is allowable in the storage network environment. The challenge is that there are no firm rules outlining what the right level of investment is.
To compound these, as mentioned before, there are around 10,000 rules and regulations that may impact a specific business. A key idea to keep in mind is that requirements and mandates in one industry may become guiding principles in the next. This means that the practices outlined in one industry may be adopted by another industry (your compliance team and compliance consultants can provide examples).
The Focus on Security in the Data Center
Companies can improve security in the data center for the storage network through a three-step process: an audit/review, creation of a storage security standard, and implementation/installation of a security solution. Consider, for example, a data center infrastructure in a tiered model, where business operations sit at the top of the solution and where different divisions, groups or departments are running operations with the applications deployed in the data center. The applications inside the data center come from various vendors including PeopleSoft, Oracle, SAP, Exchange, etc., and provide the processing of the information that is stored in the storage network. Both of these layers focus on records in a database (whether they're individual e-mails or consumer transactions).
Each of these applications resides on, and assumes that it is running on, a trusted infrastructure. A solid security solution focuses on creating a trusted infrastructure that covers all aspects of the storage network, including the Fibre Channel communications, iSCSI, SAN Routing, and LAN/WAN protocols and connectivity solutions used. It also addresses the out-of-band management aspects of the storage network, as they are central to security in the storage network. NAS, as it attaches to the storage network for centralized storage, is also a piece of the solution. Storage arrays, HBAs, appliances and other devices that participate in the storage network also need to be integrated.
"What-If" and Gap Analyses
In order to improve security in the data center for the storage network, a company should begin with a review of the infrastructure in its current configuration, as well as its target configuration, as the storage network is built out. This review includes a comprehensive "what-if" analysis that footprints the infrastructure and applies a threat model to it to derive a report on the gaps in the network. The "what-if" analysis is essential in order to uncover the opportunities that a hacker may try to exploit.
The "what-if" analysis also examines the level of training of the people in the environment, the workflow and processes already employed, how well the processes are followed, and the parts of the solution that must be formalized and documented.
Planning to Address Gaps and Build a Roadmap for a Storage Security Standard
Once the risks have been ranked and documented, the next step is to provide an architecture that includes processes, technologies and compensating controls to improve the security posture of the organization. This is a critical step since (per the McData End User Security Webinar) 84% of organizations do not have a documented storage security standard. The gold architecture for each organization will vary, as some technologies will be seen as a "must implement" in some environments and optional in others.
Again, people and process are the key aspects of security. The storage security standard needs to have processes defined and documented for workflow, deviation, change control and validation. Everything needs to be written down and documented. "If it wasn't documented, it didn't happen" is the doctrine to follow in this environment.
Training standards are also essential so that the team understands how the technologies in the data center work, how to configure the system correctly and as intended, and how to minimize the risk of accidental misconfigurations.
Finally, it is essential to implement a good set of compensating controls to ensure that there is always a backup plan to address a vulnerability that may impact operations. If a security fix cannot be implemented in a reasonable amount of time, then another layer or type of security would need to be installed either temporarily until the vulnerability is fixed or permanently.
A Plan to Improve the Organization's Security Posture
A plan or strategy is only as good as its execution. Once changes are identified, mitigation schemes must be implemented almost immediately. Specifically, if technology is not feasible to fix one set of vulnerabilities, it is up to the organization to then execute compensating controls. Storage networking vendors can be key enablers by helping enterprises respond to security gaps as quickly as possible or by suggesting compensating controls to minimize risks.
Training and assessments should be conducted on a regular basis to ensure that the organization is managing with current information and that everything is implemented as effectively as possible.
Monitoring and Control
Once a strong security posture is established in the enterprise storage environment, the security solution must help the organization remain in that secure posture. Reporting tools and software-enforced standards and policies are essential in the security methodology. Event notification, extensive logging and reporting (to show the "chicken tracks" when a security event occurs), and security administration are essential pieces of the solution. This ongoing monitoring and control of the environment shows when updates were made, how fast they were made and indicates items that may be out of policy.
This step includes reviewing and updating the security information with any new threats, processes, controls or preferred practices that have come to light. Regular updates and training to the current state of the art in storage security are essential, especially in an emerging area of security such as storage networks.
The best security solutions for storage networks are implemented in layers for one simple reason: if one is breached, the next one can stop the intrusion. Like a bank that has locks on the doors, restricted areas and locks on the safe, an enterprise's data should be protected with a layered security solution leveraging the right technology at each layer.
Security is not a point product, but an evolution in features and functionality as the storage network evolves. As companies extend their storage networks to FICON, iSCSI and FCIP, new threats will arise. Enterprises must understand these and deploy adequate policies, architectures and products to assure the security of their essential data. Security inside the data center is also an essential component of any security policy.
It is essential to implement the right levels of security that are not overly complex and that don't hinder performance. These security techniques must leverage technologies such as authentication, authorization, accounting, DoS attack resistance, encryption, intrusion detection tools and secure administration. These techniques must be implemented in the right places with open, standards-based techniques.
Brandon Hoff is a security business manager at McDATA Corporation (Broomfield, CO).
Title Annotation: Disaster Recovery & Backup/Restore
Publication: Computer Technology Review
Date: Jul 1, 2004