News

10:54 AM
Jeff Moad, InformationWeek
Jeff Moad, InformationWeek
News
Connect Directly
RSS
E-Mail
50%
50%

How Secure Is Your SAN?

The topologies that make SANs cost effective and manageable also make them more vulnerable to security breakdowns. Here's what MasterCard has already done about it, and what other companies should consider.

With all they've got to worry about these days, most IT executives don't lose a lot of sleep over whether the data stored on their companies' tape and disk devices is secure. Most have come to believe that data, particularly mission-critical data residing in the corporate data center, is capably guarded by the usual protections such as firewalls, user authentication, and intrusion-detection systems.

That confidence, however, may be about to evaporate. That's because, at most enterprises, storage devices that are directly attached and dedicated to a specific server--and therefore easily secured--are rapidly giving way to shared networked storage topologies that introduce new security exposures. As much as 70% of enterprise storage will be networked in the form of either Fibre Channel-based storage area networks or network-attached storage devices by 2006, according to Nancy Marrone, senior analyst with the Enterprise Storage Group.

SANs are rapidly gaining ground in the enterprise because it can be easier and less expensive to manage a network of storage devices that are shared by many servers than hundreds or even thousands of disk subsystems attached to individual servers.

But the same things that make SANs cheaper and easier to manage also make them potentially more vulnerable to security breakdowns. Unlike traditional direct-attached storage devices, SANs are accessed by many servers, often running different operating systems. That means it's difficult for SANs to rely on any one host's operating system for security. Also, SANs are typically comprised of many more elements such as storage arrays, switches, directors, host-bus adapters, and management consoles, to name just a few. More elements attempting to access any shared resource over a network usually increases the opportunity for security breaches. An attacker, for example, could mount a denial-of-service attack on a SAN by issuing repeated log-in requests or gaining unauthorized access to combine SAN fabrics in a way that increases inefficiencies and decreases performance. Or an attacker could gain access to key data assets by spoofing, for example, a management interface address. Stored data is particularly vulnerable to this type of attack, experts say, because it is rarely encrypted as it sits on the disk or tape medium. Once a hacker gains unauthorized access to stored data, it's generally easy for the intruder to read, copy, and reuse it.

Such storage security vulnerabilities will multiply as enterprises begin to integrate their Fibre Channel SAN and NAS networks with more easily-accessed IP networks via gateways or the new Internet Small Computer System Interface, a protocol for IP-based storage. While host-bus adapters and other gear using the iSCSI protocol are just beginning to appear, IP-based storage is expected to become more popular, particularly for disaster recovery and remote back-up applications.

But it's not just external attackers gaining access through an IP gateway that enterprise storage managers must guard against. They also must be able to stop unauthorized access to stored data by employees and other insiders. CMP Media's Computer Security Institute, in its recently-released eighth annual Computer Crime and Security Survey, said 45% of enterprises in the last year reported unauthorized access to data by insiders. In one such breach, an employee of Coca-Cola Enterprises Inc. reportedly downloaded the salary information and Social Security numbers of about 450 coworkers.

Such breaches are becoming increasingly costly, particularly as government regulators pass new laws intended to safeguard private consumer information. One such law, California's Senate Bill 1386, went into effect in July and is considered something of a model for other states and the federal government. The California bill requires businesses to publicly notify consumers within 48 hours of any compromise of their personal information. Businesses, however, are exempt from the notification requirement if they've first encrypted the stored customer records.

"Those sorts of regulations, as they spread throughout the United States and elsewhere, will certainly bring the need for storage security into sharper focus," says Simon Robinson, head of the storage and systems practice at analyst firm The451.

Despite new privacy regulations and increased security vulnerabilities introduced by networked storage, many IT managers have yet to recognize storage as a potential security vulnerability. Government agencies, concerned about safeguarding information about individuals as they place more data online, have shown the most willingness to address the potential problem, leading the way in deploying new storage-security technologies. The Italian federal government, for example, as part of a major eGovernment project, has decided to deploy appliances from start-up Decru Inc. that encrypt all data in storage and authenticate server access.

"We have to secure that only the authorized persons should access sensitive data even in the data center, so we are protecting the data at the lowest level," said Marco Pissarello, business-development manager at systems integrator AGSM Telecomunicazioni in Verona, which is working on the project.

Government agencies, though, are exceptions. A recent survey by consulting firm International Network Services Inc. indicated that 12% of storage managers believe "better security through storage centralization" is a primary benefit of moving to networked storage, not a liability. In the same survey, no respondents cited security as one of the barriers they see to implementing a networked storage strategy.

Is Everyone Prepared?

Financial-services company MasterCard International Inc. is one company that sees little need to make a concerted effort to shore up storage security. Bill Winter, VP of global information security, says all of MasterCard's SANs are protected, not only in data centers and behind firewalls, but by multiple levels of operating system, application, and database authentication, and security software, processes, and audits.

"With the infrastructure that we've built at multiple levels--the network, database, and host--any threat to storage can be confined," Winter says. "We believe that all the doors are locked."

That may be true at MasterCard, counters Mark Diamond, president and CEO of storage consulting company Contoural, but many other companies are simply imagining that their networked storage is secure.

"A lot of end users have the mistaken belief that if their storage network is behind a firewall it is secure, and that is a big mistake," Diamond says. "And, unfortunately, many of the major vendors are failing to encourage end users to take advantage of some of the existing security features in their products, like making sure ports are shut down or changing passwords. A lot of education still needs to be done." Diamond also is a member of the Storage Security Industry Forum, formed by the Storage Networking Industry Association to promote the need for storage security and develop best practices.

One reason storage security hasn't emerged as a widespread enterprise concern is the knowledge gap that separates the storage administration staff and the security team at many companies. Accustomed to beefing up perimeter security and responding to E-mail virus attacks, security team members often don't focus on securing core pieces of the IT infrastructure such as storage.

At the same time, although they may recognize that vulnerabilities exist in their SAN environments, most storage administrators have seen security as peripheral to their jobs. While most have employed common Fibre Channel management techniques such as zoning and logical-unit-number masking to attempt to control access to disk arrays, switches, and other elements of a SAN fabric, few are familiar with stronger security technologies such as encryption and authentication.

"Corporate security officials don't really understand the issues around networked storage, while the storage guys generally see security concerns as getting in the way of them doing their jobs," Diamond says.

On top of that, storage security can be a complex issue. Most enterprises live with networked storage elements from a variety of different vendors--switches from Brocade Communications Systems and McData, storage arrays from EMC and IBM, for example--and each of those vendors offers different technical options for securing their gear. Storage-security standards that could provide common, cross-platform storage-security tools are just emerging. So, for now, it's not possible to buy a comprehensive storage-security solution as one would a firewall or intrusion-detection system.

In the absence of comprehensive storage-security solutions and cross-platform storage-security standards, where should IT managers focus first? Experts say there are three points in the typical networked storage topology that today pose the most significant potential security vulnerabilities. IT managers interested in shoring up storage security should begin by understanding these vulnerabilities, assessing whether their current vendors have or will have fixes and, if necessary, look for alternative security solutions.

The three top storage security vulnerabilities are:

1. Insecure management interfaces:

Networked-storage equipment vendors are beginning to build stronger authentication technologies into their systems so that, for example, a SAN switch can confirm that a given server should have access to a storage array. Many, however, have yet to provide the same protections to the interfaces used by software-management tools and consoles. Add to that the fact that many vendors allow management tools to access SAN storage devices via LAN or IP connections--not the more isolated SAN Fibre Channel connections--and the result, say experts, is a security breach waiting to happen.

"These management ports are generally made to provide relatively easy administrator access to networked storage devices, and that's just what makes them dangerous from a security point of view," says Alan Paller, director of research at the SANS Institute, a security education and research organization. "Many of these management ports allow dial-up access and use anonymous File Transfer Protocol or even no password protection. It's a big concern."

Paller says the SANS Institute has begun to press vendors and standards organizations to come up with common ways to add encryption and authentication to management ports. And vendors are slowly beginning to respond. IBM's Tivoli division, for example, has already built Secure Sockets Layer encryption into its Storage Area Network Manager product and includes an idle time-out feature. Switch maker McData Corp. is planning to add SSL and Secure Shell software encryption to its SANavigator management suite, a move which is part of a broader initiative the company calls Secure Management Zones, according to Brandon Hoff, the company's senior manager for strategic marketing. Some vendors, however, believe SSL isn't strong enough to protect networked storage management ports. Switch maker Cisco Systems, for example, has moved to 56-bit Data Encryption Standard encryption. Competitor Brocade uses passwords or public key encryption to authenticate management access to its devices and can restrict access to only specified IP addresses.

Such solutions, however, tend to be proprietary and to vary from management platform to management platform. For a standards-based approach to securing networked-storage management interfaces, enterprises will likely have to wait a couple of years. The Distributed Engineering Task Force is working on a version of the so-called Bluefin management profile that's specifically for storage-management tasks and incorporates Web-based security techniques. The final version of the standard, however, isn't due until later this year, and broad vendor compliance will not come until 2005.

Meanwhile, some vendors are working on ways to integrate SAN management authentication with authentication services that already exist or are being developed outside the storage environment. Brocade, for example, has demonstrated its ability to tie its management tools with authentication servers using the Remote Authentication Dial-In User Service protocol. Cisco also has plans to integrate with Radius authentication, according to Silvano Gai, a Cisco Fellow.

2. Vulnerable data at rest:

While many applications--backup, for example--encrypt and compress data while it's traveling over a network, data created by most applications and stored on networked devices isn't encrypted. So, once intruders or internal employees gain unauthorized access to networked storage, they generally have free rein.

Most networked storage vendors have shied away from building encryption into their products. Vendors of NAS devices have tended to rely on the server operating system for many security functions, and SAN infrastructure vendors such as Cisco, EMC, and McData say they're concerned that encryption would reduce SAN performance and, in the long run, prove difficult for enterprise customers to manage.

With major vendors remaining on the encryption sidelines, a group of small vendors, many of them startups, have entered the market, offering appliances that either attach to a Fibre Channel SAN switch or, in the case of IP-storage, sit on a LAN between servers and storage devices. These appliances have a few things in common: They generally capture data on its way to networked storage devices and encrypt it using either the 256-bit data Advanced Encryption Standard (AES) or 192-bit Triple DES, allowing data to be encrypted as it sits at rest on networked storage devices. Most also offer clustering for business-continuity and management software, including key management.

Beyond those similarities, however, the encryption appliances from vendors such as Decru, Ingrian, Kasten Chase Applied Research, NeoScale Systems, and Vormetric incorporate some significantly different approaches to storage encryption. Those differences will require enterprises to make choices about where and how storage should be encrypted.

Some encryption appliances--including Decru's DataFort product and NeoScale's CryptoStor product--are hardware-enabled appliances that don't require hardware or software agents running on servers or switches. The hardware-only approach, these vendors say, lets their appliances operate at near-line speeds. NeoScale, for example, says CryptoStor can keep up with a gigabit data path with less than 100 microseconds of latency.

Other encryption appliances such as Kasten Chase's Assurancy SecureData products and Vormetric's CoreGuard products require hardware or software agents running on servers, in addition to the hardware appliance. While this approach generally involves a performance hit--Kasten Chase estimates 10% overall--it can be more scalable.

Existing storage-encryption products also differ in terms of the types of storage devices they support. NeoScale, for example, offers a dedicated appliance for tape storage encryption but no NAS product. Decru offers a NAS product, but no tape encryption.

While not common now, storage encryption will eventually take hold in health care, financial services, and other heavily regulated industries in which organizations must care for customer and patient records for long periods, predicts Enterprise Storage Group's Marrone. Just how quickly storage encryption will become common even in those industries is open to question, however. That's because all of the encryption appliance solutions today are proprietary. With the exception of the IETF, which is expanding IPSec as an encryption standard for iSCSI-based networked storage, encryption-related standards work for Fibre Channel SANs is just beginning. So, predicts The451's Robinson, enterprises will be reluctant to invest in products that don't interoperate from a group of vendors that are relatively small and could, in the long run, be acquired.

"We expect it will be 12 to 18 months before we see significant enterprise traction for these technologies," Robinson says. "Many of these smaller companies will be acquired."

3. Weak device authentication:

Since SAN fabrics are typically made up of many types of devices and are dynamic--with host-bus adapters, switches, storage arrays, etc., constantly being added--it's critical for enterprises to able to quickly and consistently authenticate storage elements. While switch makers such as Brocade and Cisco have recently beefed up security through strong authentication in their products, unfortunately today storage authentication standards are just emerging. Companies attempting to manage systems containing devices from many vendors will find little interoperability between SAN switch authentication schemes.

Brocade, for example, in March took a big step toward securing its switches by rolling out its Secure Fabric Operating System software which, among other things, lets administrators bind storage devices to specific ports and introduces authentication of devices attaching to its switches via a public-key encryption (PKI) scheme. Competitors such as McData and Cisco, however, are holding out for what they see as a more standard approach, based on the Challenge Handshake Authentication Protocol.

Chap is likely to emerge as the winning approach. The dominant storage security standards body, ANSI's T-11 committee, is creating a set of SAN security standards called Fibre Channel Security Protocol. At the end of last year, the committee formally adopted Chap as the first mandatory authentication approach for SANs. At this point, however, the committee also recognizes a PKI-based approach called Fibre Channel Authentication Protocol as well as a password-based approach, the Fibre Channel Password Authentication Protocol, as optional authentication mechanisms.

McData has demonstrated Chap authentication with its switch products, and Cisco has said its switches will support Chap authentication by the end of the year. A final formal standard and true authentication interoperability, however, won't come until 2004 at the earliest, however, predicts Cisco's Gai.

In the meantime, enterprises with heterogeneous networked-storage environments will have to understand and manage multiple authentication schemes.

IT managers can begin to get a jump on improving storage security. A good first step, say experts, is to apply to storage many of the same practices already used to secure other parts of the IT infrastructure. That means first developing a storage-security risk assessment that looks at both vulnerabilities and potential losses should those vulnerabilities be exploited.

"Which applications are using the SAN? What data is critical? What would happen if a failure occurs? These are the questions you need to start with," says Piers McMahon, director of architecture for Computer Associates' eTrust Group. In many cases, risk can be significantly reduced by using existing server- and application-security tools rather than deploying new storage-level encryption, McMahon says.

Another step companies can and should take now is to develop a prescribed set of responses should their storage network be penetrated. In much the same way that network administrators have a script of actions to take when a virus strikes, storage administrators should have a pre-defined set of procedures in place that will allow them contain a storage security breach and quickly turn to back-up storage.

"Technology is only going to solve 30% to 40% of the storage-security problem anyway," says The451's Robinson. "The rest will have to be done through policies, guidelines, and procedures."

Jeff Moad is a Bay Area freelance writer.

Article originally appeared in InformationWeek, Aug. 4, 2003

Comment  | 
Print  | 
More Insights
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Slideshows
Video