ARN

Plugging storage security holes

Storage systems weren’t designed with security in mind. They started out as direct-attached, so if the host was secure, the storage was too. That’s all changed.

Fibre Channel storage networks often have multiple switches and IP gateways, allowing access from a myriad of points. Compound this with poor work by systems administrators, new data security laws and recent high-profile cases of consumer information theft, and the need for improved storage security becomes urgent.

But if systems administrators can’t follow the basic steps of network storage security, better tools may not help. That’s part of the reason why encryption is becoming the most widely adopted solution to the problem.

Misconfiguring logical unit number (LUN) zones and not maintaining network-access lists are two major causes of unauthorised access to storage networks, an analyst at US-based The Enterprise Storage Group, Nancy Marrone, said. Another common mistake administrators make is not bothering to change the device default password, an analyst at US-based Evaluator Group, Dennis Martin, said.

Beyond the human failings, Fibre Channel itself isn’t a secure protocol. By default, an application server on a storage-area network (SAN) can see every device on it. Switch zoning and LUN masking on a storage array can restrict access to devices on a SAN. Zoning segregates a network node either by hard wiring at the switch port or by creating access lists around device world wide names (WWN). Masking hides devices on a SAN from application servers either through software code residing on each device or through intelligent storage controllers that permit only certain LUNs to be seen by a host’s operating system.

Marrone said managing access through LUN masking worked on smaller SANs but became cumbersome on large SANs because of the extensive configuration and maintenance.
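As an added illustration (not from the article or any vendor), the following script models the two controls just described, WWN-based zoning at the switch and LUN masking on the array, and audits them for the misconfigurations the analysts named. All WWNs, LUN numbers and host names are constructed.

```python
# Constructed model of SAN access control: a host sees a LUN only if switch
# zoning lets it reach the array port AND the array's mask for that LUN admits it.
from dataclasses import dataclass

@dataclass
class Fabric:
    zones: dict[str, set[str]]  # zone name -> WWNs allowed to talk to each other

    def can_reach(self, initiator: str, target: str) -> bool:
        # Two ports can exchange frames only if some zone contains both.
        return any(initiator in z and target in z for z in self.zones.values())

@dataclass
class Array:
    port_wwn: str
    masks: dict[int, set[str]]  # LUN -> host WWNs allowed; empty set = unmasked (any host)

    def exposes(self, lun: int, host: str) -> bool:
        allowed = self.masks[lun]
        return not allowed or host in allowed

def visible_luns(fabric: Fabric, array: Array, host: str) -> set[int]:
    """LUNs the host actually sees: zoning and masking must both permit it."""
    if not fabric.can_reach(host, array.port_wwn):
        return set()
    return {lun for lun in array.masks if array.exposes(lun, host)}

def audit(fabric: Fabric, array: Array, intended: dict[str, set[int]]) -> list[str]:
    """Report every (host, LUN) pair that is visible but not in the intended map."""
    findings = []
    hosts = {w for z in fabric.zones.values() for w in z} - {array.port_wwn}
    for host in sorted(hosts):
        for lun in sorted(visible_luns(fabric, array, host) - intended.get(host, set())):
            why = "LUN is unmasked" if not array.masks[lun] else "mask lists this host"
            findings.append(f"{host} sees LUN {lun} unexpectedly ({why})")
    return findings

# Constructed sample: three hosts, one array port, two planted mistakes.
ARRAY_PORT = "50:06:01:60:00:00:00:01"
HOSTS = {"db": "10:00:00:00:c9:00:00:01", "web": "10:00:00:00:c9:00:00:02",
         "test": "10:00:00:00:c9:00:00:03"}
FABRIC = Fabric({"zone_db": {HOSTS["db"], ARRAY_PORT},
                 "zone_web": {HOSTS["web"], HOSTS["test"], ARRAY_PORT}})
ARRAY = Array(ARRAY_PORT, {0: {HOSTS["db"]},
                           1: {HOSTS["web"], HOSTS["test"]},  # mistake: test host left in mask
                           2: set()})                          # mistake: LUN never masked
INTENDED = {HOSTS["db"]: {0}, HOSTS["web"]: {1}}

if __name__ == "__main__":
    for line in audit(FABRIC, ARRAY, INTENDED):
        print(line)
```

Running it lists four unexpected exposures, two caused by the unmasked LUN and one by the stale mask entry plus the test host also seeing the unmasked LUN; on a large SAN this is the kind of check that replaces reading the masks by hand.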

Encryption makes gains

Given these human errors and technology shortfalls, some users are turning to encryption.

Technical program manager for the National Center for Supercomputing Applications (NCSA), Michelle Butler, manages three SANs — two with 60TB of capacity and one with 40TB. For her, security means that data needs to be encrypted, both when it’s in transit and stored on a disk — or “at rest.”

“There are some tools out there, but there are also some big gaping holes being left that so far don’t seem that interesting to hackers,” Butler said.

Nevertheless, the NCSA plans to buy Brocade Communications Systems’ newly-released Secure Fabric operating system and Fabric Manager software.

Butler said the products would allow her storage administrators to create network management access-control lists using public-key infrastructure (PKI) technology and device access-control lists based on WWN. The software also offers authentication and encryption for control information or management data on SAN devices.

Examples of the necessity of encryption abound.

For instance, in January, a disk drive with 176,000 insurance policies was stolen from Canada-based Co-operators Life Insurance.

In response to events like this, California adopted a new law. SB 1386, which went into effect this month, requires any company that stores information about California residents to publicly divulge any breach of security affecting that data within 48 hours.

In addition, Senator Dianne Feinstein’s office is finalising a federal version of the bill — called the Database Security Breach Notification Act — that would provide similar protections to all US residents.

The only companies exempt from the California law and the proposed national legislation are those that encrypt data at rest.

Several newly-released products address concerns posed by the recent legislation. In April, Kasten Chase Applied Research announced its Assurency Secure Networked Storage platform, agent-based software that provides a stripped-down PKI-based authentication and encryption for networked storage devices. The company estimated that a complete encryption system was generally 7 per cent to 10 per cent of the cost of a SAN.

Other vendors

Another company getting noticed is US start-up appliance vendor Decru, which uses proprietary software to encrypt data on the storage array, but uses the IPsec protocol on the application server to encrypt data while in transit. Its DataFort security appliances work for both SANs and network-attached storage (NAS).

US company, Vormetric, sells an appliance that encrypts data at the file level for NAS, file servers and tape archival systems but not at the block level for SANs. And NeoScale Systems sells a product called CryptoStor FC that provides wire-speed, policy-based encryption for SAN and NAS data.

Although most currently available storage security technologies offer encryption, analysts said it was important for users to make sure that the data was encrypted both at rest and while being transmitted across networks.