Tech Guide: How Secure is Your SAN? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

11:11 AM

Tech Guide: How Secure is Your SAN?

The topologies that make SANs cost effective and manageable also make them more vulnerable to security breakdowns. Here's what to do about it.

Tech GuideWith all they've got to worry about these days, most IT executives don't lose a lot of sleep over whether the data stored on their companies' tape and disk devices is secure. Most have come to believe that data, particularly mission-critical data residing in the corporate data center, is capably guarded by the usual protections such as firewalls, user authentication, and intrusion-detection systems.

That confidence, however, may be about to evaporate. That's because, at most enterprises, storage devices that are directly attached and dedicated to a specific server--and therefore easily secured--are rapidly giving way to shared networked storage topologies that introduce new security exposures. As much as 70% of enterprise storage will be networked in the form of either Fibre Channel-based storage area networks or network-attached storage devices by 2006, according to Nancy Marrone, senior analyst with the Enterprise Storage Group.

SANs are rapidly gaining ground in the enterprise because it can be easier and less expensive to manage a network of storage devices that are shared by many servers than hundreds or even thousands of disk subsystems attached to individual servers.

But the same things that make SANs cheaper and easier to manage also make them potentially more vulnerable to security breakdowns. Unlike traditional direct-attached storage devices, SANs are accessed by many servers, often running different operating systems. That means it's difficult for SANs to rely on any one host's operating system for security. Also, SANs are typically comprised of many more elements such as storage arrays, switches, directors, host-bus adapters, and management consoles, to name just a few. More elements attempting to access any shared resource over a network usually increases the opportunity for security breaches. An attacker, for example, could mount a denial-of-service attack on a SAN by issuing repeated log-in requests or gaining unauthorized access to combine SAN fabrics in a way that increases inefficiencies and decreases performance. Or an attacker could gain access to key data assets by spoofing, for example, a management interface address. (For more on possible types of attacks, see White Paper: Towards Securing Information End-To-End: Networked Storage Security Update and Best Practices .) Stored data is particularly vulnerable to this type of attack, experts say, because it is rarely encrypted as it sits on the disk or tape medium. Once a hacker gains unauthorized access to stored data, it's generally easy for the intruder to read, copy, and reuse it.

Such storage security vulnerabilities will multiply as enterprises begin to integrate their Fibre Channel SAN and NAS networks with more easily-accessed IP networks via gateways or the new Internet Small Computer System Interface, a protocol for IP-based storage. While host-bus adapters and other gear using the iSCSI protocol are just beginning to appear, IP-based storage is expected to become more popular, particularly for disaster recovery and remote back-up applications.

But it's not just external attackers gaining access through an IP gateway that enterprise storage managers must guard against. They also must be able to stop unauthorized access to stored data by employees and other insiders. CMP Media's Computer Security Institute, in its recently-released eighth annual Computer Crime and Security Survey, said 45% of enterprises in the last year reported unauthorized access to data by insiders. In one such breach, an employee of Coca-Cola Enterprises Inc. reportedly downloaded the salary information and Social Security numbers of about 450 coworkers. (See Hacker may sit in next cubicle; 5/14/2003, The Atlanta Journal-Constitution )

Such breaches are becoming increasingly costly, particularly as government regulators pass new laws intended to safeguard private consumer information. One such law, California's Senate Bill 1386, went into effect in July and is considered something of a model for other states and the federal government. (See story, California Security Law Background ) The California bill requires businesses to publicly notify consumers within 48 hours of any compromise of their personal information. Businesses, however, are exempt from the notification requirement if they've first encrypted the stored customer records.

"Those sorts of regulations, as they spread throughout the United States and elsewhere, will certainly bring the need for storage security into sharper focus," says Simon Robinson, head of the storage and systems practice at analyst firm The451.

Despite new privacy regulations and increased security vulnerabilities introduced by networked storage, many IT managers have yet to recognize storage as a potential security vulnerability. Government agencies, concerned about safeguarding information about individuals as they place more data online, have shown the most willingness to address the potential problem, leading the way in deploying new storage-security technologies. The Italian federal government, for example, as part of a major eGovernment project, has decided to deploy appliances from start-up Decru Inc. that encrypt all data in storage and authenticate server access.

"We have to secure that only the authorized persons should access sensitive data even in the data center, so we are protecting the data at the lowest level," said Marco Pissarello, business-development manager at systems integrator AGSM Telecomunicazioni in Verona, which is working on the project.

Government agencies, though, are exceptions. A recent survey by consulting firm International Network Services Inc. indicated that 12% of storage managers believe "better security through storage centralization" is a primary benefit of moving to networked storage, not a liability. (INS Press Release: Survey by International Network Services Shows Adoption of Storage Networks Continues Unabated) In the same survey, no respondents cited security as one of the barriers they see to implementing a networked storage strategy.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 4
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

How CIO Roles Will Change: The Future of Work
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2021
A Strategy to Aid Underserved Communities and Fill Tech Jobs
Joao-Pierre S. Ruth, Senior Writer,  7/9/2021
10 Ways AI and ML Are Evolving
Lisa Morgan, Freelance Writer,  6/28/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll