The Enterprise Storage Group
An industry analyst explains the need for increased storage security, particularly in storage network environments.
Recently, there has been a lot of buzz about storage security, but it is still a confusing issue to many IT administrators. Why? Because although security is a huge puzzle for any IT organization, the concept of focusing on security as it applies specifically to storage is a relatively new topic. The recent focus on storage security stems from a greater awareness of the value of data to an organization and the reality that security breaches can compromise valuable company information. A few start-ups have developed technologies that address the issue of secure storage, but end users have yet to fully understand the differences between securing network resources and securing storage.
There is no question that users understand that network security is an issue: If the network is breached, the company can incur serious downtime and loss of revenue. However, administrators tend to believe that if they protect resources on the front end of the storage, then the data is completely protected. In the past, this was true to a point; however, there are many trends in storage networking that introduce new security issues not addressed by common network security methods.
Why is storage security important?
This may seem like an obvious concept, but the bottom line is businesses depend on the data that is kept on their storage resources. What is at risk if data is compromised (e.g., stolen, corrupted, or deleted)? That depends on the type of data, which could be financial information, strategic plans, research analysis, design schematics, or customer information. Corruption or loss of data can result in downtime, which in turn, results in loss of revenue. Unauthorized access or "data poaching" can result in many other issues for a company, ranging from fines for violation of compliance (e.g., HIPPA regulations), or lawsuits from affected parties (e.g., stolen identity information). In the worst case, critical information about a company's products, financials, or strategy can get into a competitor's hands, compromising what could be years' worth of work.
The threats are not always from external sources; statistics show that approximately half of all security breaches are from internal sources, from people who may know how valuable specific data is to an organization. These breaches may not always be intentional; human error can inadvertently cause corruption or loss of valuable data.
None of these issues are new, although e-business is opening up additional security issues for companies doing business over the Web. Many of the security methods in place today are intended to protect company data at some level, although most are intended to protect IT resources at the perimeter of the storage infrastructure. Firewalls make sure no unauthorized outside user can access the network, protecting the network itself, the servers, and by default, the data stores attached to those servers. Virus-protection solutions ensure a software virus does not corrupt or wipe out data on hard drives. Authentication techniques make sure only certain users have access to certain resources. So what is different now? Why is there a need to focus on storage security if all of these other security measures are in place?
Storage security is more of an issue today than in the past due to new trends in the way storage resources are being used. The biggest change is the move toward networked storage and geographic distribution of data (for business continuance or data sharing purposes). Consolidation of storage resources in a networked environment opens up a number of potential security risks that should cause users to re-address their storage security policies. Also, transporting data outside of the data center puts the data at risk from a number of external sources.
In the past, storage was almost always attached directly to servers via a SCSI connection. There was one way into that data store—through the application server. If that server was secure, then so was the data. But networking storage resources together changes that model and opens up multiple paths to the data on shared resources.
Research shows that as much as 70% of storage will be networked in 2006. There are multiple ways to network storage resources for the purpose of sharing either the capacity or the data residing on the resources. Users can choose to implement network-attached storage (NAS), iSCSI storage area networks (SANs), or Fibre Channel SANs. Each of these options enables users to consolidate and share resources, and the technologies can co-exist in an organization. As users move toward implementing these technologies, they need to be aware of the security implications.
Of course, there are security protection methods for each of the storage networking technologies. However, users still need to be conscious of how networking storage affects the way they need to think about securing data.
The two key areas of concern are the concentration of data in a networked environment, and the fact that there are multiple points of entry from heterogeneous users. Consolidation of storage resources presents the issue that now much of the critical data can be located on a single (or a few) storage resource, as opposed to being spread around the environment. Again, there are multiple benefits to this type of setup, but it is extremely important to protect the storage resources, because it is possible that a great deal of data can potentially be compromised with a single security breach.
Unlike in a direct-attached storage environment, where there was a one-to-one relationship between the server and the storage, networking storage results in one-to-many relationships, where there are multiple points of entry to the data share. This has been true in the past if a company used file servers for sharing files among users; however, if they were using general-purpose file servers, at least the hosts and servers shared the same operating system.
All of the networking technologies discussed here—NAS, iSCSI, and Fibre Channel SANs—support the ability for heterogeneous hosts to access the same storage resources. Now there are multiple points of entry to the storage resource, from multiple hosts with different operating systems, using different authentication protocols and authorization schemes. This presents a significant challenge for an administrator trying to make sure all security policies are in place and effective in the networked environment.
Additional security implications arise when managing the storage network, as most network elements (e.g., switches and arrays) do provide out-of-band access for management purposes. Administrators must be very careful with management permissions, because changing network configurations and permissions could seriously impact the security of the data.
Users must also take into consideration issues surrounding geographic distribution of data, either for sharing or business continuance and data protection. Many companies need to share data for customer support or product design purposes, and recently the concept of connecting SANs via gateways is gaining momentum. Although certain security measures are built into the gateways, users need to be conscious of the fact that the transport network is out of their secure domain (if they are not using dedicated lines). New remote replication technologies, which use the public network, are becoming popular as they provide (comparatively) inexpensive methods of replicating data for business continuance and disaster recovery. Again, users must make sure the data is secure during the transmission phase.
Finally, there is one area of storage security that is an issue for everyone, regardless of the storage infrastructure: Most data at rest is not encrypted and is therefore vulnerable. You can back up data to tape for recovery purposes and even provide a secure place for it to be kept. However, if someone walks away with that tape and has the means to read the tape, he or she has that data.
There are backup solutions that offer encryption, but not all companies employ those features. This is due to issues such as performance degradation, application response impact, weak security, and the complexity added to backup, recovery, and management processes.
Data on hard drives is also at risk. Many users think that the data is secure because applications encrypt data when they talk to clients, and networks may encrypt data during transmission, but when it is stored on the back-end it's pretty much raw data (unless the company has a program to encrypt data at rest, as some government agencies do). It is easy for someone to remove a hard disk, and with the appropriate tools read the data on those drives. Users must be very conscious of the issue of data at rest, regardless of the storage infrastructure.
There are security methods in place today to protect storage, and certainly all of the "front-end" security for networks, servers, and data transmission are effective and required to make sure that no aspect of the environment is breached.
Fibre Channel SAN security
In the past few years, Fibre Channel SANs have mainly been implemented in data centers, and quite often storage resources on those SANs house mission-critical data. For that reason, security has always been a key focus area for Fibre Channel networking. Fibre Channel SANs use zoning and LUN masking techniques to provide secure access to the storage resources. However, these technologies do not provide media security or encryption of the data at rest.
Zoning—A Fibre Channel SAN fabric consists of multiple elements (disk arrays, switches, host bus adapters [HBAs], etc.) that enable the hosts to communicate over the Fibre Channel network. Zoning enables configuration of those elements into logical groups, ensuring that only members in those groups can communicate and access the specified storage resources.
There are two methods of zoning: hard zoning and soft zoning. Hard zoning, also referred to as port zoning, determines grouping by port level (i.e., only the host adapter attached to this port can talk to the array attached to this port). This is very effective but is inflexible if the network needs to be reconfigured.
Soft zoning is usually referred to as World Wide Name (WWN) zoning. Each element in a Fibre Channel fabric is identified by its WWN. WWN zoning uses the simple name server (SNS) in the switches to determine which WWN is allowed to communicate in a particular zone. This is a more flexible method of zoning, as zones don't have to be changed if the network is reconfigured. However, WWNs are subject to spoofing, so this is not as secure as port zoning.
LUN masking—Fibre Channel devices present their resources as logical unit numbers (LUNs). LUN masking essentially segments LUNs on a storage resource to specific servers. Masking is used when a number of servers are sharing the same storage resource (an array) but for one reason or another they should not have access to the same disks on that array. For example, say there is a 1TB array on the network, which is to be shared by Unix and NT servers. Because an NT server will assign a signature to any LUN it sees, it is important to mask the Unix LUNs off from the NT servers. With masking, the administrator can determine what LUNs (and thus what data) each server has access to.
Masking can be done from the host, HBA, switch, or storage array, depending on software support and how a user wants to manage masking procedures. HBA and controller-based masking use a combination of WWN and LUN information to ensure secure access (e.g., only this LUN on this array with this WWN name can be accessed).
Combining zoning and LUN masking does provide a level of security from the perspective of what node should have access to what resources. However, it's important to realize that there are no authentication or authorization processes involved here. Many switch vendors do enable additional levels of security, such as password control, Access Control Lists (ACLs), and Public Key Infrastructure (PKI)-based authentication. However, the level of security is on a vendor-by-vendor basis, and the methods are not always compatible if there are switches from multiple vendors in the same fabric.
iSCSI has yet to emerge as a significant storage networking technology for a number of reasons; however, the expectation is that iSCSI implementations will become more popular in the next few years.
The intent is for iSCSI to use the many aspects of IP network security, particularly IPSec. The IPSec standard defines multiple levels of security for transmitting data over the IP network. The key standards in IPSec that iSCSI will take advantage of are Authentication Headers (AH), which authenticate the original connection; Internet Key Exchange (IKE), which is an ongoing mutual authentication process for the duration of the connection; and the Encapsulating Security Protocol (ESP), which encrypts layer 4 and above data (the iSCSI protocol resides at layer 4). This level of protection is only for data in transmit; the encryption does not transfer to the data at rest.
In addition, iSCSI transmission over the IP network can take advantage of all other network security measures such as VPNs and firewalls. Still, this is critical information as iSCSI packets contain the actual block location of data, so extra security measures should be considered.
There are two significant differences between NAS solutions and general-purpose servers used as file servers. First, NAS devices are optimized file servers; they provide much greater performance and can store a lot more data without incurring any bottlenecks. Second, NAS enables heterogeneous file sharing, so that Unix and Windows (and other operating systems) can share the same data. So although implementing NAS doesn't change the network infrastructure at all, the large data share and various access controls present greater possibility of the data being at risk.
NAS solutions come with default settings, enabling all users access to everything. Administrators should immediately set up permissions, ACLs, and administration rights. One key thing administrators must pay attention to is that the security features on the NAS servers may be dictated by the operating system on that NAS device. For instance, if a NAS solution uses Windows-based software, which is a version of NT, then the security will be similar to that of an NT server. These NAS devices allow Unix servers to access the data; however, the administrator may also need to use native Unix commands to set up security for Unix files. On the other hand, some NAS solutions support both NFS and CIFS file permission natively, so it is important to be aware of what the NAS solutions will provide versus what needs to be done on each server.
Storage security solutions
Obviously, storage networking technologies take security into account, providing multiple means of securing data. However, these methods can be improved, and there are a number of standards organizations and industry associations focused on enhancing storage security.
Recently, a number of start-up companies have begun shipping storage security appliances. These solutions analyze data traffic, encrypt the data, and forward that encrypted data onto the storage resource, so that the data at rest is encrypted. The encryption capabilities reside on a dedicated appliance, so that encryption doesn't require valuable CPU cycles associated with software-based encryption techniques.
Appliances also offer the ability to centrally manage and enforce privacy policies. These appliances can be used to protect data on primary and secondary storage resources; the location of the appliance in the infrastructure is determined by the user's business requirements. Certain data will be deemed more important to the business and therefore warrant the use of encryption techniques. Some solutions have the ability to determine encryption requirements based on policies set up by the administrator, ensuring that critical information has better levels of encryption than non-critical data.
These solutions address many of the security holes in storage networking, and there is no need to wait for standards bodies to approve the security methods these appliances provide. Performance, latency, transparency, and integration into current storage processes will be the defining issues for adoption of these appliances.
Unfortunately, today we are more than aware of the effects of cyber-terrorism, hackers, and disgruntled employees on network and data security. Users cannot afford to allow breaches at any level of their enterprise. Certainly, as storage trends move us toward a more centralized environment, front-end security is no longer sufficient for protecting valuable data.
Security needs to be approached from a multi-tiered perspective, making sure the network, servers, and storage are protected from any type of intrusion or compromise. We suggest approaching storage security analysis from a business perspective—determine which data is absolutely critical to the ongoing operations of the business, and implement methods to best protect that data. There are multiple methods to ensure the data is secure, but all require a great deal of diligence and adherence to procedures and best practices. But no matter what, users should make sure they are effectively securing their storage resources.
Nancy Marrone is a senior analyst with The Enterprise Storage Group (www.enterprisestoragegroup.com) in Milford, MA.
NeoScale ships security appliances
By Dave Simpson
Hoping to capitalize on storage administrators' increased awareness of security issues, NeoScale Systems has begun shipments of encryption devices for primary disk storage (CryptoStor FC) and secondary tape storage (CryptoStor for Tape). CryptoStor FC provides encryption, while CryptoStor for Tape provides encryption, authentication, and data compression for tape libraries and virtual tape systems. NeoScale is primarily targeting the manufacturing, government, financial, and managed services sectors.
The company claims gigabit throughput with less than 100-microsecond port-to-port latency on the CryptoStor FC appliance, which features policy-based security and data-path transparency. The appliance can be deployed at the host, within the Fibre Channel fabric, in front of disk arrays, or behind storage gateways.
CryptoStor for Tape is compatible with leading backup software applications and encrypts data to be stored on tape cartridges.
Fibre Channel or SCSI interfaces are available.
Features that are common to both platforms include compliance with FIPS 140-2 (Federal Information Protection Standards), encryption/compression based on technology from Hifn, stateful storage processing, smartcard authentication for role-based administration, key management (generation, protection, escrow, and recovery), and clustered operation.
Unlike software-only approaches to encryption, the appliances do not consume host CPU cycles.
Pricing for CryptoStor FC and for the CryptoStor for Tape appliance starts at $35,000 and $15,000, respectively. For more information, go to www.neoscale.com.