Changes, including new architectures and regulations, can increase your security vulnerability.
By the SNIA Storage Security Industry Forum
Data storage and networking technologies are changing. Some of those changes could increase your risks of data loss, damage, or unauthorized disclosure of sensitive data.
How do you assess and manage those risks? Are you expanding data storage facilities and adding new products from new vendors? Are you linking storage area network (SAN) islands for data sharing or resource consolidation? Are you evaluating new technologies such as storage virtualization, global file systems, intelligent fabric switches, and iSCSI connections? Any of these changes could expose your business to serious security threats, recovery costs, and legal risks.
At the same time, new laws and regulations require stronger protection of stored information about customers, clients, and patients.
For example, if you are in the healthcare industry, you need to comply with new regulations protecting the privacy of patient records. Meanwhile, new technologies are enabling wider sharing of diagnostic images and patient data, stored in digital form and accessed remotely for faster medical care decisions and more-efficient clinical workflow. Under these changing conditions, one key objective is to ensure confidentiality of patient data. Your storage security audit must help ensure appropriate protection of data when it is stored, accessed, and shared within the organization and its network.
The integrity of the data—preventing damage, alteration, or loss of medical records and business data—is another key objective. And availability of the networked storage infrastructure is also important to the quality of patient care and to business survival.
In another industry, such as investment banking, security goals might include the integrity of employee e-mail archives, as well as the confidentiality of customers' financial transaction records.
Benefits and risks
Technology and configuration changes bring important benefits, but, like most changes, they can also bring unexpected risks. A storage security audit is a vital tool for managing change and reducing risk.
Storage security is a new topic, combining aspects of separate technology and management domains. For example, if you have a data storage background, you may need to learn about network management and security practices. If you are a corporate security officer or network administrator, you may need to learn about certain aspects of storage networks.
This article provides a high-level map that will help you navigate the terrain. But you should prepare by updating your knowledge base, reading about best practices, and collecting useful checklists and tools. For a growing list of resources focused specifically on storage security, visit the Storage Networking Industry Association (SNIA) Storage Security Industry Forum Website at www.snia.org/ssif.
General security-oriented Websites provide useful tools and approaches and are also adding information specific to storage security concerns. For example, see Carnegie Mellon's CERT Website at www.cert.org, the SANS Institute at www.sans.org, and the Security Forum at www.securityforum.org.
Build on what you have
A security audit is a tool for managing change and reducing risk. If your organization already has a security audit procedure and associated policies and role definitions, you might choose to expand existing procedures to encompass the storage infrastructure. Or you might start by developing a storage security assessment and audit procedure as a separate initiative and then integrate it with other security practices once the major elements of storage security have been defined appropriately for your organization.
Some aspects of a storage security audit will seem familiar and obvious. For example, if your storage management applications were installed with default passwords, you should replace them with secure passwords. This sounds obvious, but such simple measures are often overlooked when new technologies are introduced. A good storage security audit will help you spot those opportunities for immediate improvement, as well as the areas that may require sustained effort.
But storage security is not just about applying well-established IT security practices to a new area of technology. You must also address security aspects that are unique to the storage infrastructure—the media, devices, networks, and management applications.
However, before you dive into a detailed audit, the first step is to assess the current situation and set your security goals and priorities.
Set goals and priorities
Computer and network security experts typically identify three main objectives of IT security practices:
- Confidentiality—Maintain data privacy, and minimize the risk of unauthorized access or disclosure, internally or externally;
- Integrity—Prevent unauthorized alteration or loss of data; and
- Availability—Minimize downtime and recovery delays.
The focus of your storage security audit and the amount of effort you apply to the task should reflect the importance of these objectives to your business survival and success.
Different classes of data may have different security requirements. In the healthcare industry, for example, security measures such as data encryption may be appropriate and even required for patient records, may be less appropriate for other business records, and may be unnecessary for reference documents and routine communications.
The relative importance of the storage security goals may also differ by functional department. One key goal-setting step is to work with the managers who own the business functions and the data to determine appropriate objectives, data classifications, and policies.
Another key step is to obtain top-management buy-in and support for the storage security process—from initial assessment to regular audit.
If this is your organization's first storage security audit, begin with an initial assessment. This is a larger task than the routine audit and requires a broad look at the business data and processes and the underlying technology elements. You want to identify potential security threats, vulnerabilities, and risks and establish appropriate policies, procedures, and countermeasures—which can then be verified and enhanced with periodic audits.
To conduct an initial assessment, you can build on security resources and tools that exist within your organization or leverage procedures and checklists provided by industry organizations, publications, and consultants.
The storage security community provides a number of useful references and resources. For example, SNIA offers a technical tutorial on Storage Network Security. The chapter on "Storage System Risk Assessment" outlines a 10-step process for identifying security threats and risks, as well as appropriate countermeasures.
For a useful checklist of storage-specific security items to consider, see the Risk Assessment Tool provided by SNIA at the SSIF Website, www.snia.org/ssif.
Once you have identified potential security threats, vulnerabilities, and risks—and established appropriate policies, procedures, and countermeasures—you can conduct periodic audits to ensure compliance and to manage ongoing changes.
The storage security audit
The storage security audit is a vital tool for managing change, reducing risk, and ensuring compliance. A periodic audit process will help identify any new situations or changes that need to be addressed.
In its simplest form, a storage security audit relies on a checklist that structures and documents the inspection of actual hardware and software configurations, operational logs, and records to verify compliance with established policies and procedures. The auditor documents any items or areas that require correction and then develops an action plan and follows up to verify completion of corrective actions.
When developing your storage security audit checklist, consider adding appropriate items from the storage security audit checklist (see the sidebar below).
The checklist illustrates some issues that a storage security audit might address. Work with your colleagues from different functional areas to create a document that reflects their input and agreement.
If you customize it for your company's situation and get buy-in from key leaders and participants, you will increase the likelihood that the audit methodology will be successfully adopted—and effectively employed.
If your server and storage network configurations are very complex, or if you must ensure compliance with industry-specific laws and regulations, you may also want to bring in an IT security firm with experience in storage security.
An alternative way to leverage outside expertise is to outsource the design or even the operation of critical applications and storage environments, relying on a tested and proven solution that has been specifically designed to meet industry requirements. In the healthcare industry, for example, many organizations have adopted Picture Archive and Communication Systems (PACS) for medical images such as x-rays and MRI or diagnostic ultrasound scans. These specialized systems are designed and tested to meet evolving industry requirements.
But, even when the implementation is based on turnkey solutions, each organization must ensure that its own staff's interactions with the system are properly authorized and that any required changes and upgrades are correctly implemented and managed.
A storage security audit is not a one-time event, or even a static checklist. Things change, and changes can create new risk exposures. So plan and schedule future audits and follow-ups.
Part of the audit process is to look for changes in the organization, the business goals and environment, or the available technologies inside and outside the data center.
Make sure to identify any new vulnerabilities and threats, assess their importance, and install appropriate countermeasures, controls, procedures, and training. And remember to add those new requirements to the audit checklist.
If you have questions about storage security, post them on the SSIF Website, or e-mail them to firstname.lastname@example.org.
Storage security audit checklist
This list illustrates some issues that an audit might address. These examples can be used as a starting point for discussion when developing a document that reflects the technical environment and business objectives of a specific organization.
- Verify that storage security is covered by appropriate written policies and procedures.
- Confirm that storage security goals are clearly stated and up to date, including provisions for IP/NAS security if appropriate.
- Verify that data classes are clearly and appropriately defined and consistent with current business needs and requirements (e.g., public, sensitive, private, confidential).
- Conduct an awareness program for key employees to keep them up to date with potential threats and approved countermeasures.
Access Control, User Authentication, And Management
- Confirm that data centers, servers, storage, and networks are physically secure. Identify recent changes, and assess potential security impact.
- Verify compliance with specified controls and procedures.
- Change default passwords before equipment is connected to a production storage network.
- Ensure that passwords are required by policy and/or enforced by configuration.
- Use dedicated user IDs for storage network maintenance access.
- Use separate credentials and PKI authentication for infrastructure configuration functions and for management access to storage.
- Limit access to specific zones as appropriate.
- Consider adopting switch-based access controls for authorization and authentication.
- Use available LAN security tools (e.g., VLANs, IPsec, and perimeter security methods such as routers, firewalls, and intrusion detection).
- Assess security impact of new technologies, such as iSCSI or storage virtualization, aggregation, sharing, and management schemes.
Configuration and Change Control
- In Fibre Channel SANs, ensure zoning and LUN masking are appropriately defined and managed to meet business needs for sharing and separation.
- Use hard zones in preference to soft zones.
- Define zones containing the smallest possible number of components.
- Use different zone sets for different system loads, such as the off-hours backup time.
- Verify that needed updates are tested, authorized, and applied to switch firmware, host bus adapters, drivers, operating systems, etc.
- "Harden" key interfaces, such as switch management ports and applications.
- Create a separate infrastructure (network) for out-of-band management, and control terminal interfaces to the storage network.
- If connectivity is required to the corporate LAN, provide it via a firewall or a secure router.
- Provide a dedicated remote access facility if this type of access is required, and use all of the appropriate network security tools, such as VPNs.
- Verify that remote sites have installed appropriate security policies, controls, and audits.
- Implement HBA-to-port locking via access control lists (ACLs) or other methods.
- Use cryptographic methods for port authentication in Fibre Channel SANs (and initiators and targets in IP networks).
- Restrict production configurations to approved vendors and certified or tested configurations.
- Formally re-check security measures after a storage reconfiguration, or any other change that could introduce security exposures.
- Use data encryption if needed for selected data classes; consider whether sensitive data should be encrypted with different keys.
- Review legal and regulatory requirements for data privacy and protection, and recommend changes required for compliance.
- Implement "secure erase" for highly confidential data, if needed.
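Several of the checklist items above (hard zones, small zones, sharing and separation, default passwords) can be verified mechanically against a configuration inventory. The following Python is an added example, not part of the original article or any SNIA tool; the JSON layout, field names, and device names are hypothetical and constructed for illustration, and it goes slightly beyond the checklist by comparing zone-derived access against an approved access list.

```python
import json
from itertools import product

# Constructed sample in a hypothetical vendor-neutral layout (not a real switch export).
# Models zoning visibility only; LUN masking would need its own inventory.
INVENTORY = json.loads("""
{
  "approved_access": [["db1", "array1"], ["app1", "array1"], ["bkp1", "tape1"]],
  "zones": [
    {"name": "z_db1", "enforcement": "hard",
     "initiators": ["db1"], "targets": ["array1"]},
    {"name": "z_legacy", "enforcement": "soft",
     "initiators": ["app1", "app2"], "targets": ["array1"]},
    {"name": "z_backup", "enforcement": "hard",
     "initiators": ["bkp1"], "targets": ["tape1"]}
  ],
  "devices": [
    {"name": "switch-1", "default_password_changed": true},
    {"name": "switch-2", "default_password_changed": false}
  ]
}
""")

def audit(inv, max_members=2):
    """Return sorted (checklist_area, subject, finding) tuples for the action plan."""
    findings = []
    approved = {tuple(pair) for pair in inv["approved_access"]}
    visible = set()
    for z in inv["zones"]:
        size = len(z["initiators"]) + len(z["targets"])
        if z["enforcement"] != "hard":
            findings.append(("zoning", z["name"], "soft zone in use"))
        if size > max_members:
            findings.append(("zoning", z["name"], f"{size} members, limit {max_members}"))
        # Every initiator in a zone can reach every target in that zone.
        visible.update(product(z["initiators"], z["targets"]))
    for host, target in visible - approved:
        findings.append(("separation", f"{host}->{target}", "access not approved"))
    for host, target in approved - visible:
        findings.append(("sharing", f"{host}->{target}", "approved access not zoned"))
    for dev in inv["devices"]:
        if not dev.get("default_password_changed", False):
            findings.append(("passwords", dev["name"], "default password not changed"))
    return sorted(findings)

if __name__ == "__main__":
    for area, subject, finding in audit(INVENTORY):
        print(f"[{area}] {subject}: {finding}")
```

Each finding maps to one corrective action, so the output can be carried straight into the audit's action plan and re-run after a reconfiguration to confirm the fix.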