Follow these guidelines and you’ll be on your way to secure resources, data, and media.
By LeRoy Budnik and Eric Hibbard
If storage security is not on your agenda today, it should be. Today’s threats run the gamut from affecting system availability to impacting personal privacy. Attackers are active and the SEC and other regulatory agencies are watching closely to ensure companies are following the appropriate steps to secure information assets.
Also, compounding the financial risk is the potential impact from laws, acts, and guidelines as well as negative media coverage and brand damage that may result from a public disclosure of an incident or a trial related to a security breach. In some cases, damage or loss associated with a security breach may even lead to jail time.
With such a high level of financial and business risk associated with security incidents, CIOs and administrators are seeking security solutions to protect their business.
One such area of growing importance to end users is the storage security layer. Storage security represents the convergence of storage, networking, and security technologies (see figure). Although it can be complex to implement, storage security can be an effective element of a defense-in-depth strategy, and in many cases it is the last line of defense.
In an effort to simplify some of the inherent complexities, the Storage Networking Industry Association (SNIA) has subdivided storage security into the following discrete elements:
- Storage system security: Securing embedded operating systems and applications as well as integration with IT and security infrastructure (e.g., external authentication services, centralized logging, firewalls, etc.);
- Storage resource management: Securely provisioning, monitoring, tuning, re-allocating, and controlling storage resources so that data can be stored and retrieved;
- Data in-flight: Protecting the confidentiality, integrity, and/or availability of data as it is transferred across the storage network, LAN, or WAN; and
- Data at-rest: Protecting the confidentiality, integrity, and/or availability of data residing on servers, storage arrays, NAS appliances, tape libraries, and other media.
As with security in general, the specific measures required are dependent on the nature of the risks to be managed. In its analyst report, "Storage Security Market: Emerging Opportunities, Unseen Threats," the IT research and consulting firm The 451 Group identified the following threats as the most significant:
- Theft of privileged access (e.g., root or administrator);
- Accidental changes to storage network and storage resources;
- Privileged access abuse (authorized users doing unauthorized things);
- Data tampering (external and internal);
- Application tampering (e.g., “malware,” incorrect patch management, etc.);
- Theft of storage hardware (e.g., disk drives); and
- Theft of physical media (e.g., tape).
Building on these seven storage security concerns, compliance with data protection, privacy, and retention regulations has placed an increased emphasis on the following:
- Data privacy;
- Data protection (out-of-area disaster recovery, retention, WORM, archive);
- Monitoring and reporting (logging and access controls); and
- Controlled destruction (atomic and cryptographic).
With this understanding of the common security concerns, the SNIA has created a set of Best Current Practices (BCP).
To help organizations address these issues, the SNIA storage security activities (SNIA Security Technical Work Group and the SNIA Storage Security Industry Forum, or SSIF) have developed the following storage security BCPs:
Understand the exposures
Gain a strong knowledge of the security exposures from both the technical and business process sides. On the technical side, IT can perform penetration scans against attached elements, sniff traffic between key interfaces to identify problems, and run tests against business practices, etc. On the business process side, IT must ensure that there are proper security policies in place. There is a lot of data to support, and many corporate security policies have evolved to become contracts between the organization and the employees as well as auditors.
Secure the storage management
As previously mentioned, the storage management interface is the most vulnerable to a security breach. There are many ways to help secure the management interface, ranging from the often-overlooked basics, such as changing the manufacturer’s default passwords, to using separate passwords for each user on each device.
More-advanced means of securing the management interface range from role-based access processes and implementing logging and intrusion detection to disabling Telnet, HTTP interfaces, and RS-232 management ports.
Identify/assess storage interfaces
A fundamental best practice that is also frequently overlooked is taking an inventory of all storage interfaces: where they are, what they are, and what their management capabilities are.
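The management-interface practices and the interface inventory described above can be checked together. The following is an added example, not SNIA or vendor code; the inventory format, device names, field names, and `cred_ref` values are assumptions made for illustration.

```python
from collections import defaultdict

# Management interfaces the article says to disable.
INSECURE_SERVICES = {"telnet", "http", "rs232"}

# Constructed inventory; device names, fields and cred_ref values are hypothetical.
# cred_ref stands for an opaque password-vault entry ID, never the password itself.
INVENTORY = [
    {"device": "array-01", "services": ["ssh", "https"], "rbac": True, "logging": True,
     "accounts": [{"user": "alice", "default_pw": False, "cred_ref": "v-101"},
                  {"user": "bob", "default_pw": False, "cred_ref": "v-102"}]},
    {"device": "fc-switch-03", "services": ["telnet", "http", "ssh"], "rbac": False,
     "logging": False,
     "accounts": [{"user": "admin", "default_pw": True, "cred_ref": "v-200"}]},
    {"device": "tape-lib-02", "services": ["https", "rs232"], "rbac": True, "logging": True,
     "accounts": [{"user": "alice", "default_pw": False, "cred_ref": "v-101"}]},
]

def audit(inventory):
    """Return a sorted list of (device, finding) tuples."""
    findings = []
    cred_use = defaultdict(set)  # cred_ref -> {(device, user)}
    for dev in inventory:
        name = dev["device"]
        for svc in sorted(INSECURE_SERVICES & set(dev["services"])):
            findings.append((name, f"disable {svc} management interface"))
        if not dev["rbac"]:
            findings.append((name, "no role-based access control"))
        if not dev["logging"]:
            findings.append((name, "management events are not logged"))
        for acct in dev["accounts"]:
            if acct["default_pw"]:
                findings.append((name, f"{acct['user']}: manufacturer default password"))
            cred_use[acct["cred_ref"]].add((name, acct["user"]))
    # The article asks for a separate password per user per device.
    for ref, users in cred_use.items():
        if len(users) > 1:
            findings += [(d, f"{u}: password {ref} reused elsewhere") for d, u in users]
    return sorted(findings)

if __name__ == "__main__":
    for device, finding in audit(INVENTORY):
        print(f"{device}: {finding}")
```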
Create risk domains
The first task when developing risk domains is to understand the nature of content and its importance to the business. The domain is a boundary, a fence placed around your security efforts.
Monitor and control physical access
These best practices range from technological to process oriented and include restricting physical access to the data center as well as isolating the core data center from edge switches. Many times the technology side of access is addressed, but racks, cabinets, arrays, and libraries are left open with few physical security measures taken.
Avoid failures due to common mistakes
Some very basic errors often lead to significant security risks. For example, only install software/firmware from authorized sources, maintain a Definitive Software Library (DSL) both locally and at the disaster-recovery site, perform the proper maintenance on hardware and software, and disable automatic update options.
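One way to enforce "authorized sources only" is to check each image against the DSL before installation and to confirm that the local and disaster-recovery copies agree. This is an added example, not part of the original article; representing each DSL as a name-to-SHA-256 manifest is an assumption, and the file names and image contents are constructed.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def dsl_drift(local_dsl, dr_dsl):
    """Names whose digest differs, or that exist at only one site."""
    return sorted(n for n in local_dsl.keys() | dr_dsl.keys()
                  if local_dsl.get(n) != dr_dsl.get(n))

def check_image(name, data, local_dsl, dr_dsl):
    """Return (ok, reason) for one software/firmware image before install."""
    local, dr = local_dsl.get(name), dr_dsl.get(name)
    if local is None:
        return False, "not in local DSL"
    if dr is None:
        return False, "missing from disaster-recovery DSL"
    if not hmac.compare_digest(local, dr):
        return False, "local and disaster-recovery DSL disagree"
    if not hmac.compare_digest(sha256_hex(data), local):
        return False, "image does not match DSL digest"
    return True, "authorized"

# Constructed sample data; file names and image contents are hypothetical.
ARRAY_FW = b"constructed array firmware 1.0"
SWITCH_OS = b"constructed switch OS 2.1"
LOCAL_DSL = {"array-fw-1.0.bin": sha256_hex(ARRAY_FW),
             "switch-os-2.1.bin": sha256_hex(SWITCH_OS)}
# The disaster-recovery manifest holds a stale switch image in this sample.
DR_DSL = {"array-fw-1.0.bin": sha256_hex(ARRAY_FW),
          "switch-os-2.1.bin": sha256_hex(b"stale DR copy")}

if __name__ == "__main__":
    print("drift between sites:", dsl_drift(LOCAL_DSL, DR_DSL))
    for name, image in [("array-fw-1.0.bin", ARRAY_FW),
                        ("array-fw-1.0.bin", ARRAY_FW + b" modified"),
                        ("switch-os-2.1.bin", SWITCH_OS),
                        ("vendor-tool.bin", b"downloaded elsewhere")]:
        print(name, check_image(name, image, LOCAL_DSL, DR_DSL))
```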
Address data security compliance
Take the time to consider and understand the impact compliance has on your business and IT operation.
There are many storage solutions available to help address compliance challenges, which include tools for authentication, authorization, and access control measures or management and event logging, data retention, integrity, and confidentiality measures.
External data requires extra protection
Don’t forget about off-site resources and your off-site business and storage processes. This may include encrypting off-site backup tapes, storing encryption keys separately, and encrypting data in-flight if it is to be sent electronically to remote data centers.
Finally, enterprises should consider and plan for both significant and limited disruption events that could impact operations. This includes the development of business continuity plans as well as an active testing process to ensure the plans work in the event of a crisis or security breach.
Ultimately, the more tightly security policies, procedures, and technologies are aligned with your business plans, the better prepared your organization will be to prevent breaches. The SNIA’s security activities are focused on helping to provide users with best practices and frameworks for the establishment of information security capabilities within their storage infrastructures.
For more information, visit the SNIA at www.snia.org/security.
LeRoy Budnik is chair of the SNIA SSIF, and Eric Hibbard is chair of the SNIA Security Technical Work Group.