SAN security: Are you prepared?

SNIA's Storage Security Industry Forum provides guidelines for ensuring storage network security.

By Brandon Hoff

Companies of all sizes have discovered the benefits of storage area networks (SANs). But with the introduction of new information technologies, the maturation of business processes, and the ever-increasing importance and quantity of business data, IT executives have new challenges. They must continue to increase storage capacity, implement fail-safe business continuity and disaster-recovery plans, improve the use of corporate resources, and support corporate compliance policies—all without increased budgets.

To complicate these tasks, government entities are changing the rules by driving compliance and security discussions to the executive level and even into the boardroom.

According to an article that appeared in the Harvard Business Review last year, nine out of 10 companies are affected by data security breaches annually, costing a staggering $17 billion in damages. And 70% of these financial losses can be attributed to insiders, according to a 2002 CSI/FBI survey—a fact that makes internal security a top priority for most enterprises.

In an Ernst & Young Global Information Security survey, 90% of companies report that risk mitigation is a primary corporate objective, yet only 34% report being compliant. For most corporations, there is a lot of work to be done.

What's more troubling for today's executives are the significant penalties and fines that can result from regulatory violations. This concern filters down to IT departments, which must report to upper management the risk that their networks face as well as give assurances that their enterprise complies with appropriate laws. With SANs, the tasks become even more challenging.

Networked storage can introduce security vulnerabilities. To counter these weaknesses, it is important to adopt storage-specific security policies and practices. To do this, data infrastructures must be evaluated from end to end and secured at every point of vulnerability.

Given these realities and the regulatory climate, how can you reduce the risk to your storage network, protect your company's data assets, and better align with the requirements of your operating environment?

The Storage Networking Industry Association's Storage Security Industry Forum (SSIF) has created documents detailing best practices for network managers and administrators to combat security shortfalls. The documents, which are available for download at www.snia.org/ssif, include The SSIF Risk Assessment Toolkit and Minimum Security Requirements for IP Port Device Security, among others.

The SSIF Risk Assessment Toolkit

There are several keys to evaluating your storage network. The logical place to start is with your technology road map: identifying your current and projected requirements, and planning and building a network to meet expectations. A current assessment is part of this process and helps you get a clear picture of the devices, connections, and software applications that currently make up your network. The SSIF Risk Assessment Toolkit can assist in starting the assessment process. The goal is to identify threats and gaps in the current storage security strategy, and to produce a road map to improve SAN security. Since any security strategy is 80% planning and 20% implementation, this is the most important step in the process.

Minimum Security Requirements for IP Port Device Security

This document addresses vulnerabilities associated with IP management ports on storage network devices.

Storage network devices can introduce specific IP-management security problems. For instance, network management may be made unavailable or compromised, leading to unauthorized data access or negatively impacting data availability. A few threats to consider are the following:

  • Hacking of the IP port can take the device down through a direct denial-of-service (DoS) attack;
  • Known IP port weaknesses can allow unauthorized persons to gain access through the management IP port;
  • Alternate and/or hidden IP services can provide a means around a secured IP configuration;
  • Hijacking of the IP port connection can cause DoS or other attacks;
  • Spoofing or redirection can allow attackers to collect data or management information; and
  • Injection of viruses or Trojan Horses through the IP port or hidden IP services can occur.

Preferred practices

A good security policy is an important tool for creating good security. Here are some key considerations in building one:

  • Identify all of the interfaces to your storage network;
  • Create a separate infrastructure for out-of-band management and control terminal interfaces to the storage network;
  • Maintain a formal set of company best practices for storage security;
  • Protect data "in flight" and "at rest";
  • Use dedicated user IDs for network maintenance access, and enforce the use of passwords either by policy or by configuration;
  • Use available LAN security tools (e.g., VLANs and IPSec);
  • Restrict access to infrastructure configuration functions. Control access to all unused ports in the storage network;
  • Always change default passwords before equipment is connected to a production storage network. Ensure that passwords are required by policy;
  • Monitor the storage environment; and
  • Keep in mind that port zoning has no cryptographic strength or attributes.

Organizations have a choice: They can either manage the risks or manage the consequences. With the possible penalties and consequences becoming more severe, the solution should be risk mitigation and reduction.

Brandon Hoff is the marketing chair for the SNIA's SSIF, and a security business manager at McData.

This article was originally published on June 01, 2004