
Features - Enterprise Data Insights:
STORAGE SECURITY -- WHAT, HOW, WHY (PART 2)
By Scott Gordon, VP of Marketing, NeoScale Systems Inc
In the first half of this two-part article covering the broad topic of storage
security, we covered drivers, applications and risk reduction methods, as well
as threats within networked and distributed storage. Let's continue down the
path of securing storage resources and business-critical information by
examining available security capabilities and practices, industry progress,
data encryption advances and general storage security best practices.
Threats And Defenses (continued)
Management security at the storage application and device level is by nature
critical. This is especially important given the availability, centralization
and management capacities offered by NAS, SAN, directory, routing and backup
services. Additionally, most storage applications and devices can be managed
remotely, opening up once-closed environments. Should the switch, management
server or management application be breached, the attack could result in
material compromise of the storage network and pose a serious threat of data
corruption. Therefore, most storage systems implement secure access controls,
authentication and communication mechanisms to reduce the threat of application
or device hijacking or administration error. Even with these security
provisions, a misconfigured storage device, a newly initialized device, or a
device with unchanged default settings and passwords could still lead to
service interruption and data loss or corruption.
Storage vendors have completed, or are in the process of implementing, such
security capabilities as remote login over SSH or web administration over SSL
for secure connections, two-factor authenticated access, role-based
administrative privileges, granular monitoring and alerting, PKI, strong
password protection and auditing capabilities. More recently, the industry has
made advances in SAN entity authentication and in the use of encryption as a
means of protecting the storage infrastructure and stored data. The IETF has
proposed that IPsec protocols be implemented in FC-IP to enable fabric
tunneling. The FC SAN community, through the T11 technical committee, has
specified ESP (Encapsulating Security Payload) to secure transmissions between
SAN devices. It provides message authentication and optional encryption, using
keys/passwords to determine how devices will be allowed to attach and
communicate in the fabric.
This will require switches, hosts and devices to manage keys and session key
lifetimes. For entity authentication, T11's FC-SP committee recently settled on
DH-CHAP (Diffie-Hellman Challenge Handshake Authentication Protocol). DH-CHAP
employs a shared-password scheme with administration offloaded to a
centralized RADIUS-type service. In addition, vendors can also incorporate
their own digital-certificate-based authentication schemes. Given the location
and role of intelligent switches in network storage, it makes sense to enforce
authentication at the switch. Vendors are making progress towards adding this
standard authentication capability, driven largely by the larger storage
switch manufacturers.
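To make the shape of such an exchange concrete, here is an added example in Go
(not code from the article, from NeoScale, or from the FC-SP standard) of a
CHAP-style challenge-response with a Diffie-Hellman contribution: the switch
issues a random challenge plus a DH public value, the host answers with its
own DH value and a MAC over the challenge and the DH shared value keyed by the
shared password, and the switch checks that MAC against the password it holds
(or fetched from a RADIUS-type store) for the host's identity. The HMAC-SHA256
proof construction, the 16-byte challenge, the toy 512-bit group generated at
run time, and the names Group, Challenge, Response, keyPair, validPub, proof,
NewChallenge, Respond, Verify and RunExchange are all assumptions of this
illustration; the real protocol uses standardized DH groups and its own
message layout and hash construction.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Group holds the Diffie-Hellman parameters. NewToyGroup generates a fresh
// 512-bit prime with generator 2 (toy parameters assumed for this example);
// FC-SP DH-CHAP uses fixed, standardized MODP groups instead.
type Group struct{ P, G *big.Int }

func NewToyGroup() (Group, error) {
	p, err := rand.Prime(rand.Reader, 512)
	return Group{P: p, G: big.NewInt(2)}, err
}

// Challenge is sent by the authenticator (the switch); Response comes back
// from the entity being authenticated (a host HBA).
type Challenge struct {
	Nonce []byte   // random challenge value
	Pub   *big.Int // authenticator's DH public value g^x mod p
}
type Response struct {
	Pub *big.Int // responder's DH public value g^y mod p
	Tag []byte   // HMAC-SHA256(secret, nonce || DH shared value)
}

// keyPair picks a private exponent in [2, p-2] and returns it with g^x mod p.
func keyPair(g Group) (*big.Int, *big.Int, error) {
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(g.P, big.NewInt(3)))
	if err != nil {
		return nil, nil, err
	}
	x.Add(x, big.NewInt(2))
	return x, new(big.Int).Exp(g.G, x, g.P), nil
}

// validPub rejects degenerate public values (<= 1 or >= p-1) that would force
// the shared value to a trivial constant.
func validPub(g Group, pub *big.Int) bool {
	return pub != nil && pub.Cmp(big.NewInt(1)) > 0 &&
		pub.Cmp(new(big.Int).Sub(g.P, big.NewInt(1))) < 0
}

// proof binds the password to this exchange: the nonce and the DH shared value
// both enter the MAC, so a captured response cannot be replayed later.
func proof(secret, nonce []byte, shared *big.Int) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	m.Write(shared.Bytes())
	return m.Sum(nil)
}

// NewChallenge builds the authenticator's first message; the returned private
// exponent must be kept to verify the response.
func NewChallenge(g Group) (Challenge, *big.Int, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, nil, err
	}
	x, pub, err := keyPair(g)
	return Challenge{Nonce: nonce, Pub: pub}, x, err
}

// Respond is the host side: contribute a DH value and prove knowledge of the
// shared password for this particular challenge.
func Respond(g Group, secret []byte, c Challenge) (Response, error) {
	y, pub, err := keyPair(g)
	if err != nil {
		return Response{}, err
	}
	shared := new(big.Int).Exp(c.Pub, y, g.P)
	return Response{Pub: pub, Tag: proof(secret, c.Nonce, shared)}, nil
}

// Verify is the authenticator's check, using the secret it holds (or fetched
// from a RADIUS-type service) for the responder's identity.
func Verify(g Group, secret []byte, x *big.Int, c Challenge, r Response) error {
	if !validPub(g, r.Pub) {
		return errors.New("invalid DH public value")
	}
	shared := new(big.Int).Exp(r.Pub, x, g.P)
	if !hmac.Equal(proof(secret, c.Nonce, shared), r.Tag) {
		return errors.New("authentication failed")
	}
	return nil
}

// RunExchange runs one authentication in group g: the switch holds
// switchSecret for the host, and the host presents hostSecret.
func RunExchange(g Group, switchSecret, hostSecret []byte) error {
	c, x, err := NewChallenge(g)
	if err != nil {
		return err
	}
	r, err := Respond(g, hostSecret, c)
	if err != nil {
		return err
	}
	return Verify(g, switchSecret, x, c, r)
}
```

The two properties worth noticing are in proof and validPub: the password
never crosses the fabric, only a MAC keyed by it does; the fresh challenge and
the ephemeral DH value are both covered by that MAC, so a recorded response is
useless against a later challenge; and public values of 0, 1 or p-1 are refused
before they can collapse the shared value to a constant. A RunExchange call
with mismatched secrets fails at the switch exactly as an unprovisioned HBA
would.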
iSCSI (Internet Small Computer System Interface) is a storage networking
protocol that enables SCSI commands to be sent over IP networks. Since iSCSI
can connect hosts to storage resources locally or over long distances using
existing data networks, it offers a new means to extend storage
infrastructures. Another promise of iSCSI is to leverage the internet for such
storage communications, which would require strong data network transport
security methods such as IPsec and virtual private networks. IPsec (which
incorporates ESP) has therefore also been proposed for iSCSI through the IETF.
Ultimately, these security services will be built into iSCSI devices/gateways
by leading storage vendors.
Advances In Data Privacy
Whereas the risks to data in flight are transient, the risks associated with
data at rest are more enduring. While link encryption protects data only while
it is in transit between two tunneling devices, encrypting stored data extends
protection all the way to the physical media. Encryption can prevent an
unauthorized user or system from accessing sensitive, trusted and regulated
information. Storage vendors are exploring means to provide data encryption and
advanced access control services to both primary and secondary storage without
adding high costs, impacting performance or increasing complexity.
Three factors driving additional encryption and access control services are
consolidation, remote data storage and data privacy compliance. Encryption can
be used to better segregate different communities of interest that have been
consolidated on arrays or tape. Encryption can be used to alleviate access
risks with remote data storage, whereby data leaves the primary data center or
source to be consolidated. And as mentioned above, emerging compliance
regulations (e.g. HIPAA, SB-1386, Directive 2002/58/EC…) have access and
privacy requirements. Data privacy compliance generally has the following
parameters: only authorized users or systems can access and modify only the
information they are authorized to access and need to access; the privacy of
the information is maintained; the integrity of the information is maintained;
and auditable records are maintained that attest to said access, privacy and
integrity. The less clearly separated access to systems and storage resources
is, the more difficult compliance may be. Again, this is especially true for
storage in regard to complex storage networks, replication, consolidation,
offsite data transfer and vaulting, tape media management, and third-party
application services such as disaster recovery (DR).
Data storage encryption must take into account the media type, algorithm/key
strength, key manageability, reliability, performance and expense. Encryption
algorithms determine the encryption strength (the ability to withstand brute
force attack) and how fast the algorithm works. The application that
incorporates standard encryption and best practices determines the
implementation: how keys are qualified, implemented, exchanged, protected and
maintained. The two popular strong encryption algorithms are the Advanced
Encryption Standard (AES) and Triple Data Encryption Standard (3DES).
Additional security services can also include data integrity and
authentication, preventing tampering and repudiation.
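As an added example (not code from the article or from any vendor it
mentions), the following Go code shows what "encryption plus integrity and
authentication" of stored blocks looks like when AES is used in an
authenticated mode, here AES-256-GCM: each block is encrypted under a data
encryption key, carries an integrity tag, and is bound to the logical block
address it was written at. The BlockEncryptor type, the nonce || ciphertext ||
tag on-media layout and the use of the block address as authenticated data are
choices made for this illustration, not a description of any product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// BlockEncryptor protects fixed-size storage blocks with AES-256-GCM, which
// gives privacy (AES) together with integrity and authentication (the GCM tag).
type BlockEncryptor struct {
	aead cipher.AEAD
}

// NewBlockEncryptor takes a 32-byte data-encryption key. Where that key comes
// from (key hierarchy, protection, rotation) is the key-management problem
// the article describes and is outside this example.
func NewBlockEncryptor(key []byte) (*BlockEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &BlockEncryptor{aead: aead}, nil
}

// lbaAAD encodes the logical block address as additional authenticated data.
// Binding the address means a valid ciphertext block copied to a different
// address fails to authenticate instead of decrypting in the wrong place.
func lbaAAD(lba uint64) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint64(aad, lba)
	return aad
}

// Seal encrypts one block. Output layout: nonce || ciphertext || GCM tag.
// A fresh random 96-bit nonce is drawn per write and stored with the block,
// because GCM needs it back on read.
func (e *BlockEncryptor) Seal(lba uint64, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plaintext, lbaAAD(lba)), nil
}

// Open decrypts one block and verifies its tag. Any change to the ciphertext,
// the tag, or the address it is read from yields an error and no plaintext.
func (e *BlockEncryptor) Open(lba uint64, stored []byte) ([]byte, error) {
	ns := e.aead.NonceSize()
	if len(stored) < ns+e.aead.Overhead() {
		return nil, errors.New("stored block too short")
	}
	return e.aead.Open(nil, stored[:ns], stored[ns:], lbaAAD(lba))
}

// Overhead reports the extra bytes per block (nonce + tag) that a host filter
// or appliance must fit into its on-media format.
func (e *BlockEncryptor) Overhead() int {
	return e.aead.NonceSize() + e.aead.Overhead()
}
```

Three practical consequences follow from this design and match the article's
considerations. The 28 bytes of overhead per block (12-byte nonce plus 16-byte
tag) have to live somewhere on the media or in metadata, which is part of
what makes transparent block encryption non-trivial. Encrypted output is
incompressible, so any compression for tape has to happen before Seal, which
is why the article ties compression rates to encryption placement. And random
96-bit nonces should not be reused under one key across very large block
counts, so a real product scopes keys per volume or tape and rotates them,
again a key-management decision rather than an algorithm one.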
Access control and privacy capabilities vary significantly between storage
applications. It may be difficult, or not possible, to enforce a uniform data
protection policy within heterogeneous environments (in regard to both
platforms and storage applications). Some systems use different authentication
capabilities that may not support delegated and strongly authenticated
administrative access. Some systems that incorporate encryption technology may
use algorithms of low strength (attackable by brute force), unique algorithms
(variations from standards), and a variety of key management methods. Some
systems require additional products or services to achieve the desired level of
security, which will impact storage processes and procedures. It is important
to determine where and how added encryption and access controls are needed and
what vendor security capabilities and options are available.
Encryption can be implemented by the application, at the host or through a
storage security device, and at the file, record or block level. Encrypting
stored data at rest requires maintaining file metadata (e.g. routing and other
attributes) and compression rates for block data going to tape, so as to be
non-disruptive. Application or software-based encryption processes can provide
strong application data protection, encrypting file- or block-based data on
the host. Considerations for application or software-based encryption include
the impact on system and application response, as well as key management and
protection. Host-based encryption cards may offer a means to off-load
encryption and authentication processing.
The record-level data protection approach applies encryption to selected
portions of a database. This approach, which only covers database information,
offers a very granular means to protect sensitive data, but has considerations
similar to those of application-based encryption.
Dedicated appliances for storage security services, implemented as an inline
proxy or pass-through device for primary and secondary storage, provide an
alternative route for data protection and access control. By placing the
encryption and access control functionality and processing in a
built-for-purpose device, policies can be enforced, keys can be protected, and
management centralized while server or application storage processing remains
intact. Considerations for storage security appliances include reliability,
performance, scalability, interoperability, transparency and compression.
Summary And Action
Storage-centric threats can and do exist within SAN, NAS and DAS environments.
The issues driving storage security initiatives and adoption are: growth of
more complex, networked and distributed infrastructures; demand for greater
capacity and accessibility; server and storage consolidation; business
continuity and storage leaving the data center; and adherence to emerging
compliance guidelines. Existing storage security capabilities and practices,
emerging standards and advanced technologies can extend a layered defense model
to address primary and secondary storage protection. Stored data encryption,
access control, auditing and data integrity capabilities can be used to
mitigate or eliminate unauthorized access to sensitive, trusted or regulated
information. Since storage security is relative to the business application
and its supporting storage infrastructure, a risk mitigation methodology is a
sound way to strengthen storage availability, reliability and privacy.
What IT professionals can do right now:
- Assess, Plan and Document: Determine where and how to implement storage
  security practices and components based on risk analysis -- by business
  necessity, storage function, infrastructure threat and mitigation cost.
  Policies and procedures should then be documented, tested and updated.
- Secure System Access: Employ physical security (guards, locks, gates);
  perimeter defenses (firewall, IDS); system configuration scanning;
  authenticated system/application access. Lock down storage device
  configurations. Test, monitor and audit.
- Shield Physical and Logical Storage Connections: Tighten access to
  business-critical information with secure connections (SSL, TLS, dark fibre,
  IP tunneling) and authenticated access to storage devices. Configure,
  document and manage port zoning and LUN masking.
- Enforce Administrative Access: Classify data storage by application or
  information. Appropriately restrict administrative and user access to pooled
  storage resources. Enforce tiered administrative privileges to storage
  devices and applications.
- Safeguard Information with Secondary Storage and Business Continuity:
  Protect information and operations with tiered backup, replication and
  snapshot technologies, disaster recovery capabilities and outsourced
  resumption services.
- Data Storage Protection: The final layer of security is data encryption and
  authentication of storage in-flight (transport) and at-rest (disk and tape)
  -- enabling more secure storage consolidation, expansion and management.
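Two of the points in this article, the earlier warning about devices left with
unchanged default settings and passwords and the action item to lock down
storage device configurations and then test, monitor and audit them, can be
turned into a repeatable check. The following Go code is an added example, not
from the article or from any vendor it names: DeviceConfig is a constructed
model of a device's management settings, defaultPasswords is a placeholder
list standing in for a vendor's documented factory credentials, and Audit
compares a device against the baseline the article describes (no default
credentials, SSH/SSL-only management, role-based administration, audit logging
enabled). The device names in SampleFleet are likewise constructed.

```go
package main

import "strings"

// DeviceConfig is a constructed model of a storage device's management
// settings; real devices expose these through their own CLIs and interfaces.
type DeviceConfig struct {
	Name           string
	AdminPassword  string
	Telnet, SSH    bool // remote login paths enabled
	HTTP, HTTPS    bool // web management paths enabled
	RoleBasedAdmin bool // tiered administrative privileges in force
	AuditLog       bool // administrative actions are logged
}

// Finding is one deviation from the hardening baseline.
type Finding struct {
	Device, Setting, Problem string
}

// defaultPasswords is a placeholder list for this example; a real baseline
// carries the vendor's documented factory credentials.
var defaultPasswords = map[string]bool{"": true, "password": true, "admin": true}

// Audit compares one device against the baseline: no default or empty
// credentials, encrypted management paths only, role-based administration,
// and audit logging enabled.
func Audit(c DeviceConfig) []Finding {
	var out []Finding
	add := func(setting, problem string) {
		out = append(out, Finding{Device: c.Name, Setting: setting, Problem: problem})
	}
	if defaultPasswords[strings.ToLower(strings.TrimSpace(c.AdminPassword))] {
		add("admin-password", "factory default or empty password still set")
	}
	if c.Telnet {
		add("telnet", "cleartext remote login enabled; use SSH")
	}
	if c.HTTP {
		add("http", "cleartext web management enabled; use SSL/HTTPS")
	}
	if !c.SSH && !c.HTTPS {
		add("management", "no encrypted management path enabled")
	}
	if !c.RoleBasedAdmin {
		add("privileges", "administrative access is not role-based")
	}
	if !c.AuditLog {
		add("audit", "audit logging disabled")
	}
	return out
}

// AuditFleet runs the check over several devices and returns findings keyed
// by device name, omitting devices with none.
func AuditFleet(devices []DeviceConfig) map[string][]Finding {
	res := map[string][]Finding{}
	for _, d := range devices {
		if f := Audit(d); len(f) > 0 {
			res[d.Name] = f
		}
	}
	return res
}

// SampleFleet is a constructed pair of devices: one as unboxed, one hardened
// the way the checklist above recommends.
func SampleFleet() []DeviceConfig {
	return []DeviceConfig{
		{Name: "fc-switch-01", AdminPassword: "password", Telnet: true, HTTP: true},
		{Name: "nas-head-02", AdminPassword: "Vq7#long-unique-pass", SSH: true,
			HTTPS: true, RoleBasedAdmin: true, AuditLog: true},
	}
}
```

Run from a configuration-collection job, AuditFleet gives the "test" step of
"test, monitor and audit" a concrete pass/fail: a device with any finding
should not be admitted to the fabric or pool until the finding is cleared, and
the findings themselves are the audit record.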