
Putting storage on the network has brought many benefits, but it
has also widened the security threat. Protecting the perimeter is
no longer sufficient.
One of the shifts in IT departments over the past five years has
been the increasing use of networked data storage systems. The
emergence of a networked storage architecture has delivered many
benefits but has also brought a security threat that must be
managed.
Traditionally, storage systems have been considered secure because
deployments have been limited to part of a single datacentre in a
physically isolated environment. However, the advent of networked
storage means storage security should now move onto the chief
information officer's list of priorities.
It is not uncommon to find a San that spans outside a datacentre.
San extension technologies such as dense wavelength division
multiplexing and Fibre Channel over IP can connect devices across
multiple locations.
As the number of devices connected to a San increases and
distributed Sans become commonplace, there is an increasing risk in
depending on security through isolation. As with data networks,
security should also be a consideration when deploying a San.
San security should be considered from three viewpoints: securing
the San from external threats (hackers); internal threats
(unauthorised staff and compromised devices); and unintentional
threats from authorised users (mis-configurations and errors).
The standard approach of granting the minimum privileges needed to
perform a task holds true when working with a San. You can lock
down operator privileges on a switch using role-based access
controls. Less common, however, is taking deliberate steps to
minimise the probability of a disruptive fabric reconfiguration
caused by mis-configuration.
Many of these measures blur the boundaries between San security,
best-practice San design and high-availability San design.
Correctly configured secure switches can help prevent such
disruptions.
Securing data in the broader sense falls into two further focus
areas - data in transit (storage networking security) and data at
rest (storage data security).
Many features to enable security in these areas, including
encryption of data in transit on Fibre Channel and IP networks and
encryption of data on storage media, are being delivered by storage
technology suppliers and should be included in any security
policy.
Threats can prevent users from accessing mission-critical
applications, directly disrupt application operation or compromise
valuable information. It is essential that network managers
understand the vulnerabilities and threats to datacentre resources,
so that they can develop a robust security policy and implement it
in the architecture they adopt.
Aligning this security policy to business goals will help to define
"security zones" - areas of the datacentre separated to minimise
the impact of an attack. Following this up with a security posture
assessment will allow the business to set appropriate risk levels
for each zone based on importance and cost.
At the heart of the process should be a strategy of "defence in
depth" - not just securing the perimeter or deploying some access
controls internally, but placing security throughout the network to
defend the San - so there are layers of security before a malicious
program or hacker can reach the crown jewels.
Complementing this strategy with an automatic alert and defence
system means an attack can be isolated and contained. It is
essential to monitor the effectiveness of the deployed solution by
reviewing the policy regularly and applying changes where necessary.
Security should not be seen as an add-on - it is a continuous
process which should be integrated with datacentre operations. With
a highly resilient, efficient, and adaptive datacentre network,
CIOs can spend less time worrying about data security and more time
realigning resources by addressing competitive pressures, extending
market reach and speeding time-to-market of new services.
Ian Bond is a consulting engineer at Cisco Systems
Tom Nosella, director of engineering, internet systems at
Cisco, will be presenting "A Holistic Look at San Security" at
Storage Expo at London's Olympia on 13 October
www.storage-expo.com
This article is part of Computer Weekly's Special Report on
storage produced in association with Cisco Systems