Defence in depth

Putting storage on the network has brought many benefits but it has also widened the security threat. Protecting the perimeter is no longer sufficient

One of the shifts in IT departments over the past five years has been the increasing use of networked data storage systems. The emergence of a networked storage architecture has delivered many benefits but has also brought a security threat that must be managed.

Traditionally, storage systems have been considered secure because deployments have been limited to part of a single datacentre in a physically isolated environment. However, the advent of networked storage means storage security should now move onto the chief information officer's list of priorities.

It is not uncommon to find a San that spans outside a datacentre. San extension technologies such as dense wavelength division multiplexing and Fibre Channel over IP can connect devices across multiple locations.

As the number of devices connected to a San increases and distributed Sans become commonplace, there is an increasing risk in depending on security through isolation. As with data networks, security should also be a consideration when deploying a San.

San security should be considered from three viewpoints: securing the San from external threats (hackers); internal threats (unauthorised staff and compromised devices); and unintentional threats from authorised users (mis-configurations, errors).

The standard approach of granting the minimum amount of privileges needed to perform a task holds true when working with a San. You can lock down operator privileges on a switch using role-based authentication. Less common, however, is taking steps to minimise the probability of a disruptive fabric reconfiguration caused by mis-configuration.

Many of these measures blur the boundaries between San security, best-practice San design and high-availability San design. Correctly configured secure switches can help prevent disruptions.

Securing data in the broader sense falls into two further focus areas - data in transit (storage networking security) and data at rest (storage data security).

Many features to enable security in these areas, including encryption of data in transit on Fibre Channel and IP networks and encryption of data on storage media, are being delivered by storage technology suppliers and should be included in any security policy.

Threats can prevent users from accessing mission-critical applications, directly disrupt application operation or compromise valuable information. It is essential that network managers understand the vulnerabilities and threats to datacentre resources, so that they can develop a robust security policy and deliver this in an adopted architecture.

Aligning this security policy to business goals will help to define "security zones" - areas of the datacentre separated to minimise the impact of an attack. Following this up with a security posture assessment will allow the business to set appropriate risk levels for each zone based on importance and cost.

At the heart of the process should be a strategy of "defence in depth" - not just securing the perimeter or deploying some access controls internally, but placing security throughout the network to defend the San - so there are layers of security before a malicious program or hacker can reach the crown jewels.

Complementing this strategy with an automatic alert and defence system means an attack can be isolated and contained. It is essential to monitor the efficiency of the deployed solution by reviewing the policy and applying changes where necessary.

Security should not be seen as an add-on - it is a continuous process which should be integrated with datacentre operations. With a highly resilient, efficient, and adaptive datacentre network, CIOs can spend less time worrying about data security and more time realigning resources by addressing competitive pressures, extending market reach and speeding time-to-market of new services.

Ian Bond is a consulting engineer at Cisco Systems

Tom Nosella, director of engineering, internet systems at Cisco, will be presenting "A Holistic Look at San Security" at Storage Expo at London's Olympia on 13 October

This article is part of Computer Weekly's Special Report on storage produced in association with Cisco Systems