Strategic Storage: Storage security -- Change old habits and stop data theft

The recent slew of high-profile stored data thefts has revealed the weak point in many enterprise networks -- storage security.

"Security for storage has been ignored by storage administrators and everyone else in charge of IT security," says Jim Damoulakis, chief technology officer of GlassHouse Technologies Inc. in Framingham, Mass.

Related articles EMC sketches out security strategy   The new vendor conundrum   Compress, then encrypt tapes   Securing the tape custody chain

Historically, added security for storage was deemed unnecessary because storage was done on relatively isolated standalone devices, according to Dennis Martin, senior analyst for storage management software and security at Greenwood Village, Colo.-based Evaluator Group. Since the physical connections of those devices to the hosts were hidden, they were difficult to find within a network. If outsiders couldn't get to the host, they couldn't get to the storage device or to the stored data.

With the advent of new storage technologies, storage is no longer so hidden. Fibre channel and iSCSI SANs are accessed and managed over IP connections, with all the risks to which IP exposes networks.

"Islands of SANs within an environment have been considered low-risk areas," Damoulakis says. "However, the SAN infrastructure connects to hosts and hosts are on the network. To do very serious damage would simply require working through a compromised host and getting access to this largely unsecured storage network."

Standard corporate network security practices -- such as password management, enforcing access controls, enabling audit trails, securing management interface points -- should all be applied to storage, the experts agree.

"Security for backup has also been very lax," says Jon Oltsik, senior information security and storage analyst at Enterprise Strategy Group in Milford, Mass. For example, Bank of America's backup tapes were stolen by baggage handlers while being shipped to another location on a commercial plane.

The fact that Bank of America's stolen data was unencrypted points to another classic oversight. "Typically, companies only do encryption on information in motion across the network from point A to point B," Damoulakis says.

Oltsik explains that encryption of stored data has been a duty shirked for two reasons: Encryption slowed networks down to a crawl, and management of algorithms and keys is difficult.

The issue of bogging down performance is old news as far as Oltsik is concerned. "Encryption is a very processor-intensive activity, but it no longer slows backup because the processors are 10 times as fast as they once were," Oltsik says.

According to Vijay Ahuja, president of Raleigh, N.C.-based Cipher Solutions, managing encryption is not the easiest task but is doable with simple best practices. The management of encryption keys should be carefully considered, with the security risks inherent in changes in personnel and company management taken into account. Ahuja counsels companies to review and test their encryption keys and algorithms on a regular basis.

Securing data may be a hassle, but it's a job that can't be ignored anymore. The experts recommend that tech professionals start by taking a holistic approach to IT infrastructure in which security and storage teams work together to examine and secure the infrastructure as a whole.

Every best practice in security that's in place for the network should be implemented for storage. Here's the experts' list of some important best practices:
@12788

• Audit and do a risk assessment on the storage infrastructure, looking for risks and vulnerabilities.
  
• Implement authentication across the storage network. Ahuja advocates using the Diffie-Hellman Challenge Handshake Authentication Protocol. "The beauty is that most Fortune 500 companies already have this protocol in their networks," Ahuja says.
  
• Implement strong role-based access controls. Assign access rights to parties on a need-to-know basis.
  
• Demand strong security from storage system vendors and offsite storage providers.
  
• Adopt and enforce data encryption policies. Best practices include classifying data, and applying encryption to private and confidential data through the lifecycle of the data. "You don't have to encrypt all data," Oltsik says, but sensitive data should be encrypted in flight and at rest.
  
• Don't forget to secure your SAN at the switch or fabric level, Martin says. Carving up your fabric by zones is one technique that limits access to various parts of the SAN.
  
• Create a policy for discarding old devices and media, and routinely do such tasks as scrubbing and destroying hard disks, Martin says.
  
• Isolate your storage management network from your corporate IT network. "The storage management network has to be secure since that network is connected to all of your devices," Ahuja says. "If you don't isolate the networks, every employee has access to your storage."
  
• Treat backup as an "orange alert" process. Adopt secure media management tracking and handling policies. "Backup literally touches everything, every bit of corporate financial information, employee data and intellectual property," Damoulakis says.