• United States
by Robert Scheier

Security toss-up

Mar 24, 200310 mins
Data CenterEncryptionNetwork Security

Securing storage today means using security-imbued management tools or relying on yet unproven storage encryption appliances.

Securing storage today means using security-imbued management tools or relying on yet unproven storage encryption appliances

Network executives face the same challenges securing storage networks as they do enterprise data infrastructures – keeping corporate information safe without slowing application performance or adding management complexity. The problem is, the range of security options isn’t nearly as wide for storage as it is for corporate networks.

Storage networks link disk arrays to allow multiple applications (or servers) to access data, and more easily share unused storage than when disk drives attach directly to a server. However, as storage-area networks (SAN) and network-attached storage proliferate, security becomes a real problem. This is especially the case as more customers use IP to link storage devices instead of, or in addition to, the more secure Fibre Channel protocol customarily used in SANs.

“The prevailing perception is that because my [SAN] is behind my firewall it’s safe and I don’t have to worry about it,” says Mark Diamond, president and CEO of Contoural, a Los Altos, Calif., storage education, consulting and incident-management firm. “The problem with that,” he adds, “is a SAN has many more entry points” than direct-attached storage.

Relatively few products are designed purely to secure networked storage. This leaves most users relying on the security capabilities found in storage management software from hardware vendors such as Brocade Communications Systems, EMC and McData or in storage-management tools from vendors such as FalconStor Software.

Given this, analysts recommend looking for storage-management tools that support current security standards, such as IP Security (IPSec), Remote Authentication Dial-In User Service (RADIUS) and SNMP Version 3 (SNMPv3), and emerging standards, such as the Diffie-Hellman Key Encryption Protocol-Challenge Handshake Authentication Protocol (DH-CHAP). With IPSec, which the Internet Engineering Task Force mandated be used in certain storage wares in order to be considered standards-compliant, users can add encryption and authentication capabilities into IP storage networks. RADIUS can provide a foundation for role-based security through a central database of user access information, and SNMPv3 supports encryption of management and troubleshooting data from storage devices. DH-CHAP, when it is finalized later this year, will ensure the identity of Fibre Channel storage devices, switches and managers.

Security standards in storage tools

Storage vendors offer a mixed bag when it comes to support for such standards.

McData says it will support third-party implementations of IPSec when it ships its first IP storage products later this year, with native IPSec support coming next year. In its SANtegrity security suite, McData supports RADIUS now and says it will add support for SNMPv3 and DH-CHAP later this year. In the meantime, Brocade’s Secure Fabric operating system now supports IPSec and will add support for DH-CHAP, RADIUS and SNMPv3 in the second half of the year. EMC does not support any of these standards in ControlCenter; FalconStor’s IPStor software supports IPSec but not RADIUS. Support for SNMPv3 and DH-CHAP will follow as they are finalized, FalconStor says.

SwapDrive CEO David Steinberg chose one of the few storage-specific security products available — a storage encryption appliance from Decru.

Regardless of which security standards they use, most storage-management tool vendors support logical unit number masking, which limits the number of logical storage volumes an application or server can see; and zoning, which organizes the devices on a storage network into logical groups similar to a virtual LAN. Some also support binding, a relatively new technique that uses access control lists to determine which devices can attach to which ports.

While such functions don’t secure data, they do prevent storage administrators from configuring their networks improperly. That helps keep storage networks secure, according to the Storage Networking Industry Association (SNIA). In a report released in January, SNIA said the complexity of storage networks makes configuration mistakes the No. 1 security threat for most network storage users.

Encryption appliances

Unencrypted stored data is another big security weakness. At any time, 98% of corporate data is not in transit over a network but at rest on disk or tape devices, says Steve Duplessie, a senior analyst at Enterprise Storage Group. If it isn’t encrypted, that data “sits there like a big, fat elephant waiting to be shot,” he says.

That reality has turned encryption of data in disk drives or on tape back-up systems into a storage security hot spot. Storage vendors can provide encryption on the server, on the host bus adapters that link the server to the storage network, on the client, or in a stand-alone appliance.

At SwapDrive, an online back-up firm in Washington, D.C., customers were swayed only slightly by assurances from the company that it had great physical security and thorough security policies, says David Steinberg, CEO. To them, he says, the lack of encryption meant “we had a hole in our system.”

To fix that “hole,” SwapDrive used Decru’s DataFort E440 storage security appliance to encrypt customer data as it moves from SwapDrive’s servers to a third-party managed storage service environment where it remains encrypted until the customer retrieves it. SwapDrive chose a stand-alone appliance rather than having customers manage their encryption keys and passwords, something it would have needed to do if it downloaded encryption algorithms to client machines. An appliance also minimized any performance hit to the network and applications, Steinberg says.

Stand-alone storage encryption products also help customers split responsibility among groups for managing storage vs. storage security. This division of labor reduces the chance of someone misusing legitimate access rights to steal or sabotage data. It also allows the outsourcing of data management while keeping security in-house, says Andy Salo, director of product marketing at Decru.

Other storage security appliances combine encryption with additional security features. NeoScale Systems’ CryptoStor FC provides encryption and centralized policy management, while the CryptoStor for Tape appliance, in beta testing, will do the same for tape systems. And the as-yet-unnamed Vormetric appliance due out in mid-April will combine encryption, authentication and fine-grained access control capabilities, says David Tang, the company’s vice president of marketing and business development.

Over time, vendors will incorporate encryption and other such security features into storage switches, tape drives and drive arrays, predicts Mike Alvarado, chair of the SNIA’s Storage Security Industry Forum, a group that intends to lobby vendors for improved security in networked storage products. Users ultimately will have a full complement of storage security appliances and integrated security functions from which to choose, says Alvarado, who also is a senior product manager at NeoScale.

But for now, some storage vendors contend that integrated encryption isn’t necessary. Paul Ross, director of storage networks for EMC, cites a lack of customer demand as the reason that the vendor doesn’t offer encryption.

EMC’s Symmetrix and security

Every network executive knows hackers use automated “war dialing” software to find modems that will accept an incoming call and, when found, use that connection to launch attacks.

So doesn’t the Service Processor that lets EMC Symmetrix Storage Systems make and receive service telephone calls pose a security risk?

Not to worry, says Paul Ross, EMC’s director of storage networks. “There’s only a limited set of things you can do to the Symmetrix through that dial-in connection, and they all have to do with pulling” data about the configuration and functioning of the storage system, he says. If the Service Processor finds a problem with a disk in the system, for example, it can “phone home” to EMC, which will dispatch a technician to replace it. You actually can’t get to data such as customer files through the modem connection, he says.

While EMC can send software updates to the Symmetrix through the phone line, Ross says, most companies require an on-site administrator to install those updates or actually reconfigure the system. And for those customers who are still nervous about their phone lines, he says, the Service Processor also can be hooked to the more-protected corporate LAN.

— Robert Scheier

Some vendors say they hope to fight the storage security threat with authentication protocols and products that verify the identity of a switch, a drive array, a storage manager or anyone else before allowing network access. DH-CHAP, due out this year, will provide such authentication capabilities. DH-CHAP will be a mandatory part of the Fibre Channel Security Protocols under development at the American National Standards Institute. McData recently demonstrated the use of security protocols such as DH-CHAP to authenticate users across its own and other vendors’ switches.

While DH-CHAP is aimed at Fibre Channel storage networks, IPSec can provide authentication and encryption capabilities for users building IP storage networks, says Tom Nosella, senior manager of technical marketing with Cisco’s Storage Technology Group.

Storage audit

Beyond tools, network storage managers need to develop the same kind of threat assessment and auditing processes they have in place for enterprise data networks, industry experts say. Among other steps, storage managers should consult with their corporate or legal audit staffs to determine what legal or regulatory security requirements they face, Alvarado says (see related story, “Storing by the rules” ).

“When people implemented network security, they didn’t say ‘Let’s look at the vulnerabilities and let’s protect them,'” Contoural’s Diamond says. “People did threat-assessment models, and got a lot of experience [in what worked and what didn’t]. A lot of that work hasn’t been done for storage security.”

Security starting points

Storage vendors are beefing up their products with security options such as these.
Vendor Product Description
Brocade Communications Secure Fabric OS Manages Brocade’s SilkWorm Fibre Channel switches; includes port-level access control lists to prevent worldwide name spoofing, trusted switches and public-key infrastructure-based authentication.
Cisco MDS 9000 switches Support RADIUS for role-based user authentication; virtual SANs, which let administrators isolate ports and switches within a physical SAN to secure access; and SNMPv3, for encryption of management data.
Decru DataFort E440 and FC440 Encrypts data at rest in storage devices; provides audit trail for tracking access to data.
EMC ControlCenter management software for SANs Includes Source ID lockdown, which prevents unauthorized users from spoofing the World Wide Name of a host-bus adapter. Considering support for PKI or smart cards/tokens to improve authentication and access control.
Celerra for NAS environments Product architecture prevents storage administrator from viewing data or users from accessing manage-ment console. Will support stronger encryption to be included in Network File System Version 4.
FalconStor Software IPStor storage management software Requires authentication for storage administrator; supports IPSec and other IP-based security mechanisms; will support DH-CHAP for authentication.
McData SANtegrity Security Suite Includes SANtegrity Authentication to provide authentication using DH-CHAP; SANtegrity Binding uses access control lists at the port, switch and fabric levels to secure access to the storage network fabric.
NeoScale Systems CryptoStor FC for Fibre Channel net-works and CryptoStor for Tape (in beta) Provide encryption and authentication.
Vormetric Unnamed security appliance scheduled for release in April. Will combine encryption with authentication and fine-grained access control.

Scheier is a freelance writer in Boylston, Mass., who writes about storage and security. He can be reached at .