What security tools should I be using to test the security of my storage environment?
There's a lot to this. You can use tools to look for unstructured files (alluded to in the previous question), but you often have to dig in deeper. When looking for vulnerabilities, go beyond the storage arena and consider any connected or related systems, including operating systems, Web applications, desktops, servers, and wireless networks -- practically anything that has access into the storage environment.
There are specialized tools for testing all of these. I encourage people to actually come to my Web site and check my resources page. I have a set of articles written mostly for a variety of TechTarget sites that I link to, and these articles discuss what tools are best to use with particular systems. I also wrote an article on this topic for SearchStorage.com titled "Five must-have storage security testing tools" that outlines several notable, free products and looks for several specific vulnerabilities within storage.
Ultimately, it's important to look at the entire environment, not just the storage. Consider the application-level vulnerabilities, OS-level vulnerabilities and even your network-level vulnerabilities. If a vulnerability is present in any of those areas, it can potentially allow an intruder into the storage environment. Think outside of the box. You have to have good tools and use an ethical hacking methodology to find vulnerabilities in the shortest amount of time, while spending the least amount of money.
The vendor is also involved to some extent. You depend on the vendor to write secure code initially, then develop, sell and support applications that are resilient to attacks and have layered security controls. From a practical sense, the best you can do is ask your vendors some tough security questions up front and have them make their best case for security in your particular environment. Check the quality of each vendor's support to see that they are responsive to your security questions and needs -- expect the vendor to notify you of critical issues and provide timely updates. If you haven't received security updates in years, you might want to question their concern or focus on security issues. Ultimately, don't rely on your vendor totally -- look out for yourself first.
This was first published in March 2007