Enterprise Strategy Group
Published: 12 May 2006
Storage security focus for 2006
Storage security turned a corner in 2005. Now it's time for storage pros to get serious about security.
As far as I'm concerned, 2005 was a watershed year for storage security. EMC announced to the world that, moving forward, security would be integrated into the company and its products. Network Appliance voted with its wallet by acquiring Decru. Tape leaders such as Quantum and Spectra Logic added encryption capabilities to their systems.
Storage security victory! Well ... not quite.
Don't get me wrong. After three years of carrying on about storage security, it's great to see this new wave of progress ripple through the industry. In spite of this, IT storage managers and the storage vendor community still have a myopic view of security. Too many folks think the term "storage security" can be interpreted as either backup encryption or as a security appliance à la Kasten Chase or NeoScale.
So, my storage-centric brethren, when it comes to security there are a few things to keep in mind:
- Security must be systemic. Remember the television show Get Smart? At the beginning of each episode, Maxwell Smart (Agent 86) had to pass through a number of security checkpoints before arriving in his office. In this vintage TV example, each checkpoint is another "layer" of security, a model often referred to as "defense-in-depth." Storage security is no different; to be truly effective, encryption must be supported with things like access controls, strong authentication and monitoring.
- Security threats are always changing. Think about all the stuff you have to guard against on your PC: viruses, worms, spam, phishing, etc. The bad guys are discovering new attack vectors all the time. This means that the storage community has to remain in a constant state of security awareness. You have to make patching management servers and monitoring bug-tracking sites a priority, and ensure your staff is trained to know a scam when they see one.
- You can't manage (or in this case, secure) what you can't measure. I know this is a tired old business saying that everyone has heard from some dorky boss, but with security it's certainly a truism. If I don't capture baseline information, monitor changes and offer all this information up as reports, how can I tell how secure my storage is?
Focus areas for 2006
Storage managers and vendors need to expand their horizons in 2006 for the sake of protecting mission-critical data. Alas, the real estate of this column is too dear for an exhaustive list of security topics, so allow me to elaborate on four important storage security focus areas that professionals and vendors should pay attention to:
- Storage security standards. The biggie here is the Fibre Channel Security Protocol (FC-SP), which is set to be ratified by the American National Standards Institute's (ANSI) T11 working group any day now. FC-SP is kind of the FC equivalent of IPsec, a set of standard algorithms and protocols providing authentication, confidentiality, integrity checking and non-replay protection for IP packets. Granted, the first version of FC-SP has a long way to go, but you have to start somewhere. FC-SP will eventually provide ample protection for SAN-based data in flight as the standard gets baked into host bus adapters, switches and storage systems.
- Security by default. Historically, configuring devices for security demanded an "opt-in" model. IT technologies were shipped in an unsecured state by default, so securing them meant extra configuration steps. Given the growing number of digital threats, the technology industry is quickly morphing to an opt-out paradigm. The best example of this change is Windows XP Service Pack 2, which turns on a firewall upon installation.
Storage won't move to an opt-out security model overnight, but you can certainly expect more security configuration and installation options. Examples of this change will consist of things like ACLs on management interfaces, forced changes to default passwords, removal of unnecessary TCP services and role-based administration. When you're configuring your brand-new storage system in October, you'll see messages like, "You have not changed the default administration password, which may present a security risk. Are you sure you want to proceed?"
- Logging. Storage devices either don't log events, don't log enough events or log events in some proprietary format. As Lyndon Johnson might have said, "That dog don't hunt." Logging fits under the "you can't manage what you can't measure" category--especially when it comes to regulatory compliance and keeping the auditors happy. In other words, ever-increasing regulations move storage logging to the "gotta have" list.
- Key management. This area isn't well understood by most storage people. Heck, even a lot of security folks don't understand key management and its application. I'll probably dedicate an entire column to key management in the future, so I'll spare Storage readers from a crypto-geek explanation for now, but here's a simple explanation for the burgeoning key management requirement. Key management goes hand in hand with encryption. Encryption keys can be seen as random numbers used to encrypt data--no keys, no data. Because of this, keys must be protected, backed up, rotated offsite, etc. Now suppose you have six separate storage devices (disks, tapes or appliances) that do encryption. That means you have six key management systems to operate. This means that in the event of a disaster, you have six systems that must be restored before the data is useful. Does anyone else see an operations nightmare approaching? Centralizing key management can help you avoid these issues and is why Enterprise Strategy Group advocates a proactive plan.
User plan for 2006
Each of these focus areas demands security knowledge and an action plan. Storage professionals should:
- Assess SAN configuration and administration against FC-SP. In many shops, SAN deployment is limited to specific data centers and trusted members of the storage team, so authenticating storage devices and encrypting FC communications might be overkill. On the other hand, enterprise SANs can have hundreds of FC ports and distributed devices crossing data centers and public networks. Storage managers need to assess risks and SAN topology strategies, and then map FC-SP accordingly.
- Understand the ramifications of "secure" configurations. Examine the tradeoffs between security and operational processes. For example, if storage administrators log into devices from their homes, assigning ACLs associated with internal IP addresses alone won't work. In other words, it's important to look at all existing processes, procedures and technology needs before simply locking down storage boxes.
- Map storage security with compliance obligations. This is true with regard to access controls as well as logging, where log files can eat up a lot of storage. Grab the compliance auditors and determine what data they need, in what format and how often they need it. Because this is a new activity, expect several iterations before you get it right.
- Approach encryption with your eyes open. Scrambling bits on backup tapes is just the tip of the iceberg. As vendors pitch encrypted storage devices, make sure you understand what they provide for key lifecycle management. Do they have Federal Information Processing Standards (FIPS) certification? Do they adhere to standards? Can their products be integrated into a centralized service? Upfront work here will prevent a serious operational headache down the line.
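The "security by default" items listed earlier (management ACLs, default passwords, unnecessary TCP services, role-based administration) and the ACL tradeoff in the "secure configurations" item can both be checked against a device configuration before locking it down. The following is an added example, not part of the original column; the configuration layout, field names, service allowlist and sample addresses are constructed assumptions.

```python
import ipaddress

# Assumed allowlist of services a management port needs (not from the column).
REQUIRED_SERVICES = {"ssh", "https"}

def _acl(cfg):
    return [ipaddress.ip_network(n) for n in cfg.get("mgmt_acl", [])]

def audit_defaults(cfg):
    """Check ACL, default password, extra TCP services and role separation."""
    findings = []
    acl = _acl(cfg)
    if not acl or any(n.prefixlen == 0 for n in acl):
        findings.append("management interface has no restrictive ACL")
    if cfg.get("admin_password_is_default", True):
        findings.append("default administration password not changed")
    extra = sorted(set(cfg.get("tcp_services", [])) - REQUIRED_SERVICES)
    if extra:
        findings.append("unnecessary TCP services enabled: " + ", ".join(extra))
    if {a["role"] for a in cfg.get("admins", [])} <= {"superuser"}:
        findings.append("no role separation: every account is superuser")
    return findings

def locked_out_admins(cfg, logins):
    """Map each admin to the source addresses the ACL would reject."""
    acl = _acl(cfg)
    if not acl:          # no ACL configured means nothing is rejected
        return {}
    blocked = {}
    for user, src in logins:
        if not any(ipaddress.ip_address(src) in n for n in acl):
            blocked.setdefault(user, set()).add(src)
    return {user: sorted(srcs) for user, srcs in blocked.items()}

# Constructed sample data: a factory-state device, a locked-down one,
# and recent administrator logins (one from a home connection).
FACTORY = {"mgmt_acl": [], "admin_password_is_default": True,
           "tcp_services": ["ssh", "https", "telnet", "ftp"],
           "admins": [{"name": "admin", "role": "superuser"}]}
HARDENED = {"mgmt_acl": ["10.20.0.0/16"], "admin_password_is_default": False,
            "tcp_services": ["ssh", "https"],
            "admins": [{"name": "alice", "role": "superuser"},
                       {"name": "bob", "role": "operator"}]}
LOGINS = [("alice", "10.20.4.17"), ("bob", "203.0.113.45"), ("bob", "10.20.9.3")]

if __name__ == "__main__":
    print("FACTORY:", audit_defaults(FACTORY))
    print("HARDENED lockouts:", locked_out_admins(HARDENED, LOGINS))
```

Running the lockout check against real login history before applying an internal-only ACL shows which administrators need a supported remote path first.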
Security isn't industry rhetoric--it's serious business. Given the increased emphasis on security, every vendor is bound to have a story, so it's incumbent upon storage professionals to be knowledgeable enough to spot a phony. As you increase your knowledge, make sure to include chief information security officers or other security people with a keen eye for security smoke and mirrors.
One other note: It's one thing to offer secure products; it's a completely different thing to embrace security. Does your vendor have security included in its software development process? Are its field engineers trained in storage security? Is the company providing secure remote support? If the answer to any of these questions is "No," you should immediately find out when they will address these shortcomings. It's best to avoid equivocating vendors that lack definitive roadmaps and schedules.