Market Analysis: Storage Security
You wouldn't hire any old security service to guard your company's important physical assets, would you? We outline areas of vulnerability and present questions to get you thinking about the
April 8, 2005
Security professionals are largely unfamiliar with the SANs and databases they're supposed to be protecting. Although they surely realize that Fibre Channel is not a new health-food spin-off of Food TV, they're less aware that data running over an FC SAN is as readily readable as data running over an IP network.
Lemonade, Anyone?
Smart storage pros will make the most of this situation by working with their security teams to build a storage-security system that will protect data with minimal impact on uptime.
The first step in locking down your critical stored data is to determine which type of security best suits your organization. Stored data is vulnerable in more places than you might think, including at the application, host, switch, and LUN or block levels. Fortunately, there are plenty of products to address these problem areas. With offerings from vendors like Ingrian and Protegrity, you can encrypt select database columns. Alternatively, you can implement SAN access control from switch vendors, or SAN encryption and access control from vendors such as Cisco Systems, Decru, Kasten Chase and NeoScale. Some products also limit access by application (see "Securely Stowed,").Fact is, there's no single solution. Generally, data still comes to the host unencrypted--even products that encrypt and decrypt right on the host or database server must hold unencrypted data in memory. And access control at the host, application, database and SAN levels can only mitigate risk.
So what does good enough storage security look like? Compliance requirements are growing in every field, but if your enterprise works with the federal government, is a financial institution, hospital or credit-card issuer, or maintains a presence in California, you could be under the gun. For example, you may be required to produce records of what access rights were changed, when they were changed and who changed them. You may also need to prove you took steps to limit access and protect data if a breach does occur.
The following questions will help you get to the heart of storage security--what you are trying to protect, and at what points in the architecture.
• Do you need encryption, or just access control? If you encrypt data on the SAN, must you encrypt it across the entire SAN? If the decryption is performed off-host, can your network handle the additional traffic? If the decryption is performed on-host, are you willing to touch each server that must act as a host for encrypted data to install either client software or a decryption accelerator card?
Different products decrypt at different locations, with most of them passing data unencrypted from the switch to the host. Only 11 percent of readers surveyed don't use encryption, saying it's not worth the bandwidth; 32 percent prefer to encrypt on the host. Encryption on the host is CPU-intensive unless you have dedicated encryption processor cards in each host. Encryption on the SAN, be it on the switch or on an appliance, puts unencrypted data on the SAN when it's passed to and from the encryption engine.• If you encrypt database columns, where should they be decrypted, and where should the keys be stored? If the keys are in the database and double-encrypted, is that good enough? We don't like storing keys with the data they protect, but if the encryption keys are encrypted, many professionals think that's acceptable. If encryption and decryption are done in the database with stored procedures, be careful about access controls to those procedures. Putting keys, the encryption engine and data all on one box does ensure that you won't lose data if the network goes down midtransaction.
• If you limit access to specific LUNs by host, do you need protection from WWN spoofing, where the World Wide Name of a host with access is copied onto a host without access so an attacker can pretend to be on a valid host? Do you need logging of attempted access by unauthorized hosts? Do you need to tie a specific port to a specific device's WWN? Are you willing to maintain this association throughout time, across the entire SAN? Tying ports to specific WWNs is a good way to protect against WWN spoofing, but the maintenance is higher because you must keep those relationships live.
• Do you need role-based access control? Access control to data on the SAN is implemented by 60 percent of poll respondents, with authentication and management access control close behind, at 55 percent and 57 percent. Role-based access control does make management of rights much easier, but you'll incur more overhead.
• Do you need to ensure that an attacker who gets physical control of your disks or tapes won't be able to read them? Don't dismiss this possibility--in February, Bank of America announced that tapes were lost during shipment to a backup data center. The tapes contained unencrypted customer and account information for 1.2 million federal employees, including some very unhappy senators. Encryption of a tape introduces complexity because you have to ensure the decryption key will be available should you ever need the data on that tape. But storing the key on the tape is counterproductive.
When asked which areas of storage security they want to bolster, a whopping 73 percent of our poll respondents named hosts. These, along with applications residing on hosts and IP gateways, were considered the weakest links in SAN security.Nearly all enterprise SANs run on optical Fibre Channel networks. FC is designed to handle high-speed, high-volume data transfers. For our purposes, we're focused on high-speed, high-volume transfers between disk subsystems (targets) and servers (hosts), generally through an FC switch that behaves much like an IP switch.
The competing iSCSI is a protocol that wraps SCSI commands and responses in IP packets. Because of the overhead of IP and differences between the IP protocol's expectations and those of SCSI, iSCSI's performance can't match FC's. 10-Gigabit Ethernet will bring performance in line with Fibre Channel, and consequently, we think iSCSI will grow in popularity.
Here's a breakdown of other vulnerable areas, beyond hosts and applications, in both Fibre Channel and iSCSI storage infrastructures. See our diagrams for visuals.
Fibre Channel
• Fibre Channel switches: An FC switch is a networked switch. Although the mechanics aren't as well understood, they suffer from all the vulnerabilities plaguing other switches. WWNs can be spoofed, the switch can be physically replaced, and IP management ports can be broken into. Gaining administrative access to a switch through the management port can open the entire SAN to intrusion.
Fibre ChannelClick to Enlarge |
• Fibre Channel management host: With the advent of Web-based management, dedicated management hosts are used less frequently. However, Web-based administration systems are prone to the thousands of attacks that can happen on any TCP/IP-based network. Gaining administrative access to the management host or interface can allow an attacker to turn off all security on your SAN.
• Fibre Channel storage arrays: Physical storage can be threatened by several different routes. Because most LUN masking and virtual routing is done in the switch, replacing the switch can allow access to the drives on the physical array. Someone walking out of the building with your physical array is also within the realm of possibility.
• Tape backups: As mentioned, tapes are a point of vulnerability because they leave your building and are stored off-site.
iSCSI |
iSCSI
• iSCSI switches: These are prone to all the vulnerabilities you're used to in IP. For example, an unauthorized user who gains administrative access can turn off VLANs (virtual LANs) and security. This is more of an issue with iSCSI than with FC because iSCSI uses off-the-shelf IP switches that don't have specialized storage security built in.
• iSCSI storage arrays: These can be more vulnerable to attack than FC storage arrays, for no other reason than that any machine on the IP network can see them. If there's a route between a given host and an IP storage box, there's a direct attack vector. ISCSI storage arrays suffer from the same physical access problems that affect FC storage. And in an iSCSI network, more security information is on the array, so gaining administrative access is more of a threat than in FC.
As we mentioned, most readers are worried about the security of their hosts and the applications running on them. The bad news is that once an attacker has access to a host on the storage network--be it Fibre Channel or iSCSI--he or she has access to all the data the host can see. Luckily, many of the products we looked at in "Securely Stowed" limit access rights by LUN, to limit what each host can see. Database encryption tools offer the added security of knowing your data is not accessible to any users except the ones that certain applications run as.
This is not a cure-all, but it does mean that an attacker taking over a box does not necessarily have access to all the data the box can "see." Decru offers an add-on application that lets admins limit which applications can run on a host, and what storage--down to the individual file level--each application can see. This is useful to keep an attacker from using applications like SQL*Net to access data in your database, even if the intruder has compromised the login of a database user.The recent bad press about SHA-1, even though the attacks were mostly contrived in situations where the keys or data had to conform to a certain set of criteria, guarantees that you'll be using one of the new hashing standards. Make sure the product you choose is expandable--in security, the only certainty is change.
Costly, but Prudent
Overall, there are no real surprises in the cost of data security. Encryption of data costs you in terms of bandwidth and latency, though not as much as you might expect. Access control and authentication cost you in terms of the management hours required to set up and maintain access-control lists, though group-based management does save you time. Choosing a product that mitigates the cost through support for RADIUS is a good idea if you're maintaining a large network.
In fact, not securing your data at rest could end up costing you more than even a fleet of expensive encryption appliances. By the end of next year, failure to encrypt credit-card numbers stored in databases will be considered negligence in civil cases arising from unauthorized disclosures, according to Gartner.
Already, ChoicePoint shareholders are suing after the company's shares plummeted on news that consumers' personal data had been stolen. Identity theft costs U.S. businesses and consumers $50 billion to $60 billion a year, according to the Federal Trade Commission. It's not a stretch to expect more consumers to sue the companies that let their data be pilfered. What's more, the California Database Security Breach Act, which applies to any business with customers in that state, requires disclosure even if a break-in is only suspected.Just the thought of the adverse publicity such a notification would generate should be a wake-up call to any organization not taking protection of data at rest seriously.
Don MacVittie is a technology editor at Network Computing. He previously worked at WPS Resources as an application engineer. Write to him at [email protected].
It's crucial that storage pros work closely with their security counterparts to protect data at rest. This is no time to get territorial: Given the recent rash of personal-data theft, today's data-security regulations may be only a taste of what's to come. Sen. Dianne Feinstein (D-Calif.), for example, has introduced a bill that would set national standards for database security, require businesses and government entities to notify individuals if they even suspect an attacker has obtained unencrypted personal data, and empower the Federal Trade Commission to impose fines of $5,000 per violation or up to $25,000 per day.
In this cover package, you'll learn what network engineers, database administrators, SAN engineers and security professionals can do to store data more securely. "Who's Minding the Storage" outlines areas of vulnerability and provides a list of questions to get you thinking about the level of storage security that's right for your organization.
"Securely Stowed,", examines encryption products and storage switches from Brocade Communications Systems, Cisco Systems, Decru Systems, Ingrian, Kasten Chase, McData Corp., NeoScale Systems and Protegrity, which we tested in our Green Bay, Wis., Real-World Labs®. We didn't issue a report card or pick an Editor's Choice, though we did take a special shine to Cisco's MDS 9216i Storage Switch. Rather, we sought to outline what vendors can do for you in the storage-security arena. We liked what we saw overall and look forward to delving deeper into some of these products in the coming months.
0
Read more about:
2005You May Also Like