Is the Clock Ticking for SAN Break-ins?

IT managers seem to be having a tough time making a solid business case for increased security of their Fibre Channel storage area networks. A security expert thinks that's a problem in the long run.

Security appears to be off the radar of SAN customers. But is the reason that theres no real security threat or that security just doesnt sell in todays storage market?

In my previous column, I looked at SAN security from the perspective of consultant Himanshu Dwivedi. Hes the managing security architect at @stake Inc.> and presented "Security Issues with Fibre Channel Storage Networks" at this weeks Black Hat USA 2003 conference in Las Vegas.

Dwivedi is sounding an alarm about the current state of preparedness by many storage managers around Fibre Channel SAN security—specifically for the types of threats with which were all-too-familiar on the IP side of the network. That lack of urgency shouldnt be too surprising, since so far there have been no fires to put out. Perhaps just a whiff of smoke, and at worst something like a controlled burn.

"Storage pros have predicted there will be an attack soon," Dwivedi said. "There has been unauthorized access. And some of my customers have accidentally set incorrect parameters and were then given access to data that they didnt mean to have. And there have been times when access was presented in a wrongful way—but it wasnt to a hacker," he admitted. Still, "unless vendors come out with better zoning procedures and authorization, and some kind of authentication these attacks will exist."

According to Dwivedi, the difficulty and obscurity of Fibre Channel technology affords IT managers and storage vendors a perhaps unique opportunity to get out in front of the attackers. "Historically, thats not been the case. The crackers, the black hats, have been pushing one step ahead, and vendors have been playing catch up," he said.

For the most part, however, security appears to be way down the list of concerns for customers, which sends a mixed message to storage vendors. While everyone recognizes that security is important, customers are already preoccupied by the need for beefier storage-management software and interoperability for heterogeneous environments.

For example, in an article earlier this spring by my eWEEK colleague Evan Koblentz, EMC Corp. Senior Technologist David Black mentioned that the company had conversations on a "regular basis" with large customers about providing additional security features. But "EMC does not view security as a product or an ROI we will sell," Black said. (For more information, see "Storage Security: Cause for Concern?")

In addition, current methods to improve SAN security against these potential threats run straight up against the item at the top of customer wish lists: easier management via software. Dwivedi said many of these improvements are enabled by soft zoning. To compound the dilemma: The very practice of hard zoning provides the highest level of security, but its also the hardest to manage and will lead to extra work and overhead expenses for the already overburdened IT department.

"At that point, you have to step back and talk about data classification, and thats foreign to many storage managers," Dwivedi observed. Instead of taking a global approach to storage resources, managers must look at the users, data and applications that use the SAN and then make decisions about the level of security each requires—or that will be ignored.

"They need to ask themselves, Whats the risk of this data being compromised? " Dwivedi said. "If its high, then maybe I need to bite the bullet and go with hard zoning. But if its not, and the hard zoning costs three times the amount for maintenance, then theres no case for hard zoning. Only after that analysis can they make the educated informed decision whether they want to take the risk," he said.

Sometimes knowledge is power. In this case, I predict it will be closer to inaction.

David Morgenstern is a longtime reporter of the storage industry as well as a veteran of the dotcom boom in the storage-rich fields of professional content creation and digital video.

More from David Morgenstern: