While other industries take a reactive approach to security, storage experts are looking to get ahead of the curve, according to the founder of a new site dedicated to a vendor-neutral discussion of SAN security. Will Spencer, founder of SanSecurity.com as well as its sponsor, Network System Architects Inc., in Denver, said his effort comes from a belief that storage security will soon be as vital as storage management.
Unlike in the networking and server industries, where security always seems a step behind the crackers, “in this instance, the industrys beating the hackers for saying theres going to be a problem,” Spencer said. “Fibre Channel is very attackable. There are many vulnerabilities that are not going to be that hard to exploit. Many are configuration issues.”
Rather than force users to deal with storage security point products, there are several areas where the original storage hardware and software makers could make native improvements, Spencer said.
For example, “if youve got Web servers that are serving dynamic content from databases and those databases are reading from your storage area network, [then] you have to consider your SAN wide open,” Spencer said. Customers of dedicated hosted storage arent any safer, as the overload or spike capacity often is shared, he said.
One way to crack a SAN is to “change the address of your host bus adapter, which you can do just by launching the GUI,” Spencer said. Or “I would do SQL calls instead of sharing storage, or I would just [copy] the data using FTP” instead of going through a firewall and Web servers, he said.
Nolan Hennesee, manager of technical services at Lexington Medical Center, in West Columbia, S.C., recently switched from Hewlett-Packard Co. gear to 9 terabytes of EMC Corp.s Clariion and Centera series.
“At the end of the day, a SAN is nothing more than a hard drive for a server. I need to protect my server long before you get that close to it,” Hennesee said. But when the purchasing decision was made, “no one ever sat down and said, What about security? It is a different conversation,” he said.