Facing Up to the Need for Security in Storage

Direct-attached storage and SANs have many security weaknesses--and the situation could get worse.

High-end database integrity vendor Acxiom Corp. basically sells peace of mind, so its especially important that it have peace of mind about its own stored data, totaling nearly 600 terabytes. However, Acxiom is among many organizations finding that feeling of security tough to come by.

"[Storage vendors] shy away from us whenever we start to talk about locking things down. ... This is something we have to do on our own," said Dennis Peacock, Unix systems engineer at Acxiom, in Little Rock, Ark.

"We are concerned about security," Peacock added. "Were putting together a plan to actually change file IDs and the passwords on the Fibre Channel switches and then patrol that within an encrypted database where only we have access."

Security is among the hottest and most well-researched of all IT concerns, but in the enterprise storage industry—one of the oldest IT businesses—security is still in large part about jumping over hurdles and hype.

Todays direct-attached storage and SANs (storage area networks) have far more security weaknesses than most users are aware of—or that storage vendors admit. And experts say the situation will get worse as the newest storage technologies—such as Fibre Channel over IP, virtualization and NAS (network-attached storage)—become more common.

Because a SAN typically runs on a Fibre Channel network separate from a companys main IP network, physical access is required to make changes. A virtual break-in is theoretically nearly impossible, a theory driven home by sellers of disk arrays, such as EMC Corp.; of NAS, such as Network Appliance Inc.; and of storage as a hosted service, such as BellSouth Telecommunications Inc.

All these vendors do offer safeguards: EMCs LUN (logical unit number) masking and zoning software; NetApps SSH (Secure Shell), SSL (Secure Sockets Layer) and Kerberos support; and BellSouths dedicated servers and virtual LAN-based tape backup services, among other measures.

All also admit that theres no such thing as unhackable.

"The potential might be there ... for somebody to figure something out," said Ken Steinhardt, director of technology analysis for EMC, in Hopkinton, Mass. Keith Brown, director of technology at NetApp, in Sunnyvale, Calif., put it more strongly: "I wouldnt claim that [our systems cant be hacked] because that would be insane."

Bill Schroeder, president and CEO of storage security startup Vormetric Inc., pointed out the source of some problems. "Fibre Channel does not have a built-in authentication or security paradigm," said Schroeder, in San Jose, Calif. "When [Fibre Channel] was originally conceived, it wasnt needed: One way in, one way out—its easy to guard. Then some guy got the bright idea to turn it into a switch."

Exploiting such weaknesses isnt just theoretically possible; there are a variety of techniques for compromising SANs, said Himanshu Dwivedi, managing security architect for security consultancy @Stake Inc., in Cambridge, Mass.

"Ive done this before," Dwivedi said, adding that most organizations have only one or two so-called demilitarized zones, or DMZs, between their Internet- facing network and their SAN and that @Stake frequently finds misconfigurations in storage switch zones, unauthorized user access to LUN maskings and incorrect file system privileges.

SAN viruses could also become a concern, Dwivedi said. A virus could be written to notice if its backed up to a SAN, and it could then propagate itself.

Some safeguards are on the way. For example, the Fibre Channel Security protocol currently in development by T-11.3, the software division of ANSIs Fibre Channel working group, can likely be used to secure Fibre Channel over IP.

However, vendors and standards bodies will have to move quickly to secure the many new storage technologies poised to enter the mainstream, including storage virtualization, object-based storage and heterogeneous storage management software.

Acxioms Peacock, for one, is bracing to do the heavy security lifting himself, with or without vendors help.

Senior Writer Evan Koblentz can be reached at evan_koblentz@ziffdavis.com.

Related stories:

  • Sun to Roll Out SAN Tools
  • Caution: NAS, SAN Merge Ahead
  • Switch Rivals Move on Fibre Channel, IP