Dore Rosenblum



Proven Strategies for Protecting Storage Data at Rest, in Flight, and Offsite

Based on recent incidents, C-level executives are quickly realizing that in today's increasingly regulated and distributed environments, it's no longer sufficient to rely on status quo barriers of protection for critical corporate information. Instead, security executives are now faced with developing a comprehensive, ground-up strategy to protect critical information at all times from attack. This includes security for data-at-rest and data-in-flight. It also extends to data managed at offsite locations by outside service providers (e.g., disaster recovery services). Regardless of where the data resides, companies are expected to assure their customers that their sensitive information is being handled with the best security practices and procedures.

Why is demand now stronger for storage security solutions? Regulatory compliance, security de-perimeterization, and storage consolidation are combining to increase the urgency of implementing information privacy solutions.

  1. Regulatory compliance is driving companies to implement stronger security to protect consumer privacy in the event of a breach. California Senate Bill 1386 has recently been in the news because it requires companies to disclose the loss of personal information about a California resident unless the information is encrypted. Without this regulation, many of the recent identity theft stories would never have become public. Lawmakers in Washington are working on legislation that would mandate similar identity theft disclosures on a nationwide scale. Other regulations that protect sensitive information are usually industry specific, including HIPAA for the health care segment and GLBA for the finance sector.
  2. Security de-perimeterization works to address insider threats, which are often greater than outside threats, with respect to information privacy. Instead of relying solely on external perimeter security at the corporate firewall, companies are now building security layers to protect internal servers and storage resources. Conceptually, all users are treated as outsiders and must be authorized to access resources. This new security model requires stronger protection of stored information.
  3. Storage consolidation minimizes storage costs by leveraging shared resources (e.g., tape silos, disk arrays) and outside providers (e.g., vaulting, disaster recovery services). While saving costs, consolidation opens new threats by allowing data to be shared by many different servers. In the past, a hacker would have to compromise each server to access information. With networked storage, a hacker can potentially gain access to all stored information without having to compromise any servers.
With the threat of public exposure, it's easy to see why companies are focused on building security layers to protect their networked storage. These resources represent prime targets, because regulated data is usually stored on these networks. As with IP networks, storage networks are susceptible to published security threats such as system breach, spoofing, denial of service, unauthorized access, internal attack, and data theft. Many such threats are being explored and are in varying stages of being addressed by a variety of industry consortiums and standards bodies, including the Storage Networking Industry Association (SNIA), the Internet Engineering Task Force (IETF), and the International Committee for Information Technology Standards (INCITS) Technical Committee T11 for device-level interfaces.

Network Storage Threats
There are three threat zones that affect networked storage regardless of the network protocol employed (see Figure 1). These threat zones are systems/connections; storage fabric and management services; and subsystems/media.

The system/connection threat zone includes computer systems such as application and management servers, and gateway devices that connect to storage infrastructures. The storage network may become vulnerable to unauthorized data access, denial of service attack, and/or service loss if the administrative or application access to the system or device is compromised. Unauthorized system access is often obtained through poorly managed configurations, unused services, or default settings. Once compromised, these systems can be used to attack media servers or to issue abusive requests to storage subsystems for the purposes of data theft, corruption, or service denial.

Storage Fabric
The second threat zone is storage fabric and transport. In the case of Fibre Channel networks, this includes the directors/switches along with SAN extension solutions across MAN/WAN networks. Threats at this layer include:

  • Data access from an unauthorized server: Storage administrators can direct specific storage traffic through segregated switch ports - essentially configuring which storage sources and destinations can communicate. Zoning and LUN masking are used to create the logical isolation, although determined hackers can bypass these security measures by spoofing or attacking the fabric management. This attack could result in material compromise of the storage network and pose a serious threat to data integrity.
  • Eavesdropping on data-in-flight: As storage networks are extended across public MAN/WAN networks, data should be encrypted to ensure privacy. Encryption solutions are typically used to securely tunnel storage data across lower-speed IP WAN networks using IPsec. However, due to the stringent performance and latency demands of real-time applications (e.g., synchronous mirroring), companies have often utilized WDM or SONET networks without encryption.
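The first bullet above makes the point that zoning and LUN masking are logical isolation, not authentication. The following constructed model (added here, not code from the article or from any switch or array vendor) evaluates a storage request against a zone table and a LUN mask, and contrasts zoning that checks only the initiator's presented WWPN with zoning that also binds that WWPN to the segregated switch port it is cabled to. All WWPNs and port numbers are made-up placeholders.

```python
from dataclasses import dataclass

# Constructed sample fabric: two application initiators and one array.
# Zone name -> (allowed initiator WWPN, switch port it is cabled to, target WWPN).
ZONES = {
    "zone_app1": ("10:00:00:00:c9:aa:aa:01", 1, "50:06:0e:80:00:00:00:10"),
    "zone_app2": ("10:00:00:00:c9:aa:aa:02", 2, "50:06:0e:80:00:00:00:10"),
}

# LUN masking on the array: target WWPN -> initiator WWPN -> set of visible LUNs.
LUN_MASK = {
    "50:06:0e:80:00:00:00:10": {
        "10:00:00:00:c9:aa:aa:01": {0},
        "10:00:00:00:c9:aa:aa:02": {1},
    }
}


@dataclass(frozen=True)
class Request:
    wwpn: str         # initiator identity as presented on the wire (attacker-controlled)
    switch_port: int  # physical port the frame arrived on (fixed by cabling)
    target: str
    lun: int


def zoned(req: Request, hard: bool) -> bool:
    """Soft zoning trusts the presented WWPN alone; hard zoning also requires
    the WWPN to arrive on the switch port it was registered for."""
    for wwpn, port, target in ZONES.values():
        if wwpn == req.wwpn and target == req.target:
            if not hard or port == req.switch_port:
                return True
    return False


def lun_visible(req: Request) -> bool:
    """LUN masking is a second, array-side layer keyed on the same identity."""
    return req.lun in LUN_MASK.get(req.target, {}).get(req.wwpn, set())


def access_allowed(req: Request, hard_zoning: bool) -> bool:
    """A request must pass both the fabric zone check and the array LUN mask."""
    return zoned(req, hard_zoning) and lun_visible(req)
```

Run with a request that presents app1's WWPN from port 2: soft zoning admits it, hard zoning does not, and in either mode the LUN mask still hides LUNs not assigned to that WWPN.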

Dore Rosenblum is vice president of marketing at NeoScale Systems.
