Interview

Storage security client concerns

SearchStorageChannel.com editors
When soliciting vendors for storage management solutions, what are the top five questions to ask them about security as it relates to storage?
  1. What type of authentication are you supporting? The T11 FC SP draft recommends support of DH CHAP with RADIUS server.
  2. What type of encryption is used to secure traffic between the management entities? They may use SSL, SSH and in certain environments VPN/IPSec may help.
  3. How the encryption keys are stored and secured?
  4. How the secrets (e.g. passwords) are secured while in storage?
  5. What kind of access control (RBAC etc.) is supported?
Remember that the management network has several components -- and you want to probe the security for each component: managed entity (switches, ports, etc.), management server, management admin workstation and the network over which they are connected. Also, the traffic may traverse over Fibre Channel (FC) or IP -- you need to address both.

Ask expert Greg Schulz how to keep your stored data

    Requires Free Membership to View

    Login

secure at SearchStorageChannel.com. I want to create a secure SAN with data encrypted in flight over FC. I think the host and disk side will need some hardware for encryption. Is my thinking correct?
Your thinking is correct in the sense that customers have started thinking of protecting information over the FC network. Such information comes in two types: the management traffic and the customer data traffic. The management traffic often has less data to be encrypted and is considered more critical.

Get more technical advice about Fibre channel at SearchStorageChannel.com. Is there anything similar to Domain Controller that stores user names, separately or with WWN, port numbers and domain names, and verifies against them when the user logs into to a particular server? I didn't see any user credentials in SNS table of the switch.
The WWN and port numbers may be saved in the individual devices. However, the security credentials should be saved in the RADIUS Server -- assuming the vendor implements the CHAP protocol for authentication.

Ask Vijay Ahuja your data storage security question at SearchStorage.com. What are the best options for VARs to help customers who want to ensure secure backup?

VARs and channel professionals can help ensure their customers data is being protected by defining data protection and security strategies along with aligning applicable technologies, techniques and best practices to defend against applicable threat risks. For example, VARs can work with their clients to identify which system, applications and data are essential to keep a business running and aligning different data protection techniques such as remote data replication for critical data, regular backups combing point-in-time copy snapshots and other techniques for important data.

Cutting through the confusion of when to rely on backup to disk or tape, snapshots, off-site replication combined with where to leverage CDP or data deduplication or VTLs can be a daunting task that a VAR can assist their clients with. Consequently, a VAR can help their customers with risk assessment, technology alignment, best practices and looking for ways to help cost justify data protection solutions. One of the first things VARs should do however is make sure that their own environment is adequately protected using solutions, techniques and best practices that they would be selling to a client. Likewise if I'm a client of a VAR, one of the first questions I'm going to ask in addition to other references is how does a VAR protect its own business and data from various threats and risks.

Ask expert Greg Schulz how to keep your stored data secure at SearchStorageChannel.com. In light of the plethora of removable storage devices, such as flash drives, etc., what do you recommend for reducing the possibility of data being accessed by the "wrong people?" Also, what are the best methods and practices for encryption and password protection for these devices?

The proliferation of removable, high-capacity storage devices and fast data connections, such as USB and FireWire ports, make controlling data transfer at the desktop a major security issue. The threat of uncontrolled portable media devices is of particular concern because they can be used to remove confidential files from the network, bypass security systems and introduce malicious software.

As always, layered security is the best way to protect your data, and at the heart of your defenses has to be strong authentication and access control lists so you know who has access to what data. When using Windows, this requires that all data be stored on NTFS drives, which also allows you to encrypt sensitive data. With regard to your PCs, keep their cases locked and maintain control over physical access to them. They should all have the BIOS set to only boot from the hard drive to prevent users from booting them to an operating system stored on a portable device. The BIOS should also be password protected. You can use the Windows device manager to disable unwanted ports, such as FireWire or Bluetooth, to prevent their misuse. Your security policy should cover and restrict the use of privately owned devices within your organization, and where portable devices are allowed, the policy should state the need for passwords and encryption of any stored data.

Get more information about data security and backup at SearchStorageChannel.com. It seems that a blind eye is being turned to removable storage devices because of their portability and ability to transfer large amounts of data (such as over 25 million veterans' personal data). Not many places seem to understand the true risks that removable storage devices pose. So I question, if you're responsible for information security, where do you draw the line between convenience and strict security guidelines?

Unfortunately, it's impossible to draw a line that works for every organization. Choosing between security and business functionality has always been a struggle and it is up to the security officer, or whoever has been delegated this type of position, to decide what is best for the organization. There will be times when security needs outweigh business functionality needs and vice versa.

It is true that removable devices usually fly under the security radar. This is because security teams are too busy attempting to secure the more traditional methods used for data transfer, and removable storage devices have not fully hit the consciousness of those responsible for securing sensitive data, yet. Do not overlook PDAs, digital cameras, smartphones, Bluetooth and infrared devices. These are all potential points of danger; all allow data into and out of your environment, and must be properly identified and controlled.

It is also necessary to make users accountable for their actions. This is where most organizations fall short. Integrate removable storage risks into your security policy. Provide configuration standards for the type of product you choose to purchase and implement. Integrate these types of risks into your security awareness training programs and when people do not do as they are told, management should hold them accountable and potentially make an example out of them. Sadly, users will usually ignore the rules unless the rules are accompanied with repercussions. Since organizations can now get hit with penalties themselves (SOX, GLBA, HIPAA, Privacy laws, etc.) users need to be forced to act responsibly.

Read the rest of Shon Harris's answer on SearchSecurity.com.


Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top