Security: The Elephant in the Storage Management Room Page 2



  1. Conduct a storage security audit. During your audit, take an accounting of all your back-end storage resources (see tip #2) to identify where vulnerabilities are most likely to occur, and include these in your report. A storage security audit can be as simple as a checklist of compliance with policies and procedures. The checklist guides a step-by-step inspection of hardware, software, logs, and records.

    Let your security goals guide your audit design and the amount of effort you put into it, and use existing checklists as models to help you with the design. Be sure to tailor your checklist to your organization and get buy-in from leaders and participants. Security experts from the Storage Networking Industry Association (SNIA) recommend these checklists as models:

    • The STRIDE risk assessment model focuses on six security risks: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service (DoS), and Escalation of privilege. STRIDE is described in more detail in a sample chapter on Threats and Risk Assessment online from Microsoft Press.

    • OCTAVE℠ is a general security assessment documented by CERT at Carnegie Mellon. OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.

    • A technical tutorial, “Storage Network Security,” is offered by SNIA and outlines ten steps to identify storage security risks.

    • A checklist of storage-specific security items is provided in SNIA's Storage Security Industry Forum (SSIF) Risk Assessment Tool.

  2. As you design your checklist and conduct your audit, look at several key areas in your storage network, including:

    • Host and application servers, for vulnerable access points where they connect to the Ethernet backbone.

    • The transport system itself, for outside threats of wire-tapping, traffic redirection or interception, or attacks via the gateway.

    • Your storage systems and media, for data vulnerabilities. Threats to data, especially archived data not accessed regularly but still critical to the organization, can cause permanent damage to an enterprise if the threats are successfully executed.

    • Who has access to the management console, and how. You may have all available security systems installed in your network, but one unauthorized person or system getting into your network through the console can negate all your efforts.

  3. After you conduct your security audit, prepare a plan to address:

    • Who has access to the network and why.
    • How you will handle accidental or unintentional changes.
    • What to do about denial of service attacks.
    • What you will do if an attack comes from within the firewall.
    • How to verify the configuration of your security system is correct.

  4. Speaking of a firewall, make sure you have one installed.

  5. Be sure to install all software patches from your manufacturer as soon as they become available. The community of Microsoft Windows users learned just how critical this lesson is with the recent Blaster worm experience.

  6. Keep learning about storage security. For more information on storage security, see the SNIA SSIF Web site. General security-oriented Web sites are also adding information about storage security. See Carnegie Mellon's CERT Web site, the SANS Institute, and the Security Forum.

  7. It’s your elephant — even if you're hesitant to admit it's sharing the room with you — so the best tips about how to make security work in your enterprise are the ones only you know. If you’d like to share your ideas with your fellow security wardens, email us at feedback@enterprisestorageforum.com.

» See All Articles by Columnist Marty Foltyn of BitSprings Systems
