Leaping Hurdles to Safeguard the SAN Page 2 - EnterpriseStorageForum.com

Leaping Hurdles to Safeguard the SAN Page 2

Locking Down Your SAN

So how do you go about locking down a SAN? There are a few key points to address.

The first thing to do is implement a corporate security policy that specifically includes storage security. Organizations that set a thorough security policy for their storage environment will go a long way toward raising the level of employee awareness. Policies should encompass passwords, authentication, and access. Passwords, for example, should probably be no fewer than 10 digits and should include a mix of letters (uppercase and lowercase) and numbers.

The corporate policy should also specify how often passwords are to be changed. Don't get too silly in this regard, however. Some policies are so stringent and demand changes so frequently that they actually drive users into insecure practices.

The second part of the equation is physical security. Locked doors and security guards don't go away. SAN security needs to be safeguarded with a physical presence to prevent theft of hardware and software. Other aspects of physical security to take into consideration include tapes being lost or data not being backed up properly. Devise ways to guard against this happening.

It's also important to continue enforcing existing storage security actions. Like everything else, there is defense in depth and layers of protection. Switch vendors offer zoning, for instance, and array vendors have LUN masking. Utilize all the avenues available to keep storage under wraps.

Another key point is encrypting your SAN's data. By encrypting information before it arrives at the SAN, the organization is effectively eliminating the danger posed by a hacker attack or internal insecurity. If someone creeps past the firewall and browses around in your storage pool, they won't learn very much. Or if someone walks out the door with some of your disks or tapes, they won't be able to decrypt the content.

This only applies, though, if the encryption level is high enough. Recent tests have demonstrated that even 50-bit encryption can be cracked within a few hours using sophisticated tools. The way around this is to increase the bit rate of encryption.

"Every time you add a [single] bit, it gives you double the protection," says Kent. "And 128-bit or above is probably going to be safe for another 50 to 100 years."

While that prediction may be a little optimistic, 128-bit encryption appears good enough at the moment for most uses. The military standard is 256-bit encryption and is known as FIPS 140-2 Level 3.

IT and security managers also need to remember to control internal access.

In addition to general encryption, SAN data can also be broken down according to user constituencies, seniority, and security clearance levels. That means, for example, HR people can't get into the transactional files. Similarly, certain functions, such as storage management, need to be locked down and access restricted to only a select number of people.

Data-centric Security

The common denominator of SAN insecurity appears to be a lack of differentiation between network and storage security.

"The problem is that few IT professionals understand both security and storage," says the Yankee Group's Gruener. "People have expertise in one discipline or another, but there's not much crossover."

A combination of traditional security measures, coupled with policy and encryption safeguards, is the key. If storage professionals assume that SAN data will eventually get into the wrong hands, no matter how good the perimeter defenses, they will gain a better understanding of the steps that need to be taken to safeguard their SANs.

Feature courtesy of eSecurity Planet.

» See All Articles by Drew Robb

Page 2 of 2

Previous Page
1 2

Comment and Contribute


(Maximum characters: 1200). You have characters left.



Storage Daily
Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date