Storage Security, the Last Line of Defense
We have all heard about the high-profile cases of groups hacking into a system and making off with the loot. Once the hacker gets into a system, it is pretty clear that anything the hacker wants is fair game. Of course, that starts with getting root access, and once the hacker gets root access, any files that were yours are, in most cases, the hacker's. This begs two questions:
- Should the datapath be made more secure?
- If the datapath should be more secure, how do we make it so?
Should the Datapath Be Made More Secure?
As crazy as it seems, people have told me there is no need for storage security; all that is needed is network and OS security, and securing the file system and data path is not important. Their argument is that storage security is far too hard to manage. Of course, I ask what they mean and I do not seem to get a straight answer very often. What I think people are concerned about is the complexity of key management for disk drives, but this is only one aspect of storage security. Disk encryption allows the easy destruction of a disk once it has been removed from a system. Disk encryption does not prevent anyone getting into the system from accessing data from your system, as the encryption is done by disk drive when written and it is decrypted when read. The argument that the OS and network, including user passwords, is all the security that is needed is a flawed argument in my opinion.
If hackers want access to your system, there must be multiple levels of security to prevent total access and limit damage if someone does break into the system. If you have valuable data, think of it as when someone breaks into the system -- as an attempt will likely be made, and hackers have been very successful of late.
How to Increase Security
I believe storage security needs must start at the file system and have multiple layers, including some for large systems, potentially the Fibre Channel network, but I believe storage security must begin at the file system. The current framework with user (UID), group (GID) and potential access control lists (ACLS) does not provide the needed security. Once someone gets root access, the game is over, and all of the files are available. Of course, users could encrypt the data, but without a standard for per-file encryption and key management that everyone agrees on for every file system from MVS to Linux to Windows to whatever, this becomes a problem for management, which might need access to the files of a fired employee or an employee who goes on a four-week vacation and forgets the encryption key. I use an encrypted disk partition with TrueCrypt that has more than a 20 character key -- but what if I have a stroke next Monday? How will anyone get my files off of my computer? Honestly, they cannot without great difficulty because no one is going to guess my key, and it will have to be cracked the hard way and at a large cost in terms of time and money.
The answer in my opinion is SELinux (Security Enhanced Linux) and MLS (multi-level security). The history of proprietary security enhanced operating systems is a sordid one. From UNICOS on Cray Research machines to Secure Solaris, Secure IRIX and a long list of other vendor-secure MLS operating systems, no system has ever gone on to commercial success. None of these operating systems or any other have had broad market acceptance outside of a few sites. Rarely, if ever, have they been considered in the commercial world. There could be many reason why. Here are a few I can think of:
- Market timing for the OS and the specific hardware did not meet requirements because the performance requirements exceeded what the vendor could offer
- Limited feature set where an OS supported only a local file system with performance that did not match application requirements and backup, and HSM applications did not work.
- People did not care much about security except for a few government sites
- Administration costs too much, given specialized training needed for each operating system
Those are some of the reasons, but I think likely the most important reason is MLS systems are difficult for users trying to do things the way they have done in the past, given security constraints. Users can no longer share files the way they are used to, as each file will have a set of security constraints based on the security level specific to that user. Even if two users are at the same level, they still might not be able to share files as easily as they had before as the administrator could set many other security constraints. Logging in as a superuser (root) does not mean if setup properly that you can see all of the files or even any of the files, and changing things on the system without everything being logged is impossible. If a hacker gets superuser access in a system, he might have access to everything from the files to the system logs. This will allow the hacker to erase traces of what was done.
Fixing the Mess
My modest proposal is that SELinux become the base for all systems and that we all adopt it and make it work with things like NFS CIFS, shared file systems and NAS file system. Operating systems should support this hierarchy. This will require changes to the way everyone does business, from the vendors that will need to make some changes, to the standards bodies that will have to adopt new frameworks to access, to administrators and users to how they exchange files, to how systems are administered. Changes will need to be made to file systems to support the new security requirements. This will be a major change for things like shared file system, which will require authentication.
What about network access to file systems with NFS and CIFS? I expect they will likely have to have additional authentication to support these new security frameworks and new standards. SELinux is not the be-all and end-all to solve all security problems and issues, but it surely is a step in the right direction, addressing something that has gotten little attention in the current hacker-rich environment. SELinux helps protect the security of the data if someone gets into the system. Of course, if SELinux is poorly configured or people use absurdly simple passwords, such as abc123 or something similar, all bets are off, as all the hacker has to do it log in as each user. It is a bit more difficult, but it is still pretty easy. I think with all the recent hacks from Sony, to news outlets, to government sites all over the world, it is time we all turn up the level of effort and stop just depending on perimeter security. We must get serious about end-to-end security with IPv6 and IPSEC, much stronger passwords as a requirement and SELinux. The whole area of strong passwords and strong authentication must be addressed so employees forget them can be authenticated and able to get into the system.
None of this is going to be simple, but today a single, unsecure outside-facing machine with network access allows inside access to myriad machines. We must move to much stronger authentication in operating systems and for data access, and I believe SELinux is a very good step in the right direction.
Henry Newman is CEO and CTO of Instrumental Inc. and has worked in HPC and large storage environments for 29 years. The outspoken Mr. Newman initially went to school to become a diplomat, but was firmly told during his first year that he might be better suited for a career that didn't require diplomatic skills. Diplomacy's loss was HPC's gain.