According to legend, when bank robber Willie Sutton was asked why he robbed banks, he replied "because that's where the money is." In his autobiography, Sutton denies ever having made that statement, but the quote nevertheless persists.
Regardless of its truth, this story has important security implications for enterprise storage managers. Widely distributed storage such as traditional direct attached storage (DAS) doesn't present much of an attraction to hackers, since it requires too much work for a low chance of return.
But with server consolidation, Network Attached Storage (NAS), and Storage Area Networks (SANs) bringing a corporation's intellectual assets into one location (virtual or otherwise), these attractive data depositories must be protected like Fort Knox. Unfortunately, organizations have been slow to realize this.
"Direct attached storage has good security, but NAS has definite security issues and weaknesses," says Brandon Hoff, McDATA Corp.'s advisor to the Storage Networking Industry Association's (SNIA) Storage Security Industry Forum (SSIF). "Centralizing and globalizing storage means that it is exposed on the network."
Perimeter defenses such as firewalls and honey pots (sometimes) keep out hackers, and intrusion detection systems (hopefully) catch invaders before they do too much damage. At least that's the theory. Ninety percent of respondents to the FBI/Computer Security Institute's 2002 Computer Crime and Security Survey, though, reported that they had detected computer security breaches within the previous 12 months. We don't know whether the other 10% had adequate security protection or lacked adequate means of detecting breaches.
While most of these attacks are small scale, some are large enough to make the headlines, such as the incident this past February where someone hacked into a database containing 8 million Visa, MasterCard, and American Express credit card account numbers.
Then there are all the internal jobs, such as the case where an employee of credit report processing firm Teledata last year was arrested for accessing the credit reports on more than 30,000 people and selling them to criminals for $60 each, and the case of an ISM Canada employee who was accused of stealing a hard drive containing personal information on more than one million customers.
"Consolidation of resources opens storage up to a number of security risks that did not exist in the past," says Nancy Marrone, senior analyst for the Enterprise Storage Group. "Administrators now need to make sure each client is secure and that each portal to the storage itself cannot be breached."
Although companies have their own business reasons for protecting storage assets from destruction or illegal access, there is now outside pressure to ensure they do so as well. At least two of the above incidents, for example, have resulted in the filing of class-action lawsuits.
In addition, there are a growing number of laws regulating the field. Companies doing business in Europe must comply with the EU Data Privacy Directive, which lays out strict rules regarding the gathering, storage, and transmission of personal data.
In the United States, there is the Health Insurance Portability and Accountability Act (HIPAA), which similarly sets data privacy standards, and the Gramm-Leach-Bliley Act, which applies specifically to financial records.
Further, the State of California last September passed Senate Bill 1386, which mandates that, beginning July 1, 2003, companies must notify California residents whenever there is a security breach resulting in their personal data being acquired by an unauthorized person. This applies whether or not the data is stored in California. Such announcements could have severe implications for stockholder as well as public confidence.
"CEOs and CFOs have recently become far more interested in storage security," says Hari Venkatacharya, senior vice president of Secure Networked Storage for Mississauga, Ontario-based data security firm Kasten Chase, "since they have to sign off on it for regulations such as HIPAA."
Storage Security Scramble
According to analysts, there's no quick fix that will instantly protect enterprise storage assets. Instead, it requires a comprehensive, end-to-end enterprise solution.
"Companies need to assess the vulnerability of storage from multiple perspectives," maintains Marrone. "After assessing, they need to make sure they have every access point secured, and if they have particularly sensitive data, they should look into further protecting it through encryption of the data at rest."
Several companies have released appliances specifically designed to perform this type of encryption, including NeoScale Systems, Inc.'s CryptoStor FC, Vormetric, Inc.'s CoreGuard, and Decru, Inc.'s DataFort.
Kasten Chase Applied Research, meanwhile, takes a non-appliance approach with its Assurency Secured Network Storage.
"The vulnerability in using an appliance is that it doesn't scale as well," says Venkatacharya. "In addition, an encryption appliance can affect LUN masking [Logical Unit Number — an identifier used on a SCSI bus to distinguish between devices sharing that bus]."
In addition to the new storage security software and devices which are coming out, SNIA has also been working with the industry to formulate much needed standards for security.
"The Storage Security Industry Forum is working to establish best practices and to educate customers," says Hoff. "Security is 80% planning and 20% implementation."
The American National Standards Institute (ANSI), too, is addressing the area of security standards through the Fibre Channel Security Project (FC-SP). FC-SP operates under ANSI's Technical Committee T11, the body that works in the fields of Fibre Channel and storage network management.
The Internet Engineering Task Force (IETF) is also addressing the issue through its IP Storage Group (IPS). IPS is not developing its own standards so much as adapting those set by T11 and T10 (SCSI) for use in transmitting storage blocks over an IP network rather than over Fibre Channel or SCSI. In particular, it is addressing the areas of security, naming, discovery, and configuration.
"The industry wants to establish one standard for security," Hoff continues. "We want to take the established networking best practices and adapt them to storage since network administrators already understand those standards."
With all these new standards, devices, and software hitting the market, security then comes down to that final 20% Hoff spoke of — implementing it on individual storage systems.
As the SQL Slammer worm illustrated, getting people to keep their systems secure is still a weak point. But if you don't, the IT-savvy progeny of Willie Sutton are standing by to pay your storage a visit.
This feature originally appeared on Datamation.