Conducting a storage area network security audit is a good starting point to reveal both the weaknesses and strengths of your enterprise storage network’s cybersecurity posture. When done correctly, audits are comprehensive surveys of SAN security.
Storage area networks can be challenging to secure because networks have multiple devices and systems connected. But SAN security is critical for every organization that stores sensitive data on their SANs, both to protect confidential enterprise data and to remain compliant with regulatory requirements. Follow these guidelines to prepare your business for a storage area network security audit.
How to prepare for a storage area network security audit
- Identify and document every storage system and interface
- Address governance
- Perform penetration tests on your storage network
- Know your business continuity and disaster recovery stance
- Document all backup locations and procedures
- Run a pre-audit
- Talk with SAN vendors
- Bottom line: Conducting a SAN security audit
Identify and document every storage system and interface
Identifying all storage locations on the SAN is an important way for businesses to manage their storage security. If teams have documented all storage interfaces, it’ll be easier to identify a compromised or unauthorized device. For example, a server might have multiple SATA interfaces for hard drives. When teams track each port, they can more readily locate a rogue device or anomalous traffic.
Third-party auditors may also expect businesses to be able to show documentation for all storage solutions on the network. Keep in mind that if you’re auditing for regulatory compliance, you may be required to identify all locations in which personal or protected data is stored.
Address governance
Governance, or the management of data storage policies and procedures, plays a role in a security audit as well. Organizations should be able to demonstrate how they handle data security rules. To address data governance for your storage networks, ask the following questions:
- Who in this organization is responsible for data management?
- Does our business have clearly designated and documented procedures for storing data safely?
- Do all storage users have access control limits that fit their role?
- Are strong passwords in place for all user accounts on the SAN?
Your business needs to be able to show that data is managed by clearly defined policies and that you’ve put security measures in place for all storage systems on a SAN. Documentation is one way to do this. A list of all data security policies, including access control limitations, will show auditors, whether internal or external, that your storage team is handling storage network security responsibly. Ensure that you back up stored copies of documented security policies, too.
Perform penetration tests on your storage network
Enterprise penetration tests are done by professional hackers paid to find vulnerabilities and backdoors in IT infrastructure. Conducting a pen test, using either an in-house employee or a third-party vendor, is one of the best ways to prepare for a security audit.
Some providers even perform pen tests specific to storage systems like SANs and NAS arrays. They can test operating systems, storage protocols, networks, and servers. Because pen testers are themselves hackers, they’ll carry out breach exercises that represent what cyberattackers would actually do. Penetration testing reveals gaps in an organization’s storage that would allow an attacker to breach it.
Pen testing is also eye-opening for employees. Even your experienced storage personnel will learn more about SAN security if they’ve never seen a pen test take place. These tests show storage teams exactly what to address before an audit. Businesses can use pen tests to prepare for a SAN audit or employ them as part of the audit itself, since a pen test is itself an examination and a type of audit.
Know your business continuity and disaster recovery stance
While SAN security typically refers to cybersecurity, an official examination like an audit needs to cover other components of data security, too. Business continuity covers enterprise measures taken to avoid loss. Losses include anything from a natural disaster destroying a data center to a malicious employee who steals data and sells it to competitors.
Disaster recovery falls into the business continuity category but specifically refers to disasters, whether natural, technological, or both. Planning for disaster recovery requires businesses to prepare for floods and tornadoes as well as server outages.
SANs are impacted by loss, including disasters and deliberate situations like data theft. A thorough storage security audit will examine how your business handles both intentional and accidental loss.
Likely, your organization will need both a broad business continuity plan and a specific disaster recovery plan. For business continuity, ask the following questions:
- Are all relevant stakeholders aware of the potential losses that can happen within our organization?
- Do we have a clearly determined business continuity team to handle risks?
- If we have a BC team, is there an established chain of command for making decisions?
For disaster recovery, ask the following questions:
- Do the storage systems on our SAN have recovery time objectives (RTOs, how quickly a system must be restored) and recovery point objectives (RPOs, how much data loss is acceptable), so we know when we need to recover data before unacceptable loss occurs?
- Are our backup and recovery software solutions actually capable of recovering data in those time frames?
- Do we have recovery sites in multiple physical locations in case one is destroyed or temporarily disabled?
- Have we run test scenarios yet? If so, what weaknesses does our disaster recovery testing reveal?
Answering these questions will reveal where your business continuity and disaster recovery strategies need to improve and will help your business prepare for a SAN audit.
Document all backup locations and procedures
Backup goes hand in hand with business continuity and disaster recovery, but it’s still helpful for overall cybersecurity. While backups can’t mitigate a zero-day attack or neutralize the effects of malware, they do provide businesses with an additional copy of data if a cybersecurity attack eliminates the original one.
Backups should be stored in multiple locations, too, and a SAN security audit should reveal documentation of each backup copy and location. Although this may seem excessive, it’s good in general for employees to know where backup data is stored in case they must report that to storage and security leaders. Documenting each backup copy is critical for recovery procedures. Employees will have an easier time following restoration guidelines when they know where all backups are kept.
Additionally, document thorough backup procedures. This may fall under your organization’s disaster recovery or business continuity plans. For each storage system or device on the SAN, team members should know which backup copy to use and in what time frame that system or device must be restored. They should also know which employee is in charge of each backup process.
Being able to track all backups shows that your business has a logical plan for data loss and outages, whether those outages come from cyberattacks or natural disasters.
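As an added example that is not part of the original article, the following Python script turns the disaster recovery questions above (RPO, RTO, multiple recovery sites, restore tests) and the backup documentation checks in this section (a named owner per backup process) into a pre-audit check over a constructed inventory; every field name and sample value is an assumption for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: one entry per storage system on the SAN.
# Field names are assumptions for this example, not a real product's schema.
INVENTORY = [
    {"system": "san-vol-finance", "owner": "j.doe",
     "rpo": timedelta(hours=4), "rto": timedelta(hours=2),
     "last_backup": datetime(2024, 5, 1, 6, 0),
     "backup_locations": ["dc-east", "dc-west"],
     "last_restore_test_duration": timedelta(minutes=90)},
    {"system": "san-vol-hr", "owner": "",
     "rpo": timedelta(hours=1), "rto": timedelta(hours=1),
     "last_backup": datetime(2024, 4, 30, 22, 0),
     "backup_locations": ["dc-east"],
     "last_restore_test_duration": None},
]

NOW = datetime(2024, 5, 1, 8, 0)  # constructed "time of the pre-audit"


def audit_system(entry, now=NOW):
    """Return a list of findings; an empty list means the system passes."""
    findings = []
    if not entry["owner"]:
        findings.append("no named owner for the backup process")
    if len(set(entry["backup_locations"])) < 2:
        findings.append("backups kept in a single location")
    backup_age = now - entry["last_backup"]
    if backup_age > entry["rpo"]:
        findings.append(f"last backup is {backup_age} old, exceeds RPO {entry['rpo']}")
    tested = entry["last_restore_test_duration"]
    if tested is None:
        findings.append("no restore test has been run")
    elif tested > entry["rto"]:
        findings.append(f"last restore took {tested}, exceeds RTO {entry['rto']}")
    return findings


def audit_inventory(inventory, now=NOW):
    """Map each system name to its findings so gaps are visible before the audit."""
    return {e["system"]: audit_system(e, now) for e in inventory}


if __name__ == "__main__":
    for system, findings in audit_inventory(INVENTORY).items():
        print(("PASS " if not findings else "FAIL ") + system)
        for finding in findings:
            print("  - " + finding)
```

Running it against the constructed inventory passes the finance volume and reports four findings for the HR volume, which is the kind of list a storage team would want to close before the official audit.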
Run a pre-audit
Practicing an audit in advance not only helps your storage teams be more prepared for the actual day, but it’s also a good way to observe what might come up in the official audit and correct some of those glaring errors in advance.
“Think of it as having your team go through all of the motions that you’d expect to test in the actual audit, but running through it with your own internal team first before any external audit,” said Chris Novak, managing director of Verizon’s Threat Research Advisory Center. An internal pre-audit reveals relatively easy issues that organizations can fix before they perform the official audit.
“Catching that in an internal pre-audit saves you time and money, as it’s one less area that an external auditor would have to spend time on or have to come back later and re-verify that it passes,” Novak said.
He also points out that interpretations of audits will vary regardless. “But the benefit of the pre-audit is that you can minimize that as much as possible and get through the final audit more quickly and cost effectively,” he said.
Talk with SAN vendors
It is also worthwhile to communicate with your storage networking provider, especially if they’ve recently released any new security updates. Chris Novak recommends talking with SAN vendors about their implementation advice for stronger security.
“Most vendors will have this documentation readily available and produce new versions of it as security issues are identified and addressed,” he said. “Typically, the out-of-the-box configurations are intended to be easy for setup but lacking in terms of security. The vendor is typically going to be able to give a good sense of what hardening and tightening could and should be considered from a security perspective.”
According to Novak, taking the more dedicated approach to SAN setup will result in better organizational security in the long run.
“My suggestion is to look for their highest or strictest security posture documentation. It won’t necessarily work for every organization’s individualized risk posture, but if you start from the strictest and work your way back, you are at least starting from the most secure position,” he said.
If your storage networking provider has available security documentation, make use of it. While configuring additional protections might take some time and a little more education for inexperienced employees, it also prepares your business for a better overall audit process.
Bottom line: Conducting a storage area network security audit
SAN security audits take time to perform, whether you’re doing the audit yourself or hiring a third party to perform it. But with preparation and practice, audits don’t have to be scary. They’re a highly useful tool for improving storage security. Auditing SANs in particular will reveal the security of the network itself as well as the individual storage systems on the SAN.
While an audit will not fix all your storage security problems, it’s a fantastic starting point for IT and storage professionals that want to improve their security posture but aren’t sure what steps to take.