Storage area networks (SANs) connect storage solutions, like databases, cloud systems, and flash arrays, allowing storage personnel to access data from geographically distributed locations. But not everyone should have access to the data on a SAN, and SANs need to be protected from threat actors. SANs have vulnerabilities of their own, which place both customer and business data from multiple systems at risk.
The storage area network security best practices and guidelines below give both enterprise business leaders and storage teams recommendations as they work to secure their SANs:
How to secure a SAN
To begin the process of securing your enterprise’s storage area network, familiarize yourself with every part of the network, including its entry points, major weaknesses, and physical presence in the organization.
Know every entry point on the network
Ensure that your storage personnel can identify and track each SAN entry point — each place where users access the network. Keeping a log of these points gives teams a comprehensive view of where threat actors could also access the network. These points should be monitored closely for unusual traffic that indicates a vulnerability or a cyberattack.
Know your SAN’s vulnerabilities
Before beginning the process of securing an entire storage area network, your enterprise must first determine the SAN’s vulnerabilities. What are common risks or exploited segments of a SAN? A few examples to pay close attention to include changes to Fibre Channel switch zones, logical unit number (LUN) masking attacks, and unencrypted data.
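One way to watch for zone changes and LUN masking tampering is to compare the current fabric configuration against an approved baseline. The sketch below is an added example, not code from the original article; the snapshot format (a map of zone or LUN name to member WWPNs) and every name and WWPN in it are assumptions made for illustration.

```python
# Added example: audit a SAN zoning / LUN-masking snapshot against an approved baseline.
# Zone names, LUN ids and WWPNs are constructed sample data, not from any real fabric.
HOST_A = "10:00:00:00:c9:aa:aa:01"
HOST_B = "10:00:00:00:c9:aa:aa:02"
ARRAY = "50:06:01:60:bb:bb:00:01"
UNKNOWN = "10:00:00:00:c9:ff:ff:99"   # not in any approved record
RETIRED = "10:00:00:00:c9:aa:aa:07"   # decommissioned host, no longer zoned

BASELINE_ZONES = {"z_hostA_array": {HOST_A, ARRAY}, "z_hostB_array": {HOST_B, ARRAY}}
CURRENT_ZONES = {"z_hostA_array": {HOST_A, ARRAY, UNKNOWN}, "z_hostB_array": {HOST_B, ARRAY}}
BASELINE_MASKS = {"lun_0": {HOST_A}, "lun_1": {HOST_B}}
CURRENT_MASKS = {"lun_0": {HOST_A}, "lun_1": {HOST_B, UNKNOWN}, "lun_2": {RETIRED}}


def diff_membership(baseline, current):
    """Compare two {name: set(WWPNs)} maps and list every deviation from the baseline."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:                      # zone or LUN mask that was never approved
            findings.append(("ADDED", name, sorted(new)))
        elif new is None:                    # approved entry that has disappeared
            findings.append(("REMOVED", name, sorted(old)))
        else:
            findings += [("MEMBER_ADDED", name, w) for w in sorted(new - old)]
            findings += [("MEMBER_REMOVED", name, w) for w in sorted(old - new)]
    return findings


def unzoned_initiators(zones, lun_masks):
    """Initiators still allowed by LUN masking but present in no zone (stale entries)."""
    zoned = set().union(*zones.values())
    return sorted((lun, w) for lun, allowed in lun_masks.items()
                  for w in allowed if w not in zoned)


if __name__ == "__main__":
    for finding in (diff_membership(BASELINE_ZONES, CURRENT_ZONES)
                    + diff_membership(BASELINE_MASKS, CURRENT_MASKS)):
        print(finding)
    print(unzoned_initiators(CURRENT_ZONES, CURRENT_MASKS))
```

Running the comparison on a schedule and alerting on any finding that has no matching change ticket turns the baseline into a detection control.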
Keep physical security in mind
Don’t neglect your company’s physical security while managing the technicalities of networks and applications. In many organizations, especially smaller enterprises, attackers can still gain access simply by walking into an office. Secure the premises, require credentials, and keep password and server information secure. Access to servers and physical storage media should be restricted to IT and storage personnel who have undergone data security training.
SAN security best practices
Protect your Fibre Channel network
Although Fibre Channel network protocols are generally more secure than IP-based ones, they still have vulnerabilities that can be exploited. Fibre Channel switches require hosts to be authorized before they can access a device on the network. However, those hosts still need to be authenticated.
Protocols like the Switch Layer Authentication Protocol (SLAP) allow administrators to require digital certificates to authenticate Fibre Channel switch ports.
Authentication is a key tool here: every user and every client that attempts to access a SAN should be required to verify their identity. Authorization isn’t sufficient on a storage network, because it only determines if a user is able to access a system; it doesn’t reveal whether they should access it.
Don’t neglect other data protection technologies
Other technology can help secure your SAN data long-term. Ryan Mitchell, senior director of the enterprise integration group at HPE Storage, believes that backup plays an important role in a strong SAN architecture.
“Incorporate the 3-2-1 storage rule: have three copies of your data, on two different types of storage, and one off-site backup,” Mitchell said.
Although backup will not secure a network on its own, it will allow system administrators to recover data in some situations if it’s stolen. When a threat actor accesses a storage area network and causes an outage, through an attack like denial of service (DoS), an off-site backup means the data stored on the SAN is still available elsewhere.
Mitchell also cited the importance of developing a SAN architecture that supports a scalable network.
“Getting the right architecture in place, based on an assessment of your current and future needs, will make implementation and maintenance much easier,” he said.
“Design your enterprise SAN to be flexible enough to scale (in capacity and compute), easy to support, without any latency bottlenecks, and resilient against unexpected failures. Build an architecture that provides the flexibility to move data back and forth between edge, data center and cloud.”
With flexibility, however, comes an increased need for protection. The more data moves, the more enterprises need to secure it, and data is vulnerable to attacks both in motion and at rest. Although moving data between environments should involve multiple security measures, one of the simplest is encryption.
Encrypting all data
Although encryption can be challenging for businesses to implement across their entire infrastructure, it should be one of IT’s greatest priorities, particularly on a sprawling storage network. Ideally, SANs should have end-to-end encryption policies. They should encrypt data at rest, not just data in motion.
Even if a team is inexperienced in encryption technologies, there are software solutions that make that process easier, according to Bruce Kornfeld, chief marketing and product officer at StorMagic.
“Make data encryption really easy and affordable for all users. In the world of security, bad things are bound to happen,” Kornfeld said.
“It is very hard to keep bad actors away from all systems. However, every organization should be prepared for the worst case and encrypt all of their data, particularly in their storage area networks.”
Kornfeld acknowledges the difficulties of encrypting all data in the past but encourages companies to take advantage of the encryption management solutions that are now available to them.
“Traditionally, encryption has been an expensive and complex task, but newer technologies and management tools have brought the cost way down and make it easier for any IT department to handle – even if they don’t have deep security expertise on the storage team,” he said.
“There are enterprise-wide encryption key management solutions that eliminate the pain of managing all of the encryption keys.”
Kornfeld used Morgan Stanley’s recent fine as an example. The financial firm didn’t properly encrypt its hardware. When Morgan Stanley disposed of the hardware years ago, the data on the drives and servers was neither encrypted nor appropriately destroyed. The firm was then fined $35 million. Failing to encrypt customer data can subject businesses to significant fines, especially if they break major regulations, like the GDPR.
Implement intrusion detection systems and intrusion prevention systems
If an attacker does breach an enterprise’s SAN, the IT or storage team should be able to detect it quickly, so they can begin mitigation procedures and halt the attack’s spread. An intrusion detection system (IDS) and an intrusion prevention system (IPS) alert businesses to strange behavior on the network, such as excessive login attempts or unusual patterns of lateral movement.
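The "excessive login attempts" signal described above can be expressed as a sliding-window count of failed logins per source. The following is an added example, not part of the original article; the log line format, device name, addresses and thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines from a hypothetical SAN switch management log.
# Assumed format: <timestamp> <device> login <OK|FAIL> user=<name> src=<address>
SAMPLE_LOG = """\
2024-05-01T10:00:00 san-sw1 login FAIL user=backup src=10.0.7.8
2024-05-01T10:00:01 san-sw1 login FAIL user=admin src=10.0.5.23
2024-05-01T10:00:05 san-sw1 login FAIL user=admin src=10.0.5.23
2024-05-01T10:00:09 san-sw1 login FAIL user=root src=10.0.5.23
2024-05-01T10:00:14 san-sw1 login FAIL user=admin src=10.0.5.23
2024-05-01T10:00:20 san-sw1 login FAIL user=admin src=10.0.5.23
2024-05-01T10:02:00 san-sw1 login OK user=storage1 src=10.0.7.9
2024-05-01T10:03:00 san-sw1 login FAIL user=backup src=10.0.7.8
2024-05-01T10:06:00 san-sw1 login FAIL user=backup src=10.0.7.8
2024-05-01T10:09:00 san-sw1 login FAIL user=backup src=10.0.7.8
2024-05-01T10:12:00 san-sw1 login FAIL user=backup src=10.0.7.8
""".splitlines()


def excessive_failures(lines, threshold=5, window_s=60):
    """Return {source: timestamp at which it first reached `threshold`
    failed logins within `window_s` seconds}. Lines must be in time order."""
    recent = defaultdict(deque)   # source -> timestamps of failures still in the window
    alerts = {}
    for line in lines:
        ts, _device, _event, result, _user, src = line.split()
        if result != "FAIL":
            continue
        when = datetime.fromisoformat(ts)
        src = src.split("=", 1)[1]
        window = recent[src]
        window.append(when)
        # Drop failures that have aged out of the window.
        while (when - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = when.isoformat()
    return alerts


if __name__ == "__main__":
    print(excessive_failures(SAMPLE_LOG))
```

The source with five failures in twenty seconds is flagged, while the source with the same number of failures spread over twelve minutes is not, which is the distinction a fixed per-day counter would miss.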
Focus on proper access controls
Authentication is one of the most important pieces in a SAN security framework. Security won’t succeed without strong access controls. Employees should only be granted access to the hardware and applications they absolutely need to do their job. This applies to storage and IT personnel, too: they should only receive credentials to a system when it’s mission critical to view that data. The business should regularly update access controls: if a storage team member changes roles and no longer needs the same level of access, that should be reflected in the SAN permissions granted to them.