Because storage area networks (SANs) pool data from disparate storage sources like databases, cloud systems, and flash arrays, a security breach can expose multiple data sources in one fell swoop. Without appropriate protective measures, SANs have inherent vulnerabilities that place customer and business data at risk.
In this article, we compile storage area network security best practices and guidelines to help enterprise business leaders and storage teams protect the data stored on their SANs.
Table of Contents
Preparing a SAN for Security
To begin the process of securing your enterprise’s storage area network, familiarize yourself with every part of the network, including entry points, major weaknesses, and its physical location in the organization.
1. Know Every Network Entry Point
Ensure that storage personnel can identify and track each SAN entry point, or any computing interface connected to the network that a user can access. Keeping consistent logs of these locations gives teams a comprehensive view of where threat actors might access the network. These points should be monitored closely for any unusual traffic that could indicate a vulnerability or active attack.
2. Know Your SAN’s Vulnerabilities
Before beginning the process of securing an entire storage area network, determine its vulnerabilities. What are common risks or exploited segments of a SAN? A few examples to pay attention to include:
- Changing Fibre Channel switch zones
- Logical unit number (LUN) masking attacks
- Unencrypted data
3. Keep Physical Security in Mind
Don’t neglect physical security while managing the technicalities of networks and applications. In many organizations—especially smaller enterprises—attackers can breach networks by just walking into an office with physical access. Secure the premises, expect credentials, and keep password or server information secure.
Additionally, access to servers and physical storage media should be restricted to IT and storage personnel who have undergone data security training. Giving too many people access to hardware can be a recipe for disaster, even if they mean well.
SAN Security Best Practices
To better protect SAN storage resources, follow these guidelines. Make sure executives and IT leaders are on board—you’ll need their support in taking extra time to implement security measures.
1. Protect Your Fibre Channel Network
Although Fibre Channel network protocols are generally more secure than IP-based ones, they still have vulnerabilities that can be exploited. Fibre Channel switches require hosts to be authorized before they can access a device on the network, but they still need to be authenticated.
Authorization and authentication are slightly different:
- Authorization determines whether a user can access certain resources and systems.
- Authentication determines whether users are actually who they say they are.
Protocols like the Switch Layer Authentication Protocol (SLAP) allow administrators to require digital certificates to authenticate Fibre Channel switch ports. Authorization isn’t sufficient on a storage network, because it only determines if a user is able to access a system; it doesn’t reveal whether they should access it. Authentication is a key tool here—every user and client that attempts to access a SAN should be required to verify their identity.
2. Don’t Neglect Other Data Protection Technologies
Other technology can help secure your SAN data over the long term. Backup plays an important role in a strong SAN architecture. Although backup will not secure a network on its own, it will allow system administrators to recover data in some situations if it’s stolen.
When a threat actor accesses a storage area network with a denial of service (DoS) attack, for example, an off-site backup means the data stored on the SAN is still available elsewhere. Good backup practices like the 3-2-1 back up rule —keep three copies of your data on two different types of storage, with one of them offsite—can provide some peace of mind.
Another good way to boost security is to use SAN architecture that supports a scalable network, according to Ryan Mitchell, senior director of the enterprise integration group at HPE Storage. Doing so will simplify implementation and maintenance procedures.
Your enterprise SAN should be flexible enough to scale, easy to support, and resilient against unexpected failures, he said. With flexibility comes an increased need for protection, however—the more data moves, the more enterprises need to secure it.
Read about the best practices for overall enterprise storage security.
3. Encrypt All Data
Although encryption can be challenging for businesses to implement across their entire infrastructure, it should be a priority—particularly on a sprawling storage network. Ideally, SANs should have end-to-end encryption policies and encrypt data at rest, not just data in motion.
Even inexperienced teams can use software solutions that make encryption easier, according to Bruce Kornfeld, chief marketing and product officer at StorMagic.
“Traditionally, encryption has been an expensive and complex task, but newer technologies and management tools have brought the cost way down… even if they don’t have deep security expertise on the storage team,” he said. Enterprise-grade encryption key management tools in particular reduce the manual burden on security or IT teams.
4. Implement Intrusion Detection Systems and Intrusion Prevention Systems
If an attacker breaches an enterprise’s SAN, IT should be able to detect it quickly to begin mitigation procedures and halt the spread. An intrusion detection system (IDS) alerts businesses to strange behavior on the network, such as excessive login attempts or unusual patterns of lateral movement. An intrusion prevention system (IPS) works to halt threats or mitigate their negative effects. Often, these capabilities are bundled in intrusion detection and prevention tools.
Another option is an endpoint detection and response tool that supports network devices like routers and switches. EDR products are some of the most comprehensive tools on the security market, and they’ll give you plenty of security data to examine. But many of them won’t be very feasible for small businesses, so keep that in mind while shopping for additional protective tools for your SAN.
5. Focus on Proper Access Controls
Authentication is one of the most important pieces in a SAN security framework. Security won’t successfully happen without strong access controls. Employees should only be granted access to the hardware and applications they absolutely need to do their job. This applies to storage and IT personnel, too—they should only receive credentials to a system when it’s mission critical to view that data.
The business should regularly update access controls. If a storage team member changes roles and no longer needs the same level of access, that should be reflected in the SAN permissions granted to them. This requires storage managers to be on top of role changes and company exits. Permissions should change as soon as possible—even if nothing bad would happen, it still sets a good precedent for overall storage security.
Bottom Line: Protecting Your Business’s Storage Area Network
Enterprise SANs often store large volumes of data and pool it from multiple storage systems. It’s not wise to leave all that data unprotected—in fact, it’s absolutely critical to secure it. But how can storage teams—especially small ones—successfully secure their data when many cyberattackers have the upper hand?
It’s important for your storage team to not become so overwhelmed that it doesn’t take action at all. If you need to implement one best practice at a time, do that. Your organization’s overall security posture should be a critical business priority, and protecting scored data plays a major role in a cybersecurity strategy.
Read about the five major types of enterprise data storage next.