Ultimate Storage Area Network (SAN) Security Checklist

Securing storage area networks (SANs) has always been necessary, but it’s even more important in the current business cybersecurity climate. SANs connect multiple storage systems, including solid-state arrays, databases, and servers that run virtual machines. If a cyberattacker infiltrates a SAN, multiple sources of data are compromised. A distributed denial-of-service attack could take down the storage network, even if the data itself isn’t stolen.

Implementing thorough security controls on your SAN helps protect both customer and proprietary data. It also improves procedures like audits and enables organizations to recover more quickly from disasters. This checklist covers major steps that your enterprise should take when securing the multiple layers of storage area networks.

1. Change all admin and default passwords.

All admin passwords on storage devices and servers must be changed from default settings. Often, storage arrays, servers, and routers are manufactured with simple default passwords. Threat actors commonly know these passwords or find them easy to guess, which puts the entire storage network at risk. IT and storage teams should change these passwords to strong, difficult-to-guess credentials. The new credentials should also be stored in encrypted form, such as in a password management system.

Note that some network technology, like routers or servers, comes with hard-coded passwords. Hard-coded passwords are embedded into the software that manages the hardware, and they’re extremely difficult to change. If your enterprise can help it, avoid using any devices with hard-coded passwords, and if you must, ensure that experienced IT personnel immediately patch the software so that the password can be changed.

2. Take inventory of every storage solution.

To take inventory of your business’s storage, follow these steps:

  • Account for all storage solutions on the network. This means that the company should quickly be able to identify each storage device, array, and virtual machine on the network and confirm that no unexpected or unapproved devices are connected.
  • Account for all other storage locations. These include Google Drive items and Excel spreadsheets.
  • Find a centralized, secure location (preferably cloud-based) to list each storage solution, and link to its access portal so users can navigate there and log in if approved to do so.
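One way to check for unexpected or unapproved devices is to reconcile the approved inventory against what a discovery run actually sees. The following is an added example, not part of the original article; the CSV layout, serial numbers, names, and addresses are constructed assumptions.

```python
import csv
import io

# Constructed approved inventory. Column names and serials are assumptions.
APPROVED_CSV = """serial,name,kind
SN-1001,array-a,all-flash array
SN-1002,array-b,hybrid array
SN-2001,vmhost-01,virtual machine host
"""
# Constructed output of a network discovery run.
DISCOVERED_CSV = """serial,name,ip
SN-1001,array-a,10.0.5.11
sn-2001 ,vmhost-1,10.0.5.21
SN-9999,nas-unknown,10.0.5.77
"""

def load(text):
    """Index rows by normalized serial so case or whitespace cannot hide a match."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        serial = row["serial"].strip().upper()
        if serial in rows:
            raise ValueError(f"duplicate serial in input: {serial}")
        rows[serial] = {key: value.strip() for key, value in row.items()}
    return rows

def reconcile(approved_text, discovered_text):
    approved, seen = load(approved_text), load(discovered_text)
    return {
        # On the network but never approved: investigate these first.
        "unapproved": sorted(set(seen) - set(approved)),
        # Approved but not seen: offline, decommissioned, or stale inventory.
        "missing": sorted(set(approved) - set(seen)),
        # Same serial under a different name: inventory drift or a relabelled device.
        "renamed": sorted(s for s in set(seen) & set(approved)
                          if seen[s]["name"] != approved[s]["name"]),
    }

if __name__ == "__main__":
    for finding, serials in reconcile(APPROVED_CSV, DISCOVERED_CSV).items():
        print(f"{finding}: {', '.join(serials) or 'none'}")
```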


3. Implement internet security strategies.

Any SAN that’s connected to the internet needs protective protocols, like IP allowlists or blocklists, and technology like malware scanning. When a SAN is connected to the internet, it is susceptible to any internet vulnerabilities, like unsecure web pages and downloadable malware. All traffic entering the storage network from the public internet should be closely inspected and permitted or rejected based on preset security protocols or dynamic packet inspection.

4. Secure all on-premises devices.

While SANs include geographically disparate storage environments, each device or array that can be physically touched must be protected. If an attacker is able to access a server connected to the SAN, they not only have access to the data on that server but also may be able to access the entire network.

To secure devices physically, require keycards to enter your business’s data center or office. Include a secure vault or locked room within the building that requires another key for access, and limit it to certain IT or storage managers who need to physically access the servers and storage systems to keep them running. No employees who don’t explicitly need to access those servers or systems should have access to this vault.

5. Secure individual storage solutions and servers.

Similarly, all individual servers and computers on the SAN should have individual controls. If an attacker breaches the network, they shouldn’t be able to laterally move between computer systems or storage devices. Set access controls, at least a username and password, on each individual storage solution or server.

6. Set all approved access controls.

All access controls should be approved by any business IT and security teams. These restrict employee access to all storage systems on the network. These access controls should operate on a least privilege basis, too: employees only receive the access they need to do their job. Using others’ logins should be prohibited unless approved case-by-case by IT or security teams.

7. Configure all network protocols for best security.

All network sessions should use Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL) protocol. TLS helps secure HTTPS connections for internet sessions. Other security protocols include IPsec, which authenticates connections between two IP addresses and secures virtual private networks (VPNs). Protocols like these encrypt data transmissions to keep them unseen by unauthorized users.

8. Examine your network for any side doors or back doors.

SANs should be tested for back doors. To do this, hire a penetration testing company to thoroughly examine the network. Pen testers effectively hack an organization’s infrastructure or computer system to reveal security weaknesses. Once a network back door has been identified, close it. This can be done by configuring additional security protocols or changing access control requirements.

9. Set a firewall.

All networks, including storage networks, should have a firewall installed at their entrance. Firewalls do initial work to inspect network traffic and deny or allow access depending on the enterprise’s preset protocols. Although firewalls don’t catch every threat actor or malicious transmission, they’re a good initial preventive mechanism.


10. Create blocklists and allowlists.

Aside from setting a firewall to catch any initial malicious traffic, storage network administrators should also blocklist IP addresses from known malicious sites. This is especially important for SANs that are always connected to the public internet. One of the most stringent security methods is to simply set the network protocols to only accept IP addresses from an allowlist: all others not on the approved list are automatically denied. If this is too strict for your business, then your IT team should create a highly comprehensive blocklist instead.
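The difference between the two approaches is what happens to a source that appears on neither list. The following added example (not from the original article) evaluates the same sources under a default-deny allowlist and a default-allow blocklist; the networks are constructed from private and documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed policy using private/documentation ranges; not real indicators.
ALLOWLIST = ["10.20.0.0/24", "192.0.2.10/32"]
BLOCKLIST = ["203.0.113.0/24", "198.51.100.7/32"]

def _parse(source):
    """Return a normalized address, or None if the value is not an IP."""
    try:
        ip = ipaddress.ip_address(source.strip())
    except ValueError:
        return None
    # Treat ::ffff:a.b.c.d as the IPv4 address it wraps, so an IPv4 rule
    # is not sidestepped by the IPv6 spelling of the same host.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def _in_any(ip, networks):
    return any(ip in ipaddress.ip_network(net) for net in networks)

def allowlist_decision(source, allowlist=ALLOWLIST):
    """Default deny: only listed sources pass; unparsable input is denied."""
    ip = _parse(source)
    return "allow" if ip is not None and _in_any(ip, allowlist) else "deny"

def blocklist_decision(source, blocklist=BLOCKLIST):
    """Default allow: only listed sources are denied; unparsable input is denied."""
    ip = _parse(source)
    if ip is None or _in_any(ip, blocklist):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for src in ["10.20.0.15", "203.0.113.9", "198.51.100.200",
                "::ffff:203.0.113.9", "not-an-ip"]:
        print(f"{src:22} allowlist={allowlist_decision(src):5} "
              f"blocklist={blocklist_decision(src)}")
```

The source 198.51.100.200 is on neither list: the blocklist lets it through, while the allowlist denies it.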

11. Ensure that all storage on the network is compliant with all relevant regulations.

Storage systems must comply with data protection and privacy standards like the GDPR and CCPA. Storage solutions are a major target for ransomware operators and other threat actors, but stored data can be compromised without an attacker ever touching it. Businesses should not only set stringent security controls for each storage system, but they should also check their storage against regulations like the GDPR. If your organization has customers in the European Union, you’ll have to fully comply with the GDPR. If you have California customers, you fall under the CCPA.


12. Run antivirus and malware scans through all systems.

Although scanning traffic and other sources from the internet is critical for network safety, businesses shouldn’t stop there. Ensure that your IT and security teams run regular scans on all systems connected to a storage solution. This includes employee devices.

It’s easy for users to download malware onto a computer, and once in the system, this harmful code can infiltrate multiple software solutions. That includes storage management consoles, cloud databases, and Google Drive. Teams should run malware scans at least weekly on all company devices and all systems connected to the storage area network.

13. Plan backup and recovery processes thoroughly.

All storage systems can be compromised and go down entirely, even SANs. When this happens, your organization must be prepared. Determine data backup procedures for each storage system on the network, and decide where backup copies will be stored. At least one copy should be stored in the cloud or off-site.

Also ensure that your IT teams have a clearly defined disaster recovery plan. When a SAN goes down or a critical cloud storage system like Azure fails, each team member should know exactly what to do and when. Creating a disaster recovery plan with input from executives and IT personnel alike will help your business recover data and restore storage systems more efficiently. Set appropriate RTOs and RPOs for each storage solution, too.
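A backup plan is only useful if it is checked against its targets. The following added example (not from the original article) audits a backup catalog for two of the points above: the newest backup of each system must be within its RPO, and at least one copy must be off-site. The system names, RPO values, and catalog entries are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: system names, RPO targets and catalog are assumptions.
RPO = {
    "array-a": timedelta(hours=4),
    "array-b": timedelta(hours=24),
    "vm-datastore": timedelta(hours=1),
    "cloud-db": timedelta(hours=12),
}
# (system, time the backup completed, where the copy lives)
CATALOG = [
    ("array-a", "2024-01-10T09:30:00+00:00", "on-site"),
    ("array-a", "2024-01-10T02:00:00+00:00", "off-site"),
    ("array-b", "2024-01-08T23:00:00+00:00", "on-site"),
    ("vm-datastore", "2024-01-10T11:40:00+00:00", "on-site"),
]
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed so results repeat

def audit(rpo=RPO, catalog=CATALOG, now=NOW):
    """Return {system: [findings]} for every system that misses a target."""
    copies = {}
    for system, finished, location in catalog:
        copies.setdefault(system, []).append(
            (datetime.fromisoformat(finished), location))
    findings = {}
    for system, target in rpo.items():
        problems = []
        backups = copies.get(system, [])
        if not backups:
            problems.append("no backup recorded")
        else:
            age = now - max(when for when, _ in backups)
            if age > target:
                problems.append(f"latest backup is {age} old, RPO is {target}")
            if not any(loc == "off-site" for _, loc in backups):
                problems.append("no off-site copy")
        if problems:
            findings[system] = problems
    return findings

if __name__ == "__main__":
    for system, problems in audit().items():
        print(system, "->", "; ".join(problems))
```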


14. Use high levels of encryption for all cloud solutions.

Implement AES encryption, either AES-128 or AES-256, for all the cloud databases and storage systems connected to your SAN. If an attacker breaches the storage network, they’ll be hard-pressed to steal data from connected cloud systems when it’s encrypted.

Encryption is a critical enterprise security technology, essential for stores of sensitive data. Also consider implementing encryption for data in transit when your teams send data across the SAN. Data can be intercepted while traveling across a network, too.


15. Train all employees thoroughly.

Training is one of the most important cybersecurity practices. If your employees don’t know how to identify and circumvent security breaches, all the other technologies on this list could fall apart with a well-placed malicious file opened on the wrong network. 

Train all team members to recognize and halt attacks, hosting biannual or quarterly sessions that cover popular breach methods. Your enterprise should alert employees to tactics like phishing, unapproved storage devices, and entering physical premises.

One other benefit of training every team member — including ones who aren’t on IT or storage teams — is the accountability it engenders. It’s incredibly tempting for employees to ignore security best practices, especially ones like password protection. But if they’re being reminded more than once a year and all their coworkers have learned the same practices, they have better accountability with each other, which may be more effective than hearing security talk from executives. Make it personal for your employees, and make the benefits of protecting data undeniably clear.


16. Document everything.

Whenever your IT team runs a network security test or discovers strange activity on the network, take note of it. Teams should keep logs of consistent testing. And anomalous data, once compiled, could eventually provide insights about threats to the network. Also, documenting SAN security practices will make the audit process easier, allowing your IT team to show exactly how they’ve been maintaining data protection.

Does documentation require even more storage? Yes, documentation needs to be stored and protected too, but it’s worthwhile — those documents not only help teams prepare for audits but also are good practice for noticing network traffic patterns.


Bottom line: Implementing SAN security 

Although achieving overall storage network security takes time, effort, and significant investment in your storage and IT teams, it’s worthwhile long-term. Over time, your business will develop a reputation for solid cybersecurity practices and a commitment to protecting customers’ data. But SANs store proprietary information, too — you’re protecting your own organization’s data as well as your clients’.

If your IT and storage teams feel overwhelmed while trying to follow all these steps, take time to gradually implement them. Not all security procedures need to be set at the same time, especially if your teams are small or the business doesn’t currently have the financial resources to purchase new security solutions. Making slow improvements over the course of months and years is better than making no movement at all. By steadily implementing security protocols and solutions and regularly, consistently training your employees, your business will be better set to protect its SAN than ever before.

Jenna Phipps
Jenna Phipps is a contributor for Enterprise Mobile Today, Webopedia.com, and Enterprise Storage Forum. She writes about information technology security, networking, and data storage. Jenna lives in Nashville, TN.