Securing storage area networks (SANs) has become more important than ever in the current business cybersecurity climate. Because SANs connect multiple storage systems, a cyberattack could compromise multiple sources of data—and a distributed denial-of-service attack could take down the entire network, even if the data itself isn’t stolen.
Implementing thorough security controls on your SAN helps protect customer and proprietary data. It also helps your organization recover more quickly from disasters. This checklist covers the steps your enterprise should take when securing storage area networks.
Change All Admin and Default Passwords
Change all admin passwords on storage devices and servers as soon as you deploy them. Most devices ship with simple default passwords that are widely known or easy to guess. IT and storage teams should change these credentials, following secure password best practices, and store them cryptographically—for example, in a password management system.
Some network technology comes with basic hard-coded passwords embedded into the software that manages the hardware. These can be difficult to change. Avoid using devices with hard-coded passwords, and if you must, patch the software so that the password can be changed.
Inventory Every Storage Solution
A storage inventory should cover all the major types of storage your enterprise uses to help you quickly identify each storage device, array, and virtual machine on the network in case of trouble. Follow these steps:
- Identify and list all storage solutions on the network; disallow any unexpected or unapproved devices.
- Don’t forget to account for any cloud- or web-based storage locations, including Google Drive items.
- Find a centralized, secure location (preferably cloud-based) to list each storage solution, and make sure it’s available to approved users.
Implement Internet Security Strategies
Any SAN connected to the internet needs protective controls, like IP allowlists or blocklists. When a SAN is connected to the internet, it’s susceptible to any internet vulnerabilities, like insecure web pages and downloadable malware. All traffic entering the storage network from the public internet should be closely inspected and permitted or rejected based on preset security protocols or dynamic packet inspection.
Secure All On-Premises Devices
While SANs include geographically disparate storage environments, each device or array that can be physically touched must be protected. If attackers can access a connected server, they may be able to access your entire network.
Require keycards to enter your data center or office. Include a secure vault or locked room within the building that requires another key for access, and limit it to authorized people who need physical access to keep servers and storage systems running.
Implement Zero Trust
Implementing a zero trust framework limits attackers’ opportunities to move laterally to other storage systems on the network if they gain access to a server on the SAN. Zero trust assumes that no one on the network should automatically be trusted. All users must prove their identity—not just at the perimeter of the network, but for every application.
If one system on the network is breached, zero trust means that all the other systems aren’t automatically breached as well. All individual servers and computers on the SAN should have individual controls with at least a username and password. Two-factor authentication is preferable, as it requires more information than just a password and is much harder for attackers to get around.
Set All Approved Access Controls
All access controls should be approved by business IT and security teams. These controls restrict employee access to all storage systems on the network and should operate on a “least privilege” basis—employees only receive the access they absolutely need to do their job. Reducing admin privileges to only what’s necessary reduces the chance that an attacker will exploit an admin-level account simply because there are fewer such accounts.
Using others’ logins should be prohibited unless approved case-by-case or done through IT-verified systems like password managers. While sharing logins seems harmless, it can lead to sloppy password use (writing passwords on paper or sending them through messages that can be intercepted).
Configure All Network Protocols for Best Security
All network sessions should use Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL) protocol. TLS helps secure HTTPS connections for internet sessions. Other security protocols include IPsec, which authenticates connections between two IP addresses and secures virtual private networks (VPNs). Protocols like these encrypt data transmissions to keep them unseen by unauthorized users.
Check for Network Side Doors or Back Doors
SANs should be tested for back doors—hire a penetration testing company to thoroughly examine the network. Pen testers effectively hack an organization’s infrastructure or computer system to reveal security weaknesses. If any network back doors are identified, close them by configuring additional security protocols, changing access control requirements, or applying patches.
Set a Firewall
All networks, including storage networks, should have a firewall installed at their perimeter. Firewalls do initial work to inspect network traffic and deny or allow access depending on the enterprise’s preset protocols. Although firewalls don’t catch every threat actor or malicious transmission, they’re a good initial preventive mechanism.
A firewall should be one protective tool in a toolbox of security controls, not relied on exclusively. Consider advanced firewalls like next-generation firewalls (NGFWs) that do more than just packet inspection—enterprise-level products have more security features than standard firewalls.
Create Blocklists and Allowlists
Storage network administrators should also blocklist IP addresses from known malicious sites. This is especially important for SANs that are always connected to the public internet. One of the most stringent security methods is to simply set the network protocols to only accept IP addresses from an allowlist. All others not on the approved list are automatically denied. If this is too strict for your business, consider a highly comprehensive blocklist instead.
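The difference between the two approaches shows up with a source that appears on neither list. The following is an added example, not part of the original article: the function names and the policy entries are hypothetical, and every address comes from the documentation-only ranges.

```python
import ipaddress

# Constructed sample policy using documentation-only address ranges.
ALLOWLIST = ["192.0.2.0/28", "198.51.100.10/32"]   # e.g. admin subnet, backup host
BLOCKLIST = ["203.0.113.0/24"]                      # e.g. a known-bad range


def _networks(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _matches(addr, networks):
    return any(addr.version == n.version and addr in n for n in networks)


def decide(src, allowlist=None, blocklist=()):
    """Return "allow" or "deny" for a source address.

    allowlist=None means blocklist-only mode (default allow).
    With an allowlist, anything not listed is denied (default deny).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "deny"                     # unparseable source: fail closed
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries,
    # so it is judged by the same IPv4 rules.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if _matches(addr, _networks(blocklist)):
        return "deny"                     # an explicit block always wins
    if allowlist is None:
        return "allow"
    return "allow" if _matches(addr, _networks(allowlist)) else "deny"


def compare_modes(sources):
    """Map each source to (allowlist-mode verdict, blocklist-only verdict)."""
    return {s: (decide(s, ALLOWLIST, BLOCKLIST), decide(s, None, BLOCKLIST))
            for s in sources}


if __name__ == "__main__":
    for src, verdicts in compare_modes(
            ["192.0.2.5", "198.51.100.77", "203.0.113.9", "::ffff:203.0.113.9"]).items():
        print(src, verdicts)
```

The unlisted address 198.51.100.77 is denied in allowlist mode and allowed in blocklist-only mode, which is the trade-off the paragraph above describes.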
Keep Network Storage Compliant with Relevant Regulations
Storage systems must comply with data protection and privacy standards like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Storage solutions are a major target for ransomware vendors and other threat actors, but stored data can be compromised without an attacker ever touching it.
Businesses should not only set stringent security controls for each storage system—they should also checklist their storage against regulations like the GDPR. If your organization has customers in the EU, you’ll have to fully comply with the GDPR. If you have California customers, you fall under the CCPA. Businesses with customers in multiple countries must check all relevant regulatory standards in each country to determine whether they’re compliant.
Run Antivirus and Malware Scans On All Systems
Although scanning traffic and other sources from the internet is critical for network safety, businesses shouldn’t stop there. Ensure that you run regular scans on all systems connected to a storage solution, including employee devices.
It’s easy for users to download malware onto a computer. Once in the system, this harmful code can infiltrate multiple software solutions. That includes storage management consoles, cloud databases, and Google Drive. Teams should run malware scans at least weekly on all company devices and all systems connected to the storage area network.
Plan Backup and Recovery Processes Thoroughly
All storage systems can be compromised and go down entirely, even SANs. When this happens, your organization must be prepared. Determine data backup procedures for each storage system on the network and decide where backup copies will be stored. At least one copy should be stored in the cloud or off-site.
Also ensure that your IT teams have a clearly defined disaster recovery plan. When a SAN goes down or a critical cloud storage system like Azure fails, each team member should know exactly what to do and when. Create a disaster recovery plan and appropriate recovery time objectives and recovery point objectives (RTOs and RPOs) for each storage solution.
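A backup plan is only useful if someone checks it against the record of what actually ran. The following added example (not from the original article) audits a constructed backup log against two rules from this section: each system's newest successful copy must be within its RPO, and at least one successful copy must be in the cloud or off-site. System names, locations, and times are illustrative assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; "now" is fixed so the result is reproducible.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
RPO = {
    "san-array-1": timedelta(hours=4),
    "cloud-db": timedelta(hours=24),
    "file-share": timedelta(hours=12),
}
BACKUPS = [
    {"system": "san-array-1", "finished": NOW - timedelta(hours=2), "location": "onsite", "ok": True},
    {"system": "san-array-1", "finished": NOW - timedelta(hours=3), "location": "offsite", "ok": True},
    {"system": "cloud-db", "finished": NOW - timedelta(hours=30), "location": "cloud", "ok": True},
    {"system": "cloud-db", "finished": NOW - timedelta(hours=1), "location": "cloud", "ok": False},
    {"system": "file-share", "finished": NOW - timedelta(hours=5), "location": "onsite", "ok": True},
]
OFFSITE_LOCATIONS = {"offsite", "cloud"}


def audit_backups(rpo, backups, now):
    """Return {system: [issues]}; an empty list means both rules are met."""
    findings = {}
    for system, limit in rpo.items():
        # Failed jobs do not count as recoverable copies.
        good = [b for b in backups if b["system"] == system and b["ok"]]
        issues = []
        if not good:
            issues.append("no successful backup")
        else:
            age = now - max(b["finished"] for b in good)
            if age > limit:
                issues.append(f"RPO exceeded: newest good copy is {age} old, limit {limit}")
            if not any(b["location"] in OFFSITE_LOCATIONS for b in good):
                issues.append("no off-site or cloud copy")
        findings[system] = issues
    return findings


if __name__ == "__main__":
    for system, issues in audit_backups(RPO, BACKUPS, NOW).items():
        print(system, "OK" if not issues else issues)
```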
Encrypt All Cloud Solutions
Encryption is a critical enterprise security technology, essential for stores of sensitive data. Implement AES encryption, either AES-128 or AES-256, for all cloud databases and storage systems connected to your SAN. If an attacker breaches the storage network, they’ll be hard-pressed to steal data from connected cloud systems when it’s encrypted.
Also consider implementing encryption for data in transit when your teams send data across the SAN. Data can be intercepted while traveling across a network, too. End-to-end encryption, which encrypts data while it’s traveling and at rest, is the best possible scenario.
Train All Employees
Training is one of the most important cybersecurity practices. If your employees don’t know how to identify and avoid security breaches, all the other technologies on this list could fall apart with a well-placed malicious file opened on the wrong network.
Train all team members to recognize and halt attacks. Host biannual or quarterly sessions that cover popular breach methods and alert employees to tactics like phishing, unapproved storage devices, and unauthorized entry to physical premises.
One other benefit of training every team member—including those not on IT or storage teams—is the accountability it engenders. It’s incredibly tempting for employees to ignore security best practices, especially ones like password protection. But if they’re being reminded more than once a year and all their coworkers have learned the same practices, they have better accountability. In the end, that may be more effective than hearing security talk from executives. Make it personal for your employees, and make the benefits of protecting data undeniably clear.
Whenever your IT team runs a network security test or discovers strange activity on the network, take note of it. Keep logs of consistent testing. Anomalous data, once compiled, could eventually provide insights about threats to the network, and documenting SAN security practices will make any audits easier, allowing your IT team to show exactly how they’ve been maintaining data protection.
Does documentation require even more storage? Yes, documentation needs to be stored and protected too, but it’s worthwhile—those documents not only help teams prepare for audits but also are good practice for noticing network traffic patterns.
Bottom Line: Implement SAN Security Gradually
Although achieving overall storage network security takes time, effort, and significant investment in your storage and IT teams, it’s worthwhile long-term. It’s also critical for your organization’s success. Over time, your business will develop a reputation for solid cybersecurity practices and a commitment to protecting customers’ data. But SANs store proprietary information, too—you’re protecting your own organization’s data as well as your clients’.
If your IT and storage teams feel overwhelmed while trying to follow all these steps, take time to gradually implement them. Not all security procedures need to be set at the same time, especially if your teams are small or the business doesn’t currently have the financial resources to purchase new security solutions. Making slow improvements over the course of months and years is better than making no movement at all. By steadily implementing security protocols and solutions and regularly, consistently training your employees, your business will be better set to protect its SAN than ever before.