Despite the rise of the cloud, storage area networks (SANs) remain the backbone of many enterprises. They are used to store vast amounts of data and serve it to a wide range of users throughout the organization.
SAN security has risen in prominence of late, given the propensity of cybercriminals to be able to break into just about every nook and cranny of the enterprise. Here are some of the top trends in SAN security:
1. SANs are vulnerable
Gil Hecht, CEO of Continuity, points out that SANs are just as vulnerable to cyberattacks as the rest of the infrastructure. This is a change from years ago when SANs were considered to be back-end systems that weren’t under much threat. That has changed completely.
“Some ransomware – Locky and Crypto – now bypasses perimeter systems altogether, and goes straight for the data center core, like storage and backups,” said Hecht. “This has forced storage teams and CISOs to look again at potential holes in their safety nets, by reviewing their primary and secondary storage systems.”
2. SAN security is mission critical
There’s always a great emphasis on firewalls and on securing the obvious networks and communications infrastructure. But enterprise storage is now mission critical, too: it is where the data that is the lifeblood of the organization resides.
“All companies should be able to quickly restore data from their primary and secondary storage resources as part of an effective cyber resilience strategy,” said Hecht.
3. Check for common storage weaknesses
Hecht added that most vulnerability scanners and patch management systems focus on operating systems and applications. They do a fine job of identifying Common Vulnerabilities and Exposures (CVEs), misconfigurations, and other weaknesses in OSes and apps, but they typically miss the same kinds of problems in SANs, backup systems, and other storage technologies.
Some of the most common vulnerabilities and security misconfigurations discovered in storage systems, according to Hecht, include:
- Use of vulnerable storage protocols or protocol settings. Cybercriminals can use such configuration mistakes to retrieve configuration information and stored data, and in many cases can also tamper with the data itself, including the copies used to protect it.
- Unaddressed storage CVEs. Each CVE details the possible exposures and outcomes it presents, and these span a wide range. Among the risks identified were the ability to exfiltrate files, initiate denial-of-service attacks, and take ownership of files and block devices.
- Insecure user management and authentication. This can allow cybercriminals to take full control of the storage device, up to and including exfiltration and destruction of the data and its copies.
- Incorrect use of ransomware-protection features. When these features are misconfigured, protection from ransomware is limited or absent, and cybercriminals can easily circumvent or disable the protection mechanisms.
Tools are now available that are designed to find such areas of risk.
“Scanning your storage environment for vulnerabilities and security misconfigurations is a critical part of a storage security strategy,” said Hecht.
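The four weakness classes above map naturally onto checks a storage audit can run against a controller's exported settings. The script below is an added example, not the article's or any vendor's code: it audits a constructed, hypothetical configuration export (real arrays each have their own schema, so every field name here is an assumption) for weak protocol settings, an unaddressed firmware advisory (a labelled placeholder, not a real CVE), insecure authentication, and snapshots that lack a retention lock.

```python
"""Audit a storage controller's exported settings for the weakness classes
listed above. Added example; the export format and field names are a
constructed assumption, and KNOWN_ADVISORIES is a placeholder list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    check: str     # short identifier for the failed check
    detail: str


# Constructed sample export from one SAN/NAS controller (hypothetical schema).
SAMPLE_CONFIG = {
    "firmware": "4.2.1",
    "protocols": {
        "smb": {"enabled": True, "min_version": "1.0", "signing_required": False},
        "nfs": {"enabled": True, "exports": [
            {"path": "/vol/finance", "clients": "*", "root_squash": False},
            {"path": "/vol/backups", "clients": "10.20.0.0/24", "root_squash": True}]},
        "iscsi": {"enabled": True, "chap_required": False},
        "telnet": {"enabled": True},
    },
    "admin": {
        "directory_auth": False,  # no LDAP/AD integration; local accounts only
        "local_accounts": [
            {"name": "admin", "default_password": True, "mfa": False},
            {"name": "backup-svc", "default_password": False, "mfa": False}],
    },
    "snapshots": {"enabled": True, "locked": False, "retention_days": 3},
}

# Placeholder advisory list (constructed): firmware older than fixed_in is affected.
KNOWN_ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "fixed_in": (4, 3, 0), "impact": "file exfiltration"},
]


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def audit(config: dict) -> list:
    """Return a list of Findings; an empty list means every check passed."""
    f = []
    proto = config.get("protocols", {})
    # Vulnerable protocols or protocol settings.
    smb = proto.get("smb", {})
    if smb.get("enabled"):
        if parse_version(smb.get("min_version", "1.0")) < (2,):
            f.append(Finding("high", "smb-v1", "SMBv1 accepted; require SMB 3.x"))
        if not smb.get("signing_required"):
            f.append(Finding("medium", "smb-signing", "SMB signing not enforced"))
    nfs = proto.get("nfs", {})
    if nfs.get("enabled"):
        for exp in nfs.get("exports", []):
            if exp.get("clients") == "*":
                f.append(Finding("high", "nfs-open-export", f"{exp['path']} exported to every client"))
            if not exp.get("root_squash", True):
                f.append(Finding("high", "nfs-no-root-squash", f"{exp['path']} grants remote root"))
    iscsi = proto.get("iscsi", {})
    if iscsi.get("enabled") and not iscsi.get("chap_required"):
        f.append(Finding("high", "iscsi-no-chap", "iSCSI targets usable without CHAP"))
    if proto.get("telnet", {}).get("enabled"):
        f.append(Finding("high", "telnet", "cleartext management protocol enabled"))
    # Unaddressed storage CVEs: compare firmware against the advisory list.
    fw = parse_version(config.get("firmware", "0"))
    for adv in KNOWN_ADVISORIES:
        if fw < adv["fixed_in"]:
            f.append(Finding("high", "unpatched-advisory", f"{adv['id']}: {adv['impact']}"))
    # Insecure user management and authentication.
    admin = config.get("admin", {})
    for acct in admin.get("local_accounts", []):
        if acct.get("default_password"):
            f.append(Finding("high", "default-password", f"{acct['name']} uses the vendor default password"))
        if not acct.get("mfa"):
            f.append(Finding("medium", "no-mfa", f"{acct['name']} has no MFA"))
    if not admin.get("directory_auth"):
        f.append(Finding("medium", "local-only-auth", "no central directory; local accounts only"))
    # Ransomware-protection features: unlocked snapshots can be deleted over the
    # same admin path an intruder holding admin rights would use.
    snaps = config.get("snapshots", {})
    if not snaps.get("enabled"):
        f.append(Finding("high", "no-snapshots", "no snapshot copies configured"))
    elif not snaps.get("locked"):
        f.append(Finding("high", "snapshots-unlocked", "snapshots lack a retention lock"))
    return f


def severity_counts(findings: list) -> dict:
    counts = {"high": 0, "medium": 0}
    for item in findings:
        counts[item.severity] += 1
    return counts


if __name__ == "__main__":
    for item in audit(SAMPLE_CONFIG):
        print(f"[{item.severity:6}] {item.check}: {item.detail}")
    print(severity_counts(audit(SAMPLE_CONFIG)))
```

Run as-is, the sample export produces eight high and four medium findings. Each check is deliberately a plain boolean over a field, so a team can rewrite the field names for its own array's export format and keep the check logic, and compare the output run to run to catch configuration drift.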
4. Recovery is vital
Ahsan Siddiqui, Director of Product Management for Arcserve, advises anyone running a SAN to ensure that their security plan includes a robust data backup and recovery strategy, so that the organization stays operational even after a ransomware attack. However, this may not be enough: cybercriminals are realizing that organizations rely on backups, so they now target all copies of the data, including primary, secondary, and backup data, and then encrypt the primary data.
Organizations, then, had better put a good recovery process in place for SAN data, including adequate protection for their backups.
5. Air gapping
One good way to protect SAN data is via comprehensive backups and the use of air gapping.
“One of the most practical and effective ways to secure backup data against a ransomware attack in a SAN is air gapping,” said Siddiqui. “The beauty of air gapping is that it makes it nearly impossible for ransomware to compromise data backups.”
There are two types of air gapping. The first is traditional, physical air gapping, in which an organization disconnects the digital asset from all other devices and networks, creating a physical separation between a secure network and any other computer or network. Using a physical air gap, organizations store backup data on media such as tape or disk, then disconnect these media entirely from their production IT environment.
The second type of air gapping is called logical air gapping. A logical air gap relies on network and user-access controls to isolate backup data from the production IT environment. It’s like a one-way street on which data is pushed to its intended destination, whether a storage device on-premises or a custom appliance. The key here is that the control and management of that data, such as how it is retained or who can modify it, is not available through that same system or path. Anyone who wants to manage or alter the data must go through entirely different authentication channels.
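The logical air gap described above can be made concrete in code. The model below is an added example, not the article's or Arcserve's code; the class and key names are hypothetical and the keys are constructed. It separates the one-way ingest path, whose credential only allows new backup objects to be appended, from a management path that uses a different credential over a different call, and it enforces a retention lock that refuses deletion on either path until the lock expires. The scenario function walks through what a compromised production host holding only the ingest credential can and cannot do to a stored backup.

```python
"""Model of a logically air-gapped backup target. Added example; the Vault
class, its key names and the sample backup bytes are all constructed."""
import hashlib
import hmac
import secrets
import time


class AirGapError(PermissionError):
    """Raised when a request arrives over the wrong path or inside a retention lock."""


class Vault:
    def __init__(self, ingest_key: bytes, mgmt_key: bytes, clock=time.time):
        self._ingest_key = ingest_key
        self._mgmt_key = mgmt_key
        self._clock = clock    # injectable so retention behaviour can be tested
        self._objects = {}     # name -> {"data", "sha256", "locked_until"}

    @staticmethod
    def token(key: bytes, action: str, name: str) -> bytes:
        """HMAC over action and name: a 'put' token cannot be replayed as a 'delete'."""
        return hmac.new(key, f"{action}:{name}".encode(), hashlib.sha256).digest()

    def _check(self, key: bytes, tok: bytes, action: str, name: str, who: str) -> None:
        if not hmac.compare_digest(self.token(key, action, name), tok):
            raise AirGapError(f"bad {who} credential for {action} {name}")

    def put(self, tok: bytes, name: str, data: bytes, retention_seconds: float) -> str:
        """Ingest path: write-once. Existing objects are never overwritten."""
        self._check(self._ingest_key, tok, "put", name, "ingest")
        if name in self._objects:
            raise AirGapError("object exists; ingest path cannot overwrite")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = {"data": data, "sha256": digest,
                               "locked_until": self._clock() + retention_seconds}
        return digest

    def delete(self, tok: bytes, name: str) -> None:
        """Management path: a different key, and the retention lock still wins."""
        self._check(self._mgmt_key, tok, "delete", name, "management")
        obj = self._objects.get(name)
        if obj is None:
            raise KeyError(name)
        if self._clock() < obj["locked_until"]:
            raise AirGapError("retention lock active; delete refused")
        del self._objects[name]

    def verify(self, name: str) -> bool:
        """Recompute the digest so silent tampering of stored bytes is detected."""
        obj = self._objects.get(name)
        return obj is not None and hashlib.sha256(obj["data"]).hexdigest() == obj["sha256"]


def scenario() -> dict:
    """Outcome of each action a host holding only the ingest key could attempt."""
    now = [1_000_000.0]                     # simulated clock (seconds)
    ingest_key, mgmt_key = secrets.token_bytes(32), secrets.token_bytes(32)
    vault = Vault(ingest_key, mgmt_key, clock=lambda: now[0])
    name, week = "db-2024-01-01", 7 * 86400
    out = {}
    vault.put(Vault.token(ingest_key, "put", name), name, b"constructed backup bytes", week)
    out["stored"] = vault.verify(name)

    def attempt(label, fn):
        try:
            fn()
            out[label] = "allowed"
        except AirGapError as err:
            out[label] = str(err)

    # The ingest key cannot replace the backup with encrypted garbage ...
    attempt("overwrite", lambda: vault.put(Vault.token(ingest_key, "put", name), name, b"garbage", 1))
    # ... nor delete it: a well-formed token under the wrong key is still the wrong path.
    attempt("delete_with_ingest_key", lambda: vault.delete(Vault.token(ingest_key, "delete", name), name))
    # The management key is a separate channel, but the lock holds for the full week.
    attempt("delete_before_expiry", lambda: vault.delete(Vault.token(mgmt_key, "delete", name), name))
    out["present_before_expiry"] = vault.verify(name)
    now[0] += week + 1                       # advance past the retention lock
    attempt("delete_after_expiry", lambda: vault.delete(Vault.token(mgmt_key, "delete", name), name))
    out["present_after_expiry"] = vault.verify(name)
    return out


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label}: {result}")
```

The point of the model is where the keys live: the ingest key sits on the production side and can only add; the management key is held elsewhere, behind its own authentication, and the retention lock is enforced by the vault itself rather than by any caller. A real appliance adds durable storage and an audit log, but the access split is the property that makes the backup survive a compromise of the system that wrote it.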