Data storage
Are you covering your back end?
Tips on securing your storage network
Andrew Wilson of Hitachi Data Systems outlines measures an
organisation needs to take to ensure the physical and electronic
security of data storage systems.
August 2007
The storage network is now of the utmost importance to any
enterprise; not only does it hold essential data, the lifeblood of
any organisation, it also provides the capacity for running
business-critical applications and services. Unfortunately this
makes it a potential target for malicious attacks from outside the
organisation and also renders it vulnerable to accidental damage
from within the company.
Storage security has never been more important, with business and
regulatory compliance demanding security of confidential data. Yet
while regulatory issues are an important driver for storage
investment, the issues that result from security breaches, such as
financial loss and brand damage, can be just as serious as receiving
a fine or legal action for non-compliance.
A carefully planned and well-executed security strategy
throughout the enterprise is essential, so what should organisations
take into consideration to reduce the risk of data corruption and
loss?
Don’t assume your data is secure
It is a common belief amongst managerial and technical personnel
alike that, because the storage network exists far from the many
entry points and is not on an Internet Protocol (IP) network, it
doesn’t need additional security.
This assumption is often what makes the storage network the weak
link in the security chain. While your average employee may have
little idea of how the storage environment operates or how to access
key data, a malicious attacker will often take advantage of this
attitude to the storage environment.
Securing, hardening and frequently monitoring the storage system
is crucial to prevent unauthorised individuals obtaining and
potentially misusing valuable data.
Ensure your technical team understands the storage network
Storage networks are often looked upon as simple systems that
merely provide data storage. This can lead to misconfiguration of
the system, making it vulnerable to accidental security breaches.
Those in charge of the storage network need to understand how to
secure all parts of the environment in order to prevent this. In a
small or mid-sized organisation a lack of technical knowledge or
training can result in perfectly adequate equipment operating
without proper protection because one element has been left
unsecured.
In larger enterprises it is also often the case that one or two
experts administer storage security but a number of other technical
personnel have access to the storage environment to carry out other
tasks.
There are cases where otherwise well-secured storage networks
have been compromised by a technical team member ‘borrowing’ a cable
from part of the storage network, having assumed it was an
insignificant test environment, taking down part of the service by
accident and leaving the entire system vulnerable.
Implementing a company-wide labelling system of cables and other
vital equipment will enable the relevant employees to see what they
are being used for and whether or not they are safe to remove.
Secure the management network
The management network can serve as the easiest point of attack
within a storage system as this is what allows control of the
storage network environment. Often it is a simple box that acts as a
bridge between the storage network and the company IP local area
network (LAN) and it is frequently improperly secured at the IP end.
The management network should operate at the same security level
as other entry points, as well as utilising controlled access
management and authentication procedures to make unauthorised use as
difficult as possible. This will prevent an opportunistic attacker
exploiting this common weakness.
Segregate security domains properly
It is now standard practice to separate and firewall the
organisation’s network into appropriate security domains, ensuring
that data can only be seen by authorised personnel. Unfortunately in
many cases the storage system is connected in an unprotected way to
multiple networks throughout the enterprise. This means that a
single attack on the storage system puts all networks at risk.
The solution is to install different servers and applications
with different data sets and ensure that the storage volumes at the
back end are protected from rogue applications and servers. If this
is done incorrectly, a new box plugged into the network without the
correct security installed may try to take ownership of the disks
around it. This can potentially cause problems with overwriting and
loss of valuable data.
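The check described above can be run against the storage system's volume access table. The following is an added example, not part of the original article: it audits a constructed volume-to-host mapping and flags volumes with no access restriction, volumes shared across security domains, and volumes presented to hosts missing from the inventory. All host names, volume names and domains are hypothetical.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "volume issue detail")

# Constructed inventory: host name -> security domain it belongs to.
HOST_DOMAIN = {
    "web01": "dmz",
    "web02": "dmz",
    "erp01": "finance",
    "hr01": "hr",
}

# Constructed access table: volume -> hosts allowed to see it.
# An empty list models a volume presented with no access restriction.
VOLUME_ACCESS = {
    "vol-web": ["web01", "web02"],
    "vol-ledger": ["erp01", "web02"],
    "vol-payroll": ["hr01", "test99"],
    "vol-scratch": [],
}


def audit(volume_access, host_domain):
    """Return findings for volumes that break security-domain segregation."""
    findings = []
    for volume, hosts in sorted(volume_access.items()):
        if not hosts:
            # Any newly attached server could claim this volume.
            findings.append(Finding(volume, "UNMASKED", "visible to any attached server"))
            continue
        # Hosts that are granted access but are not in the inventory.
        unknown = sorted(h for h in hosts if h not in host_domain)
        if unknown:
            findings.append(Finding(volume, "UNKNOWN_HOST", ", ".join(unknown)))
        # A volume should be reachable from one security domain only.
        domains = sorted({host_domain[h] for h in hosts if h in host_domain})
        if len(domains) > 1:
            findings.append(Finding(volume, "CROSS_DOMAIN", ", ".join(domains)))
    return findings


if __name__ == "__main__":
    for f in audit(VOLUME_ACCESS, HOST_DOMAIN):
        print(f"{f.volume:12} {f.issue:13} {f.detail}")
```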
Encrypt portable data
Encrypting data on portable storage devices should be an
essential component of any organisation’s security strategy. Many
organisations, however, are wary of losing encryption keys and
rendering their data useless. In fact, 43% of companies admit they
do not have a data encryption policy at all.
The risk of losing encryption keys is far outweighed by the
benefits of the security given by encryption when data is
transferred to a portable device. If the portable data storage
device is lost or stolen it will be virtually impossible for that
data to be viewed or used by the wrong person.
Align storage security with enterprise-wide security strategy
An effective security strategy will cover people and processes in
addition to technology. Clear policies and procedures that are
regularly enforced will encourage employees to realise that data
security is also their responsibility.
Only 53% of firms report having an internal policy for the
security of data stored on mobile devices. This is a surprising
statistic given recent reports of lost laptops, disks and USB keys.
Companies need to apply and enforce security strategies which cover
data-at-rest as well as data stored on mobile devices.
Advocate skills and knowledge sharing
Often storage administrators and the security team exist as
separate divisions within an enterprise. This can mean the
administrators have little knowledge of security best-practice and
the security personnel do not have a sufficiently in-depth knowledge
of storage to be able to see the weaknesses in the network.
This can be the result of a lack of training, a territorial
attitude or simply a lack of contact with one another.
Cross-pollination of skills and knowledge is essential to prevent
storage being the weak link in the security chain and it is
important for companies to promote these practices.
Physical security
Electronic and logical security can be extremely effective in
preventing malicious or accidental attacks on storage networks but
this is only part of the story.
Physically securing equipment is a frequently neglected part of
storage security and some organisations have paid the price for
this. Regularly reviewing storage security practices as part of the
company’s overall strategy is fundamental to preventing attacks.
For a large enterprise, include a review of how many people have
keys to the data centre and how secure the room is; for a small or
mid-sized enterprise, check that the keys to the storage rack
haven’t been left in the lock. Taking time to remind all employees
that an attacker doesn’t need to get through layers of electronic
security to get hold of data if he or she can simply walk in and
take it will pay dividends.
Following these tips will help you protect one of your most
valuable assets: the data your organisation relies on to complete
its mission-critical activities. Bear in mind that implementing a
set of policies that helps all employees keep company data
secure is just as important as ensuring your technical team has
taken the necessary steps to secure the data electronically.
Andrew Wilson, UK Sales and Marketing Director, Hitachi
Data Systems.
Hitachi Data Systems is exhibiting at Storage Expo 2007, the UK's
largest and most important event dedicated to data storage. Now in
its 7th year, the show features a comprehensive free education
programme and over 100 exhibitors at the National Hall, Olympia,
London from 17-18 October 2007.