Most companies routinely assess their data security with overall security policy health checks, site surveys, ethical hacking for penetration testing and reviews of processes, systems, networks and applications. Yet each of these activities rests on fundamental assumptions about where the data lives and how the data "behind the server" is secured.
When a company implements a distributed storage area network (SAN), these routine corporate security practices do not go far enough; companies must extend their security awareness and practices to encompass the storage environment. There's no question that SAN solutions bring unparalleled benefits to the organization--including documented return on investment of over 40 percent to 60 percent--but they can also introduce trust relationships and unmeasured and unmonitored security risks to applications and data center services. So companies must go a step further; they must also implement a security program that goes beyond traditional reviews to assure total system security.
The following are some of the technology considerations involved in implementing a SAN security program, as well as problems encountered by McData while working with some of the largest Fortune 100 companies as they deploy enterprise SAN solutions.
Security in storage networks should be approached incrementally as layers of security that protect the storage network at every possible point of vulnerability. And because real-world storage networks comprise components from many different vendors, the security solution must be applicable to multivendor, multiprotocol storage network environments.
Since a security strategy is only as good as its weakest link, it must include interoperability, support by partners and implementation of mandated minimum requirements for interoperability. Currently, there are two primary standards for security: Fibre Channel-Security Protocol (FC-SP), which applies to Fibre Channel Protocol (FCP) and fibre connectivity (FICON), and the Internet Engineering Task Force IP Storage (IETF IPS) specifications, which apply to the iSCSI, iFCP and FCIP gateway specifications that bridge Internet Protocol block-based networks to Fibre Channel block-based networks. Many other security attributes are covered by Fibre Channel-Switch (FC-SW), Fibre Channel Generic Services (FC-GS), Fibre Channel-Single Byte (FC-SB) and other standards that are either approved or in development.
A security solution is only as good as the management of each individual security feature. Each feature must be secure and managed from a single point of control.
Authentication for multiprotocol storage networks is covered by two standards, the IETF iSCSI gateway specifications and FC-SP, both of which are due in early 2004. Both standards mandate the Challenge-Handshake Authentication Protocol (CHAP, RFC 1994), or DH-CHAP with a "null" Diffie-Hellman option, as the minimum required for interoperability. Block-based IP storage access and FC storage access therefore share the same type of authentication standard, giving a single end-to-end standard for authentication in storage networks (a key customer requirement).
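As an added illustration (not code from the article or from McData), the following Python models the RFC 1994 CHAP exchange that both standards mandate: the authenticator issues a random one-octet-tagged challenge, the peer answers with MD5(Identifier || Secret || Challenge), and the authenticator checks the answer against its copy of the shared secret. The peer name and secrets are constructed sample values; DH-CHAP adds a Diffie-Hellman exchange on top of this pattern and is not shown.

```python
# Added example (not from the article): RFC 1994 CHAP, the challenge/response
# scheme that iSCSI and FC-SP (DH-CHAP, "null" DH option) build on.
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, MD5 variant: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side (e.g. a target or switch port) holding shared secrets."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # peer name -> shared secret
        self.pending = {}              # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Issue a fresh random challenge tagged with a one-octet identifier."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident]

    def verify(self, ident, name, response):
        """Check the peer's response; a challenge is consumed once, so a captured
        response cannot be replayed against the same challenge."""
        chal = self.pending.pop(ident, None)
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)   # constant-time compare

def run_exchange(auth_secret, peer_secret, replay=False):
    """Simulate one authentication; returns True if the peer is accepted.
    'initiator-a' and the secrets are constructed sample values."""
    auth = ChapAuthenticator({"initiator-a": auth_secret})
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)        # computed by the peer
    accepted = auth.verify(ident, "initiator-a", resp)
    if replay:   # re-sending the same response a second time is refused
        return auth.verify(ident, "initiator-a", resp)
    return accepted

if __name__ == "__main__":
    print(run_exchange(b"s3cret", b"s3cret"))   # True
    print(run_exchange(b"s3cret", b"wrong"))    # False
```

Note that CHAP only proves knowledge of the secret; it provides no confidentiality, which is why the standards pair it with IPSec or ESP as described later in the article.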
Once the devices have been authenticated and have proved who they are through the FC-SP or iSCSI standards, the next step is the authorization or access control for each device that participates on the fabric. The techniques either have been or are being defined in the form of policies, including fabric membership lists and switch connection controls. These are in addition to hard zoning enforcement.
The encryption of block data can be executed for both data at rest and data in flight. Encryption for IP is well understood and commonly deployed. The standards require IPSec for confidentiality for iSCSI, iFCP and FCIP. For FC data, FC-SP is considering use of an ESP (Encapsulating Security Payload) encryption (similar to ESP in IPSec) solution for confidentiality. Encryption of data at rest requires an advanced key management system, for which there are several solutions on the market today. Right now there is no standard for encryption of FC data in flight or data at rest.
It is essential that a security solution be implemented end-to-end. Standards for security must be open, interoperable and easy to understand, learn and administer. Customers will prefer solutions that fit this model, and solutions that leverage best-in-class standards and technologies are expected to be the most successful in the market.
By implementing the security techniques discussed here, companies should have a good security solution foundation for their storage networks, leveraging well-known technologies, completely interoperable and based on open standards.
Brandon Hoff is manager of Strategic Marketing at McData Corp. (Broomfield, Colo.).