If a SAN is not properly configured and protected, it exposes data to a long list of threats: denial-of-service attacks, unauthorized access, data theft, and corruption. Most experts will put the threat of insiders, malicious or otherwise, at the top of this list. While most organizations concentrate solely on controlling user access to the data stored in their SAN, you must also look at all aspects of the security covering administrative access to the arrays.
Start by looking at your recruitment procedures for admin staff. To reduce the chances of a malicious insider, work closely with the HR department to ensure that employees with access to sensitive SAN data are thoroughly vetted and that termination-of-employment procedures include removal of network and building-access rights. All administrators should be trained on storage security issues specific to SANs and be fully conversant with your SAN security policies and procedures. These must include robust logging and change-management processes. Role-based access control (RBAC) is essential to ensure separation of duties so a single administrator cannot subvert your policies and procedures.
To limit the possibility of an administrator having read or write access to data held in the SAN, limit what storage can be accessed by his or her computer. The two most common methods of doing this are zoning and logical unit number (LUN) masking. Zones are similar to VLANs in data networking in that they establish a virtual SAN within a SAN. LUN masking restricts access even further, to specific logical storage units. For each server connected to the SAN, LUN masking effectively masks off the LUNs that are not assigned to the server, allowing only the assigned LUNs to appear to the server's operating system.
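The sketch below is an added example, not part of the original article: it models zoning and LUN masking as two independent filters and audits which LUNs an administrator's workstation can actually see. All WWPNs, zone names, host names and LUN ids are constructed, and the data layout is an assumption rather than any vendor's export format.

```python
# Constructed sample data: every WWPN, zone name, host name and LUN id is made up.
DB, MAIL, ADMIN = "10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02", "10:00:00:00:c9:aa:00:99"
PORT_A, PORT_B = "50:06:01:60:00:00:00:a1", "50:06:01:60:00:00:00:b1"

# Fabric zoning: zone name -> member WWPNs (host initiators and array target ports).
ZONES = {
    "z_db": {DB, PORT_A},
    "z_mail": {MAIL, PORT_B},
    "z_admin": {ADMIN, PORT_A},  # admin workstation zoned to a data port
}
# Array LUN masking: target port -> LUN id -> initiators allowed to see that LUN.
MASKING = {
    PORT_A: {0: {DB}, 1: {DB, ADMIN}},  # LUN 1 is also unmasked for the admin host
    PORT_B: {0: {MAIL}},
}
HOSTS = {"db01": DB, "mail01": MAIL, "admin-ws": ADMIN}
ADMIN_HOSTS = {"admin-ws"}


def zoned_peers(initiator, zones):
    """WWPNs that share at least one zone with the initiator."""
    peers = set()
    for members in zones.values():
        if initiator in members:
            peers |= members - {initiator}
    return peers


def visible_luns(initiator, zones, masking):
    """(target port, LUN) pairs that pass both zoning and LUN masking."""
    return sorted(
        (target, lun)
        for target in zoned_peers(initiator, zones)
        for lun, allowed in masking.get(target, {}).items()
        if initiator in allowed
    )


def audit_admin_exposure(hosts, admin_hosts, zones, masking):
    """Map each admin workstation to the data LUNs it can see (empty if none)."""
    findings = {}
    for name in sorted(admin_hosts):
        luns = visible_luns(hosts[name], zones, masking)
        if luns:
            findings[name] = luns
    return findings


if __name__ == "__main__":
    for host, wwpn in HOSTS.items():
        print(host, visible_luns(wwpn, ZONES, MASKING))
    print("findings:", audit_admin_exposure(HOSTS, ADMIN_HOSTS, ZONES, MASKING))
```

In the sample data the admin workstation is zoned to a data port, yet masking still hides LUN 0 from it; only LUN 1, which is explicitly unmasked for it, shows up as a finding.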
Further protection can be provided by encrypting data stored in the SAN. All management interfaces, such as the communication channel between SAN management consoles and the target fabric being managed, must be secured to prevent any type of attacker from using a management tool to access a SAN. For array management, you can use a direct serial connection with a physical Fibre Channel connection to the controller, which is more secure than a TCP/IP-based LAN connection.
The security of administrative access must also include physical security. The SAN should be located in a closed, physically secure environment isolated from the LAN (and the rest of the outside world, for that matter). This, in itself, will not thwart malicious insiders. Also focus on monitoring, access controls and logging mechanisms to limit the opportunities available to anyone trying to access the physical SAN systems or its management interfaces.
Some of the controls to consider include:
- Electronic access card
- Biometric authentication
- Surveillance cameras
- Piggyback prevention
- Alarm system for fire, flood, and break-in
- Individually locked racks
- Separate racks with physical separation for dual fabrics
The benefits of a SAN include improved performance, accessibility, lower cost of ownership, and better management of organization data, and you are taking the right approach by assessing all the possible risks and attack vectors to which this central data store is vulnerable.
This was first published in February 2009