The five A's of functional SAN security

Because so many kinds of entities are involved in a SAN, it is useful to approach SAN security from a functional perspective rather than through the entities involved. This means starting with a list of functions that must be achieved and applying that function list to all the entities rather than attempting to secure each entity separately. One such list of SAN security functions is the "Five A's": Authentication, access, audits, alarms and availability.

Authentication is making sure that only authorized personnel can access the SAN. This is usually implemented with a challenge-response protocol, most often based on userids and passwords. However other methods, such as biometrics, could be used. Like all of the Five A's, authentication involves a number of subsidiary issues. For example if userid-passwords are used, the usual password-control procedures apply, including changing passwords regularly and making sure they stay secure. In addition to the 'social engineering' involved in implementing proper password procedures among users, there are a number of technical issues, such as not transmitting unencrypted passwords over the net, especially out of band channels. For all that, personnel authentication issues are probably the best understood of the various SAN security issues because they are common to so much of computer security.

Access is making sure that only the appropriate people gain access to the SAN and its information at the appropriate level. Here the technical issues loom larger than they do with authentication, and storage administrators have more control over the situation. The most basic part of access is determining and enforcing who will have access to what information and what privileges they will have with the data and the SAN itself. Since SANs can differ considerably in their access control capabilities and how they are implemented, the first step is to determine what tools and utilities are available to the admini

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Auditing access, configuration changes and user activity are important not only to detect security breaches, but to keep track of changes to the network and trends that may affect network performance. An effective auditing plan would include maintaining logs for access to the SAN, configuration changes and user activity. Based on that information, the auditing system should identify both normal and anomalous behavior and include procedures for reacting to violations. Like access control, auditing is usually a matter of inventorying the available tools and applying them effectively. All SANs have audit utilities and additional SAN auditing packages are available from vendors. However it is likely to take some thought and study to develop an effective auditing plan for your SAN.

Alarms are reactions to the results of the audits. They should vary from a simple, non-intrusive notification of minor incidents to full-blown crisis plans in the event of a major threat. It is especially important to set alarms that identify serious problems without crying wolf. Again, this takes study and planning on the part of the storage administrators. The first step in developing an effective alarm strategy involves determining what constitutes a normal pattern of activity on the SAN. In addition to traffic data, this could include use of administrative tools and making changes to the SAN. It is best to think broadly when gathering data on what is normal. Once 'normality' has been established, the next step is to determine how far the SAN activity should deviate from normal before it becomes cause to issue an alarm. Besides the obvious analysis of variance in the SAN activity parameters, this should include consideration of patterns of business activity and possibly external events. For example if a blizzard shuts down transportation in your area, it is logical to expect more people to log onto the SAN remotely as they try to work from home. On the other hand, you wouldn't expect a lot of attempts to change the SAN configuration in the middle of a blizzard. Like access, effective alarm procedures require constant monitoring and frequent change and updating to keep them in synch with the realities of the enterprise.

Availability isn't usually considered as part of SAN security, but it has an important relation to it. Availability is primarily an architectural issue and refers to the degree of redundancy, fault tolerance and fail-over built into the SAN. However availability also involves disaster recovery and that is usually seen as part of security. In the security context, availability includes developing and maintaining an effective disaster recovery plan to handle incidents that could shut down the data center or destroy data. Disaster recovery requires careful planning and frequent practice to make sure the plan covers everything and will actually work when things go seriously wrong.

Among the resources available to help you implement effective security on your SAN are:

Hitachi Data Systems presentation titled: .

Brocade Communications; presentation at HP World 2002 titled: "Fabric Security: Securing the SAN Infrastructure".

Storage Network Industry Association presentation titled: "Toward End-to-End Security: A Storage Security Update".