Answering the storage security challenge - Security

Computer Technology Review, August, 2003 by Gary Sevounts

Information storage devices are gaining popularity in corporations across the country. These devices are being utilized to enable strategic business initiatives such as enterprise resource planning (ERP) and customer relationship management (CRM). In addition, storage devices enable corporations to consolidate a variety of business-critical data traditionally distributed across multiple application and database servers. As a result, storage systems are an effective tool for increasing productivity, resource utilization, and return on investment while helping ensure uptime and business continuity.

The demand for network-attached storage (NAS)--or shared storage on a network--is growing steadily. Research shows that more than 70 percent of storage will be networked by 2005. NAS devices are typically high-speed, single-purpose systems or components that serve specific storage needs on mixed networks, running either a commercial operating system or their own, with integrated hardware and software. These systems are attached directly to a network and provide file-level access to data. Their easy setup and management, together with their platform independence, make NAS devices effective in keeping administrative costs down.

Risks and Challenges

While storage devices such as NAS address critical business needs and offer many benefits, they also introduce new security risks and challenges. In a non-consolidated server environment, for example, if a malicious user gains unauthorized access to data, such access is limited to the type of data on the specific server. With consolidated data, access into one type of data typically provides access to other--or all--types of data.

In addition, just as a security breach on a storage device puts more data at risk, it also places a greater burden on IT resources as technicians are redirected from revenue-generating pursuits to incident-recovery activities. Also, because damage from undetected malicious code in a storage system can trigger a cycle of re-introduction each time stored data is backed up, the productivity of IT personnel can be repeatedly compromised with every recovery incident.

Further complicating the storage security issue are emerging industry and government regulations such as HIPAA that require organizations to secure any and all data. The increased availability of easy-to-use hacker tools adds another challenge as it spawns a bigger pool of potential intruders seeking unauthorized access to greater caches of consolidated confidential data.

Security Tools for NAS

Corporations today are successfully using a variety of general security tools within their IT environments to protect their systems and data at the server, desktop, and gateway. A closer look at storage-specific security requirements reveals that layered protection is also necessary in order to ensure the integrity of storage systems and the data they house.

Securing Network Access to Storage: Because NAS is located on an IP network, it is susceptible to many threats that travel the network. The first line of defense against such network-based threats is a firewall. Placed in front of the storage device, the firewall creates a demilitarized zone (DMZ) for the storage device by halting inappropriate access by unauthorized users while allowing access by authorized personnel. Virtual private network (VPN), encryption, and authentication tools further secure network access to storage by providing an encrypted tunnel available only to authorized users.
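The firewall placement described above, as an added example that is not part of the original article: an nftables forwarding policy for a Linux firewall sitting between client networks and a NAS. The NAS address, the client and VPN address ranges (documentation ranges, constructed), the set names, and the choice of SMB (TCP 445) and NFSv4 (TCP 2049) as the file-access protocols are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example; every address, port choice and name here is an assumption.

define nas_addr = 192.0.2.200          # hypothetical NAS in its own segment

table inet nas_guard {
    # Subnets of personnel authorized to use the NAS (constructed values).
    set authorized_clients {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/25, 198.51.100.16/28 }
    }

    # Address pool handed out to authenticated VPN users (constructed value).
    set vpn_clients {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/26 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed never reaches the NAS.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were permitted by the rules below.
        ct state established,related accept
        ct state invalid drop

        # File-level access only from authorized internal subnets.
        ip daddr $nas_addr ip saddr @authorized_clients tcp dport { 445, 2049 } ct state new accept

        # Remote users reach the NAS only through the encrypted VPN tunnel.
        ip daddr $nas_addr ip saddr @vpn_clients tcp dport 445 ct state new accept

        # Log other attempts against the NAS (rate-limited); policy then drops them.
        ip daddr $nas_addr limit rate 10/second log prefix "nas-deny: "
    }
}
```

The logged denials give the intrusion detection and incident-response functions a record of who tried to reach the storage device from outside the authorized ranges.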

A second line of defense is network-based intrusion detection, which identifies external as well as internal threats and uses protocol anomaly detection technology to detect known as well as new attacks. In addition, to inspect accurately the significant amount of data passing to and from the network storage device, a multi-gigabit network-based intrusion detection system is a requirement.

Network-based vulnerability assessment helps identify potential vulnerabilities on systems visible outside the company's firewalls and enables enterprises to better understand the state of security within their organization.

Network access to storage can also be addressed through security appliances that sit in front of the NAS and not only detect but stop malicious traffic before it reaches the storage device.

Securing Data Storage: Even with virus protection on desktops and gateways, storage devices remain susceptible to infection from malicious code. Desktop users, for example, might turn off their desktop antivirus scanning or simply forget to update virus definitions, thereby exposing their systems to viruses and other threats. Subsequent desktop interaction with the NAS extends the potential for infection throughout the network to other systems, data, and users. As a result, securing the actual data on a storage device requires antivirus software, either host- or network-based. Whether it resides on the NAS or is provided as a service by another network node, antivirus protects against data corruption and virus infection.


 


Content provided in partnership with Thomson Gale