For more than 50 years, Auerbach Publications has been printing cutting-edge books on all topics IT.


Securing Storage

Greg Schulz

Like securing networks, securing storage involves logical and physical approaches. Given the different types of storage devices, systems and media that support various applications and uses, from high-performance online storage to low-cost removable media, multiple approaches are needed. Protecting the end-points—on one side the applications and servers (virtual and physical) that access storage, and on the other the storage itself—is part of the solution. Protecting the network, both locally and remotely, is also involved.

In general, techniques for protecting data on storage include physical safeguards, protecting access to storage systems, and monitoring fixed or removable media. Removable media includes hard disk drives (HDD), flash solid state devices (SSD) and magnetic tape. Other forms of removable media include CDs, DVDs and other optical media, as well as USB flash thumb drives, PDAs, iPhones, Droids and laptops.

One way of safeguarding data is to verify, once it has been written to the storage medium, that it is in the correct format and readable, as part of basic data integrity checks. Another form of preserving data is storage media or systems that support Write Once Read Many (WORM), which ensures that data cannot be changed or altered once written. Since storage can be accessed via block LUNs, devices, partitions or volumes, a means of protecting access in a shared or multi-tenant environment is LUN or volume mapping and masking.

With LUN or volume masking, only authorized servers are allowed to see a SCSI target when using a shared Fibre Channel or iSCSI SAN. LUN or volume mapping complements the masking (hiding) process by letting each server, which sees only its own storage, view that storage at an address that is unique to it. For example, if six servers each access their own storage volume or LUN, with masking they would not see each other's storage in the shared environment; likewise, with mapping, the LUN presented to each server could be numbered 1 to meet operating system requirements, yet each LUN 1 would be a different volume.
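The six-server scenario above, as an added example that is not from the book: a small in-memory model of an array's masking and mapping table, with audit helpers that flag a volume exposed to more than one initiator. The WWPNs and volume names are constructed sample values.

```python
"""Added example (not from the book): an in-memory model of SAN LUN
masking and mapping. Masking decides which initiator (server HBA port,
identified by its WWPN) may see which backend volume; mapping decides
the host LUN number that initiator sees it as. All WWPNs and volume
names are constructed sample values."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class StorageArray:
    # masking/mapping table: initiator WWPN -> {host LUN number: backend volume}
    views: dict[str, dict[int, str]] = field(default_factory=dict)

    def present(self, wwpn: str, volume: str, host_lun: int) -> None:
        """Mask `volume` in for `wwpn` and map it to `host_lun`. Two different
        volumes may never share one host LUN for the same initiator, because
        the server could not tell them apart."""
        view = self.views.setdefault(wwpn, {})
        if view.get(host_lun, volume) != volume:
            raise ValueError(f"LUN {host_lun} already maps to {view[host_lun]} for {wwpn}")
        view[host_lun] = volume

    def report_luns(self, wwpn: str) -> dict[int, str]:
        """What SCSI REPORT LUNS returns to this initiator: only its own view.
        An initiator with no masking entry sees nothing at all."""
        return dict(self.views.get(wwpn, {}))

    def exposure(self, volume: str) -> list[str]:
        """Audit helper: every initiator that can see `volume`."""
        return sorted(w for w, v in self.views.items() if volume in v.values())

    def shared_volumes(self) -> list[str]:
        """Audit helper: volumes visible to more than one initiator. Where each
        volume belongs to a single server, every entry here is a masking error."""
        volumes = {v for view in self.views.values() for v in view.values()}
        return sorted(v for v in volumes if len(self.exposure(v)) > 1)


def six_server_example() -> StorageArray:
    """The scenario from the text: six servers, each seeing only its own volume as LUN 1."""
    array = StorageArray()
    for i in range(1, 7):
        wwpn = f"50:00:00:00:00:00:00:0{i}"   # constructed initiator port names
        array.present(wwpn, f"vol{i}", host_lun=1)
    return array


if __name__ == "__main__":
    sample = six_server_example()
    print(sample.report_luns("50:00:00:00:00:00:00:03"))  # {1: 'vol3'}
    print(sample.report_luns("50:00:00:00:00:00:00:ff"))  # {}  (no masking entry)
    print(sample.shared_volumes())                        # []
```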

Removable Media Security

Some organizations are exploring virtual desktop solutions as a means of moving away from potential desktop data exposure and vulnerabilities. Many organizations are racing to encrypt laptops as well as desktops. Some organizations restrict Universal Serial Bus (USB) ports to printer use only. Some organizations are also beefing up audit trails and logs to track what data was moved and copied where, when, and by whom. USB devices are seen as valuable tools, even given all of their risks, for moving and distributing data where networks don't exist or are not practical.

An evolving dimension to protecting data and securing virtual data centers is distributed remote offices and traveling or telecommuting workers who occupy virtual offices. The threat risks can be the same as for a primary traditional datacenter, along with others including loss or theft of laptops, workstations, PDAs or USB thumb drives holding sensitive information. When it comes to security, virtual data centers require multiple levels of logical and physical security across different technology domains.

In addition to tape and optical, another form of removable media includes various forms of flash SSD ranging from thumb drives, PDAs and tablets to high-capacity devices. The removable hard disk drives (RHDD), more common back in the 70s and 80s, have also reappeared. I myself utilize RHDDs for archiving and storing certain backups offsite in a secure safe. I also use cloud based backup services in addition to local disk to disk (D2D) backup.

While lost tapes make the headlines, research indicates that there are, in fact, fewer actual tapes that go missing each year while there are more reports. What this means is that in the past tapes were not reported missing if lost or stolen; given current regulations, however, the reporting can make it seem more common. What should be of concern is how many laptops, notebooks, PDAs, cell phones or USB thumb drives get lost or stolen per month. Are these devices any less of a risk than a lost tape or disk drive? That depends, of course, on what data is stored on the missing device; however, it is important to protect the data to be safe as well as to meet applicable compliance regulations.

Virtual, Physical Servers, and Desktops

Securing storage and storage networking resources starts (or ends) at the server. At the server level, basic security begins with proper security of the individual file systems, directories, files, logical and physical volumes, and access to other storage resources. Access to storage management tools, including volume managers that can be used to provide a layer of abstraction also known as virtualization, should be restricted to those with the appropriate responsibility and capability to make configuration and provisioning changes. Access to tools that can be used to affect the availability of storage resources, whether they be path managers for HBAs, volume managers, file systems, backup, mirroring, or storage configuration, should be secured and safeguarded.

Depending on the environment, access to the servers themselves by system administrators, storage analysts, and database analysts may vary. For example, in some environments storage resources are presented to a specific server via the storage network, with complete control and access to those resources (LUNs or volumes) at the discretion of the individual system administrator. The system administrator may in turn restrict access and allocation to specific volumes and resources to other administrators who are responsible for their specific pieces of storage. In other environments, a system administrator may have complete end-to-end responsibility and capability to configure the storage network, the storage, and access to it.

Protection of virtual servers or VMs combines aspects of physical servers (PMs), storage and network hardware and software. What changes with VMs is that another layer of technology is involved in the form of hypervisors or virtualization software. Hypervisors emulate servers, presenting virtual CPUs, memory, network and storage adapters as well as virtual network switches. Security for VM and virtual desktop infrastructure (VDI) environments includes protecting the guest operating systems and their applications, the hypervisors, and the underlying physical resources. In addition, when not active in memory, VMs are saved on storage as files that also need to be protected.

Securing Clouds

Many of the same issues, challenges, threats and, consequently, techniques for networks, storage and servers also apply to public and private clouds. Given the shared nature of public cloud and MSP resources, additional considerations include managing and monitoring the service provider. Auditing the provider includes reviewing relevant access or event logs along with physical review of facilities and services. This means applying the same management standards you use for your own environment to service-provided solutions. Part of reviewing a service provider's offerings includes understanding who has access to your data and, if applicable, applications and other resources.

Access to cloud resources is often via a management interface, cloud point of presence (cPOP) or gateway appliance, whose management interfaces should be protected as would any other storage and networking device. Given that the value of many cloud providers lies in leveraging multi-tenancy, it is important to know how those services isolate your applications, data and customers from other tenants. For encrypted data, understand how keys are managed as well as who has access to the keys or other authentication material. Key themes with clouds, whether public or private, are to be aware of the security, be prepared and do your due diligence.

Another dimension to cloud or any remote service or destination, including your own, is how data will move between sites. Networks have gotten faster and bandwidth more plentiful, as well as more reliable, accessible and affordable. However, there is also more data to be moved in the same or less time than in the past. As a result, initial data migration or copy to a cloud service may require a bulk movement using removable media, which will need to be secured. Once the initial copy is made, ongoing data access and movement can be done using secure networking techniques.

Disposing of Digital Assets and Technology

While most technologies and techniques are focused on protecting and preserving data, some of those also add complexity when it comes time to retire storage technologies. Part of data protection and security includes safely destroying digital data. This ranges from ensuring that hard disk drives and flash devices on PDAs, laptops or workstations are securely erased when discarded to digitally shredding TBytes or PBytes of data on large storage systems or across thousands of tape cartridges.

From a cost standpoint, if you have not already included the time and expense to digitally destroy or erase disks and storage systems, along with flash SSD and magnetic tapes, when they are retired, now is the time to start doing so. For example, if you are about to acquire a 100TByte storage solution, how long will it take to securely erase the data to meet your organization's requirements or application needs? What happens if instead of 100TBytes it is 1PByte or 10PBytes or larger? Now is the time to start including in your TCO and ROI models the time and cost to digitally shred or destroy data as part of your data migration activities.

Care should be taken when disposing of storage resources, including disk and tape, when they are no longer needed. When magnetic tapes are no longer needed, have them properly disposed of, which could entail degaussing or burning. With disk sub-systems and storage located in servers, workstations, desktops and laptops, remove sensitive data and take appropriate steps, including re-formatting disks if needed. Simply deleting data can still leave the data recoverable by those interested in doing so. Servers, storage controllers, and switches, if applicable, should also be reset to factory configurations and have their NVRAM cleared.

Historically, digital shredding or secure erasure of data has required the use of software or appliances that meet various regulatory or agency certifications. For example, Department of Defense (DoD) secure erase procedures use software running on a server or on an appliance that writes successive patterns to ensure the data is safely destroyed. Another means of intentionally destroying data includes degaussing devices that magnetically alter the recording media. In addition, physical destruction techniques include drilling holes through devices such as disk drives and physically shredding disk and tape media. With a focus on environmental health and safety (EH&S), burning of magnetic media is frowned upon if not banned.

A new approach to securely and quickly destroying data involves self-encrypting disks (SEDs), which are being brought to market by different manufacturers including Seagate in conjunction with the Trusted Computing Group (TCG). SEDs are part of the TCG OPAL disk program, which enables disk drives to encrypt themselves in conjunction with servers or storage systems. Instead of relying on software on a server or appliance or within a storage system, the disk drive itself performs the encryption or decryption functions without performance penalties. For organizations that are unsure about using encryption, the side benefit of SEDs is that for most environments, once the SED is removed or its affinity with a given storage controller, server or laptop is discontinued, the device is effectively shredded or deactivated. The device could be connected to a different controller or server, establishing a new affinity, but all previous data would be lost.

Granted, for ultra secure or sensitive organizations and agencies, additional safeguards would be used, however for most environments, SEDs provide another means to reduce the time required to digitally destroy old data before retiring technology. Consult with your manufacturer on their suggested procedure for safeguarding your information and ensuring that disposal of resources does not compromise your business information. If you have an office of sustainability or someone who handles EH&S, also confer with them along with your security or compliance personnel as to what should be in your specific policies.
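The sizing question raised above (how long does it take to securely erase 100 TBytes, 1 PByte or 10 PBytes?) and the SED alternative, as an added planning model that is not from the book. Drive sizes, overwrite throughput, concurrency and the per-drive time for a crypto erase command are constructed assumptions, not vendor figures; substitute your own measured values.

```python
"""Added example (not from the book): a planning model for digital
shredding time. It compares overwrite-based secure erase, which must
rewrite every byte once per pass, with cryptographic erase on a
self-encrypting drive (SED), which only discards the media key.
All throughput, drive-size and timing values are constructed assumptions."""
from __future__ import annotations
import math

TBYTE = 10**12   # decimal terabyte, as storage capacity is usually quoted


def overwrite_erase_hours(capacity_bytes: int, drive_bytes: int, passes: int,
                          drive_mbps: float, parallel_drives: int) -> float:
    """Hours to overwrite every byte `passes` times. The pool consists of
    `drive_bytes`-sized drives erased `parallel_drives` at a time (the
    concurrency the erase host or appliance can sustain), each writing
    sequentially at `drive_mbps` MB/s. Time grows linearly with capacity
    and passes and only falls when more drives are erased concurrently."""
    drives = math.ceil(capacity_bytes / drive_bytes)
    seconds_per_drive = passes * drive_bytes / (drive_mbps * 10**6)
    batches = math.ceil(drives / parallel_drives)
    return batches * seconds_per_drive / 3600


def crypto_erase_hours(capacity_bytes: int, drive_bytes: int,
                       seconds_per_drive: float = 5.0) -> float:
    """Hours for SED crypto erase: one key-discard command per drive,
    independent of how much data each drive holds (assumed 5 s per drive)."""
    drives = math.ceil(capacity_bytes / drive_bytes)
    return drives * seconds_per_drive / 3600


def erase_plan(capacities_tb=(100, 1_000, 10_000), drive_tb: int = 2,
               passes: int = 3, drive_mbps: float = 200.0,
               parallel_drives: int = 50) -> dict[int, dict[str, float]]:
    """Hours per method for each capacity, suitable for a TCO/ROI model."""
    plan: dict[int, dict[str, float]] = {}
    for tb in capacities_tb:
        cap, drive = tb * TBYTE, drive_tb * TBYTE
        plan[tb] = {
            "overwrite_hours": overwrite_erase_hours(cap, drive, passes, drive_mbps, parallel_drives),
            "crypto_erase_hours": crypto_erase_hours(cap, drive),
        }
    return plan


if __name__ == "__main__":
    for tb, hours in erase_plan().items():
        print(f"{tb:>6} TB: overwrite {hours['overwrite_hours']:8.1f} h, "
              f"SED crypto erase {hours['crypto_erase_hours']:6.2f} h")
```

With the assumed figures, the three-pass overwrite of 100 TBytes takes about 8.3 hours and scales tenfold at each capacity step, while the crypto erase stays under an hour even at 10 PBytes because only the drive count matters.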

Security Checklist

While far from an exhaustive list, the following provides some basic items pertaining to storage and storage networking security:

  • Restrict and limit access to physical components including networking cables
  • Disable management interfaces and access when not being used
  • Restrict access (local and remote) to those who need access to management tools
  • Secure and rationalize access to equipment for vendor support and maintenance
  • Evaluate use of SNMP MIBs and agents and how sets and traps are implemented
  • Manage maintenance ports including remote dial-in/dial-out as well as email
  • Utilize storage based LUN/volume mapping/masking to control access to storage
  • Persistent binding should be combined with some other security mechanism
  • Implement encryption for data at rest as well as for data in-flight or on the move
  • Plan for data shredding or digital destruction including secure erase ahead of time
  • Perform periodic audits of access to devices as well as enable intrusion detection
  • Audit the auditors as well as service providers


This article was excerpted from:

The amount of data being generated, processed, and stored has reached unprecedented levels. Even during the recent economic crisis, there has been no slow down or information recession. Instead, the need to process, move, and store data has only increased. Consequently, IT organizations are looking to do more with what they have while supporting growth along with new services without compromising on cost and service delivery.

Cloud and Virtual Data Storage Networking looks at converging IT resources and management technologies for facilitating efficient and effective delivery of information services, including enabling of Information Factories. Regardless of your experience level, Schulz guides you through the various technologies and techniques available for achieving efficient information services delivery.

About the Author

Greg Schulz is founder of the Server and StorageIO group (StorageIO), an independent IT industry advisory consultancy firm. He is also the author of the books The Green and Virtual Data Center and Resilient Storage Networks. He is a popular blogger and also a fixture on Twitter.