SANs require unique security

As storage area networks (SANs) become more popular and complex, industry observers point out that it is increasingly important to secure the precious data that these infrastructures hold.

But SAN security isn’t always easy. Some say these networks are difficult to protect, especially as they grow more complicated.

“The first implementations of SANs were really in the data centre, very often behind closed walls,” said Nancy Marrone, senior analyst with Enterprise Storage Group (ESG), a research firm in Milford, Mass. She explained that as SANs grow in complexity, security becomes more important.

“Now SANs are more popular and not always in the data centre. The more SANs you have, the more people you have with the ability to access the data storage. … You might have had a single SAN island in the data centre before. Now you want to connect it to another SAN in another data centre. Now you have a wide area connection. How secure is that? Could someone tap into it, get into my SAN and my data store?”

Bob Zimmerman, a storage industry analyst with Forrester Research Inc., headquartered in Cambridge, Mass., said SANs evolved out of less-sophisticated technology. As companies come to rely on SANs for their data storage needs, that simple past makes security a tough go.

“Mostly because of the way SANs were constructed, most of them are upgrades of a direct-attached disk array. The storage administrator and the security administrator are essentially relying on the server security to protect both the storage and applications.”

To ensure security, Marrone advocates a “holistic” approach that includes logical unit number (LUN) masking and zoning, both of which help make sure that only certain people can access various aspects of the SAN.

But LUN masking and zoning are only the first steps, Marrone said. She pointed out that new technology from companies like NeoScale Systems Inc., Decru Inc., Vormetric Inc. and Mississauga, Ont.-based Kasten Chase Applied Research Ltd. (KC) takes SAN security to the next level: “Authentication, server to storage and encryption of the data at rest,” she said.

KC in April unveiled Assurency SecureData, a SAN protection platform that incorporates encryption and authentication. All in all, Assurency locks down data sitting in the SAN, as well as data travelling from one part of the SAN to another, said Hari Venkatacharya, senior vice-president, secure networked storage with KC.

He said LUN masking and zoning aren’t always enough to keep the SAN safe.

“There are known vulnerabilities. You can very easily spoof an HBA (host bus adapter). … You could also spoof the switch by its worldwide name, attach another server to it and suck out all the information from a SAN.”

Assurency encrypts data using PCI cards installed on the servers. This helps protect the info as it travels and while it’s at rest, Venkatacharya said. As well, authentication via a separate appliance in the SAN fabric bolsters LUN masking and zoning so only the right people access the right information.
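The following is an added example, not part of the original article and not Kasten Chase's design: a simplified Python model of the point made above, that zoning and LUN masking decide access from the worldwide name (WWN) a host reports about itself, while an added challenge-response step requires proof of a secret bound to that WWN. The WWNs, LUN numbers and the HMAC-based scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample fabric; WWNs, LUNs and the per-host secret scheme are assumptions.
HOST, ARRAY = "10:00:00:00:c9:aa:aa:01", "50:06:01:60:bb:bb:00:01"
ZONES = {"zone_db": {HOST, ARRAY}}
LUN_MASKS = {(ARRAY, HOST): {0, 1}}
HOST_KEYS = {HOST: secrets.token_bytes(32)}  # held by the authenticating appliance

def zoned_together(initiator, target):
    """Zoning: both ports must be members of at least one common zone."""
    return any(initiator in z and target in z for z in ZONES.values())

def lun_visible(initiator, target, lun):
    """LUN masking: the array exposes a LUN only to listed initiator WWNs."""
    return lun in LUN_MASKS.get((target, initiator), set())

def wwn_only_access(claimed_wwn, target, lun):
    """Decision based solely on the WWN the initiator reports about itself."""
    return zoned_together(claimed_wwn, target) and lun_visible(claimed_wwn, target, lun)

def respond(key, challenge, wwn):
    """Initiator side: prove possession of the key bound to this WWN."""
    return hmac.new(key, challenge + wwn.encode(), hashlib.sha256).digest()

def authenticated_access(claimed_wwn, target, lun, responder):
    """Same zoning and masking checks, preceded by a challenge-response."""
    key = HOST_KEYS.get(claimed_wwn)
    if key is None:
        return False
    challenge = secrets.token_bytes(16)  # fresh per attempt, so old replies are useless
    reply = responder(challenge, claimed_wwn)
    if not hmac.compare_digest(respond(key, challenge, claimed_wwn), reply):
        return False
    return wwn_only_access(claimed_wwn, target, lun)

def demo():
    genuine = lambda c, w: respond(HOST_KEYS[HOST], c, w)
    impostor = lambda c, w: respond(secrets.token_bytes(32), c, w)  # lacks the key
    return {
        "wwn_only_with_copied_wwn": wwn_only_access(HOST, ARRAY, 0),
        "auth_genuine_host": authenticated_access(HOST, ARRAY, 0, genuine),
        "auth_copied_wwn": authenticated_access(HOST, ARRAY, 0, impostor),
        "auth_unmasked_lun": authenticated_access(HOST, ARRAY, 7, genuine),
    }

if __name__ == "__main__":
    print(demo())
```

The last entry shows that authentication supplements masking rather than replacing it: a genuine host is still refused a LUN that is not masked to it.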

Venkatacharya said other vendors combine encryption and authentication in one appliance. KC’s relatively distributed architecture offers certain benefits.

“It’s much more cost-effective. If you’re encrypting in an appliance, you have to add more appliances when you add more servers. In our case, you’re just adding more cards. Cards are less expensive than boxes would be.”

As well, “you want to make sure you store the keys away from where the encryption occurs,” Venkatacharya said, explaining that the appliance holds the keys, whereas encryption occurs at the server. Because the keys are held in a separable module in the appliance, “You could take that hardware security module, and…store it in a vault off-site somewhere. Even if the appliance crashes, you still have access to your keys.”

Venkatacharya said Assurency also addresses wide-area connections between multiple SANs. “The appliance also acts as a gateway to other SAN islands. You could use SSH to communicate between two appliances securely and the appliance runs the authentication, as well as stores the keys, for the other SAN fabric.”

Assurency itself is a step towards the next level of SAN security, wherein service providers offer comprehensive packages that address LAN and SAN security as one, Venkatacharya said.

But Marrone had a different opinion. For her, data security is too important for most businesses to outsource. “As far as handling the primary data, it’s not going to happen. Why would you outsource the security of your data to a third party that you don’t even employ? You don’t know these people.”