Storage security

Emerging storage networking topic of interest

• Executive summary
• Introduction to storage security
• Storage security in the context of the larger data center
• Storage security: attacks, exposures, mitigations
  – Goal of storage security: attacks and resulting exposures
  – Mitigation of storage security risks
  – Important topics outside scope of storage security
  – Confidentiality, integrity, and destruction of data
  – Storage security model
• Data security
  – Authentication
  – Authorization
  – Encryption
• Management security
  – Authentication
  – Authorization
  – Audit
• Summary and recommendations
• Glossary
• For more information


Executive summary

Storage has evolved into a resource shared by many systems over the last decade. In the past it was sufficient to secure the one system to which a storage device belonged. A storage device is now connected to many systems, and must protect:

• Confidentiality of data (reads, other than by the application or user who owns it)
• Integrity of data (modifications, other than by the application that owns it)
• Against destruction of or loss of access to data, without authorization

The means used to mitigate these risks are:

• Identification (authentication)
  – An administrator must log on before administrative actions are permitted.
  – Emerging technology: Devices must log in to the storage network before doing I/Os. This prevents, for example, a system from forging another system’s WorldWide Name (WWN) to gain access to its data.

• Authorization
  – Individual administrators are permitted to do only certain actions on certain devices.
  – Storage devices check I/Os against the list of systems permitted to access the specific block of data (LUN), rejecting any I/O from an unauthorized source.

• Audit
  – The storage subsystem logs all administrative actions (changes) and any events of significance, which enables many problems to be traced back to their origin, and logs the individual who performed the action as well, deterring malfeasance.

• Encryption (not yet in widespread use)
  – Protects both confidentiality (no one saw it) and integrity (no one changed it) of data.

Storage security is a portion of the overall security plan for a data center, and for a business. For that reason, any product-level security model must be augmented by customer business policies and practices, including network and system security.

Priorities for action on storage security:

• Secure management ports and management interfaces on switches, arrays, and so on
  – Use strong passwords; never leave a default unchanged
  – Disable unused management ports on devices
  – Firewall management LAN interfaces from widespread access

• Enable LUN Security (Selective Storage Presentation, LUN masking, and so on)
• Consider encryption, in extraordinary cases or to meet specific business objectives

Most importantly, have a plan for storage security that encompasses people and procedures as well as equipment. Be sure that plan fits with the overall data center and business plans and that network assumptions are consistent. Evolve the plan as both situation and technology allow, then follow the plan. Lastly, test it.


Introduction to storage security

Storage has evolved into a resource shared by many systems over the last decade. In many cases it is no longer sufficient to secure the one system to which a storage device connects: a storage device is now connected to many systems, and must protect the valuable data belonging to each system against unauthorized access, modification, or destruction by any of the other systems. In turn, storage devices must be protected against unauthorized configuration changes, and keep an audit trail of all such changes.

Storage security is part of a given customer’s overall security plan, both for a single data center and for the organization as a whole. It would make no sense to carefully secure the storage but leave the system wide open to the Internet. It should be recognized that security plans will likely have levels to address the varying security requirements of a diverse number of databases and applications.

There are three types of storage to consider today, with a fourth emerging. Direct attached storage (DAS) is connected directly to a single system, much as the disk within a PC. Network attached storage (NAS) is accessed by way of the Ethernet LAN network, and accesses files. Storage area network (SAN) storage is accessed over a storage network, which today is typically Fibre Channel, providing what looks like disk drives to systems. Internet SCSI (iSCSI) offers storage networking over Ethernet LAN, but is not yet in widespread use. Object storage is an emerging technology combining aspects of SAN and NAS. The focus of this paper is storage that is shared between many systems on a network, primarily SAN and secondarily NAS.

Storage security is not a box added to a SAN. Storage security is an attribute of every system, every switch, and every device in the SAN. Storage security must protect against a variety of threats, not all of which can be anticipated in advance. Storage security is also a set of procedures that defines access rights for data, as well as authority for managing devices, and defines an appropriate response when security issues occur. Last but perhaps most important, the people entrusted with access to data or device management authority must be carefully selected.

Authentication, preferably using the organization’s central directory (such as Active Directory, NDS, and so on), has several important benefits. First, an individual can be given authority to manage only specific devices, or provided limited access to many devices (such as being able to look at configuration data but not change it). Second, audit trails (logs) will show not only what was done, but who did it. Such logs both deter deliberate misuse of authority and help recover from incorrect actions. Third, if an individual’s responsibilities change or he or she leaves the organization, it is straightforward to revoke his or her identity or change the authorizations.

In principle, storage security is straightforward. Online storage—disk storage—is allocated in pieces. Each piece belongs to a particular system or user. When the piece is accessed, the storage system looks at the return address on the request, and rejects the request if it is not from the owner. Nearline storage—tape library—requests are made through a backup or other management application, which keeps track of both which system is using which tape drive at the moment, and of backup tapes. For management actions—especially those changing permissions or destroying data—the storage administrator must log on (authenticate) and may perform only those actions permitted by his or her assigned roles. A log of such actions should be kept, so that a record of which administrator took what actions managing which device is available both as an audit trail and in tracing attempts to breach security and other problems to root cause.

In practice, establishing storage security requires specialized knowledge, careful attention to detail, and ongoing review to ensure that the storage solution continues to meet the business’ evolving needs. Threats such as forged return addresses must be mitigated. Most importantly, security by its nature is a three-way balance between the cost of measures taken, the impact of a breach, and the level of resources a determined intruder would need to overcome those measures.


Storage security in the context of the larger data center

While storage security is quite important, it is only one part of the overall security solution for a given customer or data center. Security is a very broad topic, starting with an organization’s goals, environment, regulatory constraints, and tolerance of risk. That direction in turn leads to choices in having doors that lock and security guards, in due diligence choosing employees for positions of trust, in how records are kept and how their integrity is maintained, and in plans assuring that the organization can continue to operate. Storage plays only a modest and indirect role in those business processes, but a critical one because it contains the majority of an organization’s records; many business processes stop if their storage becomes unavailable.

The HP Adaptive Enterprise provides a framework (see Figure 1) showing how both storage and storage security relate to an organization’s business processes, IT infrastructure, and overall security model. Policy and governance are driven from the business level; storage security will over time increasingly rely on security services such as centralized identity (logon).

Figure 1. Adaptive Enterprise security model

[Figure: layers labeled Business Strategy, Business Processes, Information, Resource, Business, Manage and Control, Application Services, Virtualized Resources, Infrastructure Services, and Service. The model’s security elements and their descriptions:]

• Security governance – Organizational structure, processes, procedures, and training to create an effective enterprise information security program
• Application security – Integration and orchestration of security services and controls to implement the security policy and provide end-to-end security
• Information security – Policy related to labeling, handling, use, disclosure, and lifecycle of information
• Business security – Business strategy and processes to define trust relationships and attitude toward risk
• Risk and trust management – Synchronization, assurance, fulfillment, and management of trust relationships, policies, security attributes, and security services; includes event and incident management
• Trustworthy management – Effective trust and security policy and controls applied to the management and control infrastructure
• Trustworthy infrastructure – Combination of system, device, and network security to protect the availability, integrity, and confidentiality of data and processes
• Trust and security services – Identification and authentication, authorization, privacy, confidentiality, integrity, non-repudiation . . .

Within the Adaptive Enterprise security model at lower left, Virtualized Resources represent the organization’s data centers, including storage; storage security is part of Trustworthy Infrastructure. Figure 2 expands Virtualized Resources as a simplified, single data center organization. Storage is the lower fourth of that data center diagram. An organization such as this would have a single overall security plan, in the context of which areas such as network, server, client, email, web server, identity, and storage security are all components.


Figure 2. Storage security affects only a few elements in this simplified view of a data center

[Figure: a simplified data center showing the Internet, Firewalls, Network, Clients, Servers, a Central Directory Service, and the Storage Network.]

Storage security draws not just on the organization’s security governance and attitude toward risk, but also on its centralized identity (authentication) and authorization services. While choices made for storage are independent of choices made for servers or networking, an attacker will seek weaknesses across all three. Logs and audit trails must collectively span all three, as well.

For storage over standard networking, including both NAS and emerging iSCSI block storage, security depends on both how well the network is protected and on security of the storage system itself. This is particularly true when storage is accessed over the organization’s backbone network rather than through an isolated storage network or subnet.

Computer “viruses” and similar sabotage are important topics to consider. The primary means of controlling viruses are network and individual client/server level firewalls, an email firewall that scans messages for known viruses, and individual client/server level virus checkers that inspect files being written to or read from disk for signs of “infection.” For SAN and DAS storage, disk-sized units of storage, called LUNs, are provided to the system and only the system understands where a given file begins and ends, so only the system has sufficient knowledge to check a file for viruses. For NAS and some uses of object storage, virus checking can be done in the storage subsystem. Most importantly, mitigating a threat like computer viruses requires planning and designing at the overall organization level first, then implementing the parts of that solution at appropriate points in the IT infrastructure.


Storage security: attacks, exposures, mitigations

Goal of storage security: attacks and resulting exposures

The goal of storage security is protecting:

• Confidentiality of data (reads, other than by the application or user who owns it)
• Integrity of data (modifications, other than by the application that owns it)
• Against destruction of or loss of access to data, without authorization

The consequences of these are clear. Sensitive business or customer data can be exposed, and business records can be altered or destroyed. One can easily imagine a worst-case scenario for one’s own organization—but also a more typical case, such as a minor administrative error on one system destroying data belonging to another.

Mitigation of storage security risks

The means used to mitigate these risks include:

• Identification (authentication)
  – An administrator must log on (give his or her own userid, then prove he or she is that user by knowing a password or using some more sophisticated mechanism) before administrative actions are permitted.
  – Emerging technology: a device must not only be on the list of devices permitted in the storage network, but must also prove that it is in fact who it says rather than an impostor. This prevents a rogue system from, for example, pretending to be a switch and issuing unauthorized I/Os with forged WWNs to bypass LUN-level security. Fibre Channel’s FC-SP protocol works this way; iSCSI accomplishes the same end but in a slightly different way.

• Authorization
  – Storage devices must verify that the specific administrator who issued a command is authorized to do so, before performing the requested action.
  – Disk arrays must verify that the specific system that issued a read or write command has permission to do so for that LUN, before performing the I/O. Emerging technology: a tape library controller can similarly verify permissions on I/Os to a tape library.

• Audit
  – The storage subsystem as a whole must log all administrative actions (changes) and any events of significance. This is typically done individually in devices, but software to present a single view (and allow queries) is preferred.

• Encryption (not yet in widespread use)
  – Protects both confidentiality (no one saw it) and integrity (no one changed it) of data.
  – Data on disk can be encrypted.
  – Data on tape and other removable media can be encrypted.
  – Data “in flight” between data centers, typically HP StorageWorks Continuous Access data passing over a WAN connection, can be encrypted to protect against wiretapping. In the future, data “in flight” within a data center can also be encrypted.


Important topics outside scope of storage security

A number of very worthwhile and interesting topics are outside the scope of storage security addressed in this paper because they occur outside the storage subsystem (network and devices):

• One viewpoint on assuring confidentiality of sensitive data is that data should be encrypted by the application. This is the ideal end-to-end solution on paper, but is rarely done in practice because of the expertise it requires of application vendors, the effect on application performance, the large number of CPU cycles encryption requires, the complexity of key management including the risk of lost keys, and the difficulty of sharing or archiving encrypted data. The storage system is not aware that the data it is storing is encrypted.
  – Ideally, encryption in the system would be done by a sealed, tamper-proof hardware device so that the keys could not be obtained by compromising the system. This topic is very advanced and beyond the scope of this paper.
  – For application-independent archiving as part of Information Lifecycle Management (ILM), the application would provide non-encrypted data to the reference store, which would in turn be responsible for any encryption. Searching and indexing are only meaningful when done on non-encrypted data.

• Physical destruction of the data center by natural disaster, fire, bombing, and so on. Disaster recovery plans should be in place for any data upon which an organization depends.

• Destruction of data due to human error, hardware malfunction, or software defect. Backup and Restore/Recovery plans should be in place for any data upon which an organization depends.

• If an attacker takes control of a system with legitimate access to a piece of storage, the data is completely vulnerable as the storage system cannot distinguish which application or user is issuing a read or write request.

• It is not the intent of this paper to address national security or military grade security, including, but not limited to, special antennas capturing stray electrical signals, destroying failed hard drives on site, storing removable hard drives in a safe except when data is being used, and so on.


Confidentiality, integrity, and destruction of data

Many ways exist to gain unauthorized access to data, retrieve it, alter it, or destroy it. The following table gives a number of examples, ranging from straightforward cases every storage network installation should consider, to very advanced topics only appropriate to address in the most sophisticated installations. Many mitigations are expressed in the Fibre Channel context; iSCSI has functional equivalents for each.

| Attack/Vulnerability | Exposure | Mitigation |
|---|---|---|
| Steal disks (includes data recovery from failed disk mechanisms) | Data exposed, loss of data | Physical security of data center; restrict access to data center. Future: encrypt data on disk |
| Steal backup tapes | Data exposed | Backup tapes in vault; restrict access to tape vault. Future: encrypt data on tape or other backup media |
| Copy disks | Data exposed | Physical security of data center. Future: encrypt data on disk |
| Access to disk array by unauthorized system | Data exposed, modification of data | LUN masking; LUN-level security |
| Access to tape library by unauthorized system | Data exposed, modification of data | Backup application; roles and authorization; tape security in HP Extended Tape Library Architecture |
| “Spoofing” attack: forge I/Os as if from authorized system | Data exposed, loss of data, modification of data, loss of access | Fabric checks addresses, rejects packets with forged addresses. Future: mutual authentication of systems and storage with FC-SP |
| Wiretapping within data center | Data exposed | Physical security of data center; restrict access to data center. Future: encryption with FC-SP |
| Wiretapping between data centers (using Continuous Access) | Data exposed | Use dedicated fibre/Dense Wave Division Multiplexing (DWDM); encrypt traffic |
| Unauthorized change to permissions in the disk array | Data exposed, loss of data, modification of data | Limit physical access to array management ports; strong authentication; role-based permissions |
| Unauthorized change to permissions in the switch | Data exposed, loss of access, modification of data | Limit physical access to switch management ports; strong authentication; role-based permissions |
| System mounts and initializes volume it does not own, due to software defect, operator error, or miscommunication | Loss of data, data exposed | LUN masking; LUN security |


Storage security model

A number of mitigations were introduced in the preceding table. These fall into data access path and management access path measures, and will be described in the following two sections.

Figure 3 places major parts of these mitigations into the categories of data security and management security, then further divides those categories. Some items in these categories are in routine use today, while others represent the leading edge of what can be done (or could be done in the next few years). For example, selectively showing each system only the devices and LUNs it is allowed to access is a feature in widespread use in SAN installations today, while storage encryption is a leading-edge technology. Simplified language has been used: “Authentication of users” encompasses not just Single Sign On but also more traditional approaches.

Data access security and management security are discussed in detail in the next sections of this document.

Figure 3. Storage security model

[Figure: Storage Security divided into two branches.]

• Management
  – Identity (Authentication) of administrators
  – Authorization and roles of administrators
  – Audit trails and logs
• Data Access
  – Identity (Authentication) (is this device who it says?)
  – Authorization (access rights) (selective presentation of devices and LUNs)
  – Confidentiality and integrity (includes encryption of data)


Data security

Three broad technology areas are involved in mitigating the risk of unauthorized access, modification, and destruction of data. They are Identity (Authentication), Authorization (LUN Security), and Confidentiality/Integrity (Encryption).


Authentication

Authentication of devices is an effort expended by a device to ensure the identity of another device with which it is communicating.

There are three levels of authentication relevant to storage: none, trusting the device’s address, and challenging the device to prove its identity. Historically no authentication at all was done. More recently the Fibre Channel WWN has been trusted as a device’s identity. Looking to the future, both in Fibre Channel and in iSCSI, state-of-the-art challenge/response protocols will be used to confirm a device’s identity.

No authentication

Devices on a SCSI cable are presumed to belong there; there is no concept of identity.

Early Fibre Channel installations split a SAN into zones. A system connected to a zone was presumed to belong there, much as a system on a SCSI cable. Zoning remains important for isolating traffic for interoperability or fault isolation reasons.

Fibre Channel WWN

Current Fibre Channel best practice is that online storage identifies the unique WWN of the system making a request, using that WWN as its identity. For security against simple administrative errors and against casual attacks this is sufficient. It is theoretically possible for a determined and knowledgeable attacker to forge (“spoof”) a WWN belonging to another system. Leading-edge mitigation of this theoretical attack today involves (1) ensuring the SAN contains no unauthorized “rogue” switches, (2) disabling all unused ports on the fabric, and (3) restricting each SAN port to allow only traffic from the WWN (device) that is supposed to be connected, using an advanced switch feature.
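The two data-path checks this paper relies on, port-to-WWN binding in the fabric (point 3 above) and LUN masking in the array (the Authorization measures in the executive summary and the mitigation table), modelled in Python as an added example. This is illustration, not HP product code; every WWN, port name and LUN number is a constructed sample value, and each rejected I/O leaves the audit record the paper asks for.

```python
"""Model of two data-path checks in a Fibre Channel SAN: switch-port WWN
binding in the fabric and LUN masking in the disk array, each writing an
audit record for every rejected I/O.
Added illustration, not HP code; all WWNs, ports and LUN numbers are
constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample port WWNs in the usual colon notation.
HOST_A = "10:00:00:00:c9:aa:aa:01"
HOST_B = "10:00:00:00:c9:bb:bb:02"
BACKUP = "10:00:00:00:c9:cc:cc:03"


@dataclass
class Request:
    """One I/O as the fabric sees it: the WWN the frame claims, the switch
    port it physically arrived on, and the LUN it targets."""
    wwn: str
    ingress_port: str
    lun: int
    op: str  # "read" or "write"; kept only for the audit record


@dataclass
class Fabric:
    """Switch with port binding: a port passes only the WWN configured for
    it, and a port absent from the table is disabled."""
    port_binding: Dict[str, str]  # port -> permitted WWN
    audit: List[str] = field(default_factory=list)

    def admit(self, req: Request) -> bool:
        expected = self.port_binding.get(req.ingress_port)
        if expected is None:
            self.audit.append(
                f"fabric DENY port={req.ingress_port} disabled wwn={req.wwn}")
            return False
        if expected != req.wwn:
            self.audit.append(
                f"fabric DENY port={req.ingress_port} bound={expected} "
                f"claimed={req.wwn} (forged WWN)")
            return False
        return True


@dataclass
class Array:
    """Disk array with LUN masking: each LUN is presented only to the WWNs
    in its mask, independently of what the fabric let through."""
    masks: Dict[int, Set[str]]  # lun -> WWNs permitted to access it
    audit: List[str] = field(default_factory=list)

    def check_io(self, req: Request) -> bool:
        if req.wwn not in self.masks.get(req.lun, set()):
            self.audit.append(
                f"array DENY {req.op} lun={req.lun} wwn={req.wwn} not in mask")
            return False
        return True


def process(fabric: Fabric, array: Array, req: Request) -> Tuple[bool, str]:
    """Apply the checks in the order a real frame meets them."""
    if not fabric.admit(req):
        return False, "rejected by fabric"
    if not array.check_io(req):
        return False, "rejected by array"
    return True, "ok"


def build_san() -> Tuple[Fabric, Array]:
    """Constructed configuration: two hosts and a backup server, each on its
    own bound port; LUN 0 belongs to HOST_A, LUN 1 to HOST_B, and the backup
    server is presented both. Port fc1/7 is unused and therefore unbound."""
    fabric = Fabric({"fc1/1": HOST_A, "fc1/2": HOST_B, "fc1/3": BACKUP})
    array = Array({0: {HOST_A, BACKUP}, 1: {HOST_B, BACKUP}})
    return fabric, array


def run_scenarios() -> Dict[str, object]:
    fabric, array = build_san()
    cases = {
        # Owner reads its own LUN through its own port.
        "owner_read": Request(HOST_A, "fc1/1", 0, "read"),
        # Operator error from the table: HOST_A tries to write HOST_B's LUN.
        "wrong_lun": Request(HOST_A, "fc1/1", 1, "write"),
        # Frame on HOST_A's port claiming HOST_B's WWN: caught by port binding.
        "forged_wwn": Request(HOST_B, "fc1/1", 1, "read"),
        # A device plugged into an unused, disabled port.
        "unused_port": Request(HOST_B, "fc1/7", 1, "read"),
        # Backup server legitimately reads a LUN it is presented.
        "backup_read": Request(BACKUP, "fc1/3", 1, "read"),
    }
    results = {name: process(fabric, array, req) for name, req in cases.items()}
    # Denials are logged in the device that rejected them; accepted I/Os are not.
    return {"results": results, "audit": fabric.audit + array.audit}


if __name__ == "__main__":
    out = run_scenarios()
    for name, outcome in out["results"].items():
        print(f"{name:12s} {outcome}")
    print("\n".join(out["audit"]))
```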


Fibre Channel Security Protocol (FC-SP) (Future)

Current work in the Fibre Channel industry standards body includes developing the FC-SP security standard, which is hoped to complete in 2004, with product to follow. Under FC-SP, Fibre Channel devices will mutually authenticate using state-of-the-art challenge/response protocols. Several years will pass before FC-SP–enabled devices will be pervasive enough to make it practical to lock non-FC-SP devices out of a pre-existing SAN.

iSCSI

iSCSI provides for the use of the Challenge Handshake Authentication Protocol (CHAP, a state-of-the-art challenge/response protocol) for a storage client to authenticate itself to the storage server, during login time, much as FC-SP does. It is thus not possible for a storage client to masquerade as a valid user of another’s iSCSI port ID. However, if the iSCSI traffic is not encrypted, a sophisticated attack could theoretically take over an established connection. Such encryption is accomplished using Internet Protocol Security (IPsec), a set of protocols that allows encryption of data over an IP network like a LAN or even the Internet. IPsec prevents this attack because the attacker cannot know the correct data encryption keys. IPsec depends on the customer’s security infrastructure, specifically on CHAP (or possibly SRP) for authentication, on IPsec policies, and on an appropriate mechanism for exchanging keys.

When implementing IP-based storage, whether iSCSI or NAS, it is important to keep in mind just how broadly a network is connected. While the greatest risk may be from a disgruntled employee or simple error, an external attack would find a Fibre Channel SAN contained entirely within a locked data center a much more difficult target than an open network reaching every desk in a company, which is in turn harder to reach than the Internet.

Central directories and challenge/response protocols background

While details vary and can be quite complex, state-of-the-art authentication is simple in concept. A data center (preferably the whole organization) has a single server containing a list of all the “authorized entities” (people, applications) in the organization, and what their roles are (really, what they are allowed to access or do). Assume device A asks device B to perform an action. Device B “challenges” device A by giving it a random number to combine with device A’s “key” (password) in a special way. Device B then sends both the random number and device A’s response to the authentication server, which responds “yes, device A used its key, it’s who it says it is” or “no, it didn’t.” Most importantly, this process centralizes authentication without keys ever appearing on the network in the clear and without device B seeing device A’s key.

A variant of this approach uses Public Key Encryption, in particular “Certificates.” For Public Key Encryption, a particular user (or company or device) is given a pair of keys—a public key and a private key. Two basic operations can be performed: encrypt data with your private key, and anyone can decrypt it with your public key; anyone can encrypt a message with your public key, knowing that only you have the private key to decrypt it. Roughly speaking, for trusted communication between two users (devices), the message is encrypted using the recipient’s public key, then a checksum of the message is encrypted using the sender’s private key. A “Certificate” is a user’s name, public key, an expiration date, and the assertion by a certificate-issuing authority that it was really the user and not someone else the certificate was issued to. Care must be taken in which certificate-issuing authorities to trust and in the actual issuing of certificates: unlike a central directory, which can instantly revoke an identity, a certificate has a life of typically a year. The whole topic of “Public Key Infrastructure”—certificate-issuing authorities, secure distribution of private keys to their owners, means of finding someone’s public key—requires both expertise and effort to establish and operate.
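The public-key flow just described (encrypt to the recipient’s public key, sign a checksum with the sender’s private key, and carry the public key in a certificate with an expiry date), as an added example written for this page rather than code from HP or any product. It uses textbook RSA with small constructed primes and no padding, so it shows only the mechanics and is not a usable cryptosystem; the names, dates and message are constructed.

```python
"""Textbook public-key operations and a minimal certificate check.
Added illustration only: small constructed primes, no padding, hash reduced
modulo n. Shows the mechanics described in the text, nothing more."""
import hashlib
from datetime import date

E = 65537  # conventional public exponent


def make_keypair(p, q):
    """Return ((e, n), (d, n)) from two primes (constructed; far too small for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (E, n), (d, n)


def _chunks(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


def encrypt(public, data):
    """Anyone can encrypt with the public key; only the private-key holder can decrypt.
    3-byte chunks keep every plaintext integer below n for the key sizes used here."""
    e, n = public
    return [(len(c), pow(int.from_bytes(c, "big"), e, n)) for c in _chunks(data, 3)]


def decrypt(private, blocks):
    d, n = private
    return b"".join(pow(c, d, n).to_bytes(length, "big") for length, c in blocks)


def sign(private, data):
    """'Encrypt a checksum with your private key': SHA-256 of the data, reduced mod n (toy)."""
    d, n = private
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def verify(public, data, signature):
    """Anyone can 'decrypt' the signature with the public key and compare to the checksum."""
    e, n = public
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == h


def certificate_bytes(name, public, expires):
    """Canonical form of (name, public key, expiry) that the issuing authority signs."""
    return f"{name}|{public[0]}|{public[1]}|{expires.isoformat()}".encode()


def issue_certificate(issuer_private, name, public, expires):
    sig = sign(issuer_private, certificate_bytes(name, public, expires))
    return {"name": name, "public": public, "expires": expires, "signature": sig}


def certificate_valid(cert, issuer_public, today):
    """Trust the key only if a trusted issuer signed it and it has not expired.
    Unlike a central directory, nothing here revokes it before the expiry date."""
    body = certificate_bytes(cert["name"], cert["public"], cert["expires"])
    return verify(issuer_public, body, cert["signature"]) and today <= cert["expires"]


def send_secure(sender_private, recipient_public, message):
    """Recipient's public key protects the content; sender's private key proves its origin."""
    return {"blocks": encrypt(recipient_public, message),
            "signature": sign(sender_private, message)}


def receive_secure(recipient_private, sender_public, envelope):
    """Decrypt, then accept the message only if the sender's signature checks out."""
    message = decrypt(recipient_private, envelope["blocks"])
    return message if verify(sender_public, message, envelope["signature"]) else None


if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(104729, 1299709)        # constructed issuing authority
    alice_pub, alice_priv = make_keypair(15485863, 32452843)
    bob_pub, bob_priv = make_keypair(49979687, 67867967)
    cert = issue_certificate(ca_priv, "bob", bob_pub, date(2005, 5, 1))
    print("bob's certificate valid on 2004-05-01:", certificate_valid(cert, ca_pub, date(2004, 5, 1)))
    env = send_secure(alice_priv, cert["public"], b"rotate the array key tonight")
    print("bob reads:", receive_secure(bob_priv, alice_pub, env))
```

The `certificate_valid` check is where the text’s caveat about certificate lifetime shows up: a certificate that was issued for a year stays valid for that year unless the relying party also consults revocation information, which this example does not model.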

Authorization

Authorization has evolved from the DAS model of “if you can see it, you own it” to more sophisticated mechanisms that enable pooling of resources on the SAN.

Authorization (access rights) (selective presentation of devices and LUNs)

No authorization needed

As mentioned before, SCSI does not have an authorization mechanism: any system can read and write any device connected to the same cable.

Early Fibre Channel SANs offered a variant of SCSI by dividing the SAN into segments, called “zones.” Each zone behaved like a SCSI cable—any system in the zone could read and write any device in the zone. Later versions allowed overlapping zones. Today, of course, zoning remains important, primarily used to isolate traffic for interoperability or fault isolation reasons.

LUN masking/selective LUN presentation based on WWN

Current state-of-the-art authorization for Fibre Channel SANs is that each storage device maintains, for each LUN it presents to the SAN, a list of which systems (which WWNs) are allowed to access that LUN. When a system asks the storage device which LUNs it offers, the storage device responds by naming only the LUNs that system is allowed to access. Likewise, when a system sends a read or write I/O to storage, the storage device checks whether that system is authorized to perform that read or write. (Note: this explanation is simplified; several variants of this basic approach are used by different products in the industry.) The LUN authorization lists are typically created by system administrators who access the array’s configuration utility through a password-protected interface.
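The two Fibre Channel authorization checks described so far (switch port binding with unused ports disabled, from the Fibre Channel WWN section, and per-LUN WWN masking on the array), modeled together as an added example written for this page rather than HP or product code. The WWNs, port numbers, LUN numbers and the simplified `report_luns`/`read`/`write` interface are constructed for the illustration.

```python
"""Model of fabric port binding plus array-side LUN masking.
Added illustration; every identifier below is constructed."""

HOST_A = "50:06:0b:00:00:c2:62:00"   # constructed WWN
HOST_B = "50:06:0b:00:00:c2:62:02"   # constructed WWN


class FabricSwitch:
    """Port binding: each enabled port admits exactly one WWN; a disabled port admits none."""

    def __init__(self):
        self._binding = {}   # port number -> WWN allowed to log in there

    def bind_port(self, port, wwn):
        self._binding[port] = wwn

    def disable_port(self, port):
        self._binding.pop(port, None)

    def admit(self, port, wwn):
        """A device presenting some other system's WWN on this port is not admitted."""
        return self._binding.get(port) == wwn


class StorageArray:
    """LUN masking: per-LUN list of WWNs allowed to see and use that LUN."""

    def __init__(self):
        self._masks = {}    # lun -> set of WWNs
        self._blocks = {}   # (lun, lba) -> data

    def present_lun(self, lun, wwn):
        self._masks.setdefault(lun, set()).add(wwn)

    def authorized(self, wwn, lun):
        return wwn in self._masks.get(lun, set())

    def report_luns(self, wwn):
        """Like SCSI REPORT LUNS, but naming only the LUNs this WWN may access."""
        return sorted(lun for lun, allowed in self._masks.items() if wwn in allowed)

    def write(self, wwn, lun, lba, data):
        if not self.authorized(wwn, lun):
            return False
        self._blocks[(lun, lba)] = data
        return True

    def read(self, wwn, lun, lba):
        if not self.authorized(wwn, lun):
            return None
        return self._blocks.get((lun, lba))


def build_demo_san():
    """Two hosts on bound ports; LUN 0 private to host A, LUN 1 shared by A and B."""
    switch = FabricSwitch()
    switch.bind_port(1, HOST_A)
    switch.bind_port(2, HOST_B)
    switch.disable_port(3)              # unused port stays closed
    array = StorageArray()
    array.present_lun(0, HOST_A)
    array.present_lun(1, HOST_A)
    array.present_lun(1, HOST_B)
    return switch, array


def io_request(switch, array, port, wwn, op, lun, lba, data=None):
    """Both checks in order: fabric admission first, then array-side masking.
    Returns (status, payload) where payload is the data read, if any."""
    if not switch.admit(port, wwn):
        return "rejected_by_fabric", None
    if not array.authorized(wwn, lun):
        return "rejected_by_array", None
    if op == "write":
        array.write(wwn, lun, lba, data)
        return "ok", None
    return "ok", array.read(wwn, lun, lba)


if __name__ == "__main__":
    sw, arr = build_demo_san()
    print("host A sees LUNs", arr.report_luns(HOST_A), "; host B sees", arr.report_luns(HOST_B))
    print(io_request(sw, arr, 1, HOST_A, "write", 0, 7, b"payroll"))
    print(io_request(sw, arr, 2, HOST_B, "read", 0, 7))     # B is not masked in on LUN 0
    print(io_request(sw, arr, 2, HOST_A, "read", 0, 7))     # A's WWN on B's port: stopped at the fabric
```

Note the ordering: the array never sees a request from a WWN that the fabric did not admit on the expected port, which is why the text pairs port binding with LUN masking rather than relying on either alone.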

iSCSI

iSCSI devices offer both device-level and per-LUN Access Control Lists (ACLs). Per-LUN ACLs are similar to Fibre Channel LUN masking. VLANs on the network are analogous to Fibre Channel zones. It is up to administrators to verify that a particular array supports the features they plan to use.

Network Attached Storage (NAS)

NAS is delivered by a server connected to the network, behind which either DAS storage or SAN-connected storage is used. Data accesses are typically by one of two protocols, either “NFS” (UNIX® heritage) or “CIFS” (Microsoft® Windows® heritage). Both protocols treat permissions for file access in much the same way as file access on a local system works: a file system has an owner, who sets permissions (read, write, and so on) based on the user’s identity and the groups to which the user (identity) belongs.

Mainstream NFS protocols are in widespread use and quite effective. However, they are subject to “spoofing” attacks, where an unauthorized entity impersonates an authorized one, and should always be isolated from malicious users (and from the Internet) by an appropriately configured firewall.

Devices that combine NAS and iSCSI are starting to become available. While sharing a common network connection (and hence being behind a common firewall), the two protocols have very different access rights mechanisms that are administered separately.

Reference stores and ILM

An emerging class of storage addresses information that is no longer changing but that the organization must store cost-effectively for long-term read access, and records that must be stored in compliance with laws or regulations, such as those prohibiting tampering or deletion. Like NAS, this storage can be modeled as a server in front of DAS storage; such storage is usually instantiated as a cluster of many storage units, which are accessed by way of emerging protocols over Ethernet LAN. Interestingly, such stores can include a selection of different types of storage systems that contribute different performance, availability, and other capabilities to the store.

It is clear that permissions to access archives of corporate trade secrets must be more restrictive than permissions to access historic press releases. For example, attorneys doing discovery in e-mail archives need access which for privacy reasons would not be granted to everyone.

Reference store security standards have not yet emerged, but it is clear that reference stores (which themselves might contain more than one storage subsystem) will need security analogous to conventional storage arrays, including both authentication and authorization. Also, audit trails must be maintained within reference stores. At the least, these must be able to satisfy regulatory compliance requirements.

Encryption

Encryption has drawn a lot of attention. Taken purely as a technology, that exotic branch of mathematics, which for centuries was out of reach of all but military and espionage, has suddenly found a mass market. The Internet has made it necessary to secure transactions across an untrusted connection between parties who trust each other, and VLSI technology has made such security affordable. On the other hand, exponential growth in computer power has made it possible for experts to “try every possible key” and decode messages which just a few years ago were thought unbreakable.

While encrypting (or decrypting) data at hundreds of megabytes per second—storage system speeds—is considerably more difficult than encrypting a few thousand bytes using software on your PC, such speeds are attainable using commercially available technology today. Many people across the storage industry have thought about how this technology could be applied, resulting in a number of products from a variety of companies.

Rather than seeking applications for one of these products, consider systematically the customer needs that encryption might address. In general, data can be encrypted either in flight (crossing a Fibre Channel, Ethernet, or WAN network) or at rest (on a disk or tape).

Confidentiality and integrity (includes encryption of data)

Data in transit between data centers

When data is copied between data centers, usually as part of a disaster recovery plan, it is no longer protected from wiretapping by the physical security of those data centers. There are degrees of risk to this: passing through a few kilometers of optical fiber in cable channels owned entirely by the customer is a far lower risk than passing over a leased line, which is in turn a far lower risk than passing the data over the Internet backbone.

In any of these situations, the lack of physical security on cables outside the data center can be mitigated by passing the traffic through an encryption box before it leaves the sending data center, and of course through a corresponding decryption box after entering the receiving data center. Such boxes are available today for both Fibre Channel and IP networking, with the latter called IPsec gateways. Such installations are uncommon today because cost and complexity of such measures are greater than the perceived risk.

In the particular case of iSCSI, HP anticipates IPsec will be built into future interfaces, making encryption more affordable and more ubiquitous than is possible with IPsec gateways, presuming that IPsec policy and key distribution infrastructure are available. IPsec software layered above standard VLSI is available today; HP anticipates the industry will have premium-priced interface VLSI with IPsec within a few years, but that mainstream-priced interfaces will not include IPsec hardware for at least five years.

Data in transit within a data center

While the security plans of most data centers establish a secure perimeter and assume that the risk of wiretapping within the data center is low, situations do exist where encrypting even traffic within the data center is necessary. In these situations today, the only available technology is encryption boxes for Fibre Channel (akin to IPsec gateway boxes). There are two future technologies of interest:

Fibre Channel Security Protocols (FC-SP future)

The Fibre Channel Security Protocols (FC-SP) standard includes not just authentication as previously mentioned, but also Encapsulating Security Payload (ESP) encryption, which provides a way for Fibre Channel devices to exchange keys and then encrypt all data flowing between them. Because all elements of the SAN must have not just FC-SP but also the encryption feature before there is a real benefit to its use, HP anticipates it will be several years before ESP is used and many years before it is pervasive.

iSCSI (IPsec future)

IPsec is in common use today, although rarely at the speeds needed for storage. As Ethernet interfaces with built-in line speed encryption become more common (and less expensive), it will become practical to encrypt storage traffic in the data center. This is at least several years in the future.

Data on disk (online storage)

Incidents in which media containing valuable data, or customer data which must remain private, are stolen from a data center are reported regularly in the media. Privacy legislation such as California SB1386 makes these incidents more visible, except when the data is encrypted.

Data is encrypted by transforming it in a special way using a secret key. After the data is encrypted, it cannot be used unless decrypted using that key. Various encryption algorithms exist in the industry, such as Data Encryption Standard (DES), triple DES, and Advanced Encryption Standard (AES). One very important choice made in encryption is the length of the key in bits. A very short key, for example 10 bits, has only 1,024 possible values (2^10), so it would be straightforward to attempt decryption using all 1,024 possibilities, look at the results, and know which one was correct—in maybe a second of computer time on a PC. This is called “cracking” the encryption. A very long key, for example 1,000 bits, has 2^1000 possibilities, which are far too many to try in a million years using all the computers in existence. However, encrypting using a 1,000-bit key is quite compute intensive and completely impractical today at disk I/O speeds. Practically speaking, to run at disk speeds an encryption algorithm and key length must be chosen for which a high-speed encryption/decryption VLSI device exists already. This means that if a well-funded and expert government organization really wanted to “crack” what was on that disk they could, but no commercial organization (and certainly no hacker) could do so. Such a length today is between 100 and 150 bits. (Triple DES achieves what is considered 112-bit strength by encrypting three times with separate 56-bit keys.) Keys must be generated randomly: if a key can be guessed, including guessed by knowing a weakness of the random number generator it came from, security is compromised.
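The key-length arithmetic in the paragraph above, made concrete as an added example written for this page (not HP or product code). The “cipher” is a repeating XOR of a 10-bit key, constructed purely to show what “try every possible key” means; it is not a real cipher, and the sample plaintext, the assumed search rate of a billion keys per second, and the helper names are all constructed.

```python
"""Brute-forcing a 10-bit toy key, and the time the same search would take
for longer keys.  Added illustration; the XOR 'cipher' is a constructed toy."""
import os
import time

KEY_BITS = 10
KEY_SPACE = 1 << KEY_BITS          # 2**10 = 1,024 possible keys


def toy_encrypt(key, data):
    """XOR the data with the 2-byte encoding of the key. XOR is its own inverse,
    so the same call decrypts. This is NOT a real cipher."""
    kb = key.to_bytes(2, "big")
    return bytes(b ^ kb[i % 2] for i, b in enumerate(data))


def random_key(bits):
    """Keys must come from a cryptographic RNG (os.urandom), never from a
    guessable seed such as the clock; a guessable key defeats any key length."""
    return int.from_bytes(os.urandom((bits + 7) // 8), "big") & ((1 << bits) - 1)


def crack_toy(ciphertext, known_prefix):
    """'Cracking': try every key and keep the one whose output carries the
    expected header. Returns (key, elapsed_seconds, keys_tried)."""
    start = time.perf_counter()
    for candidate in range(KEY_SPACE):
        if toy_encrypt(candidate, ciphertext).startswith(known_prefix):
            return candidate, time.perf_counter() - start, candidate + 1
    return None, time.perf_counter() - start, KEY_SPACE


def seconds_to_exhaust(key_bits, keys_per_second):
    """Worst-case time to try all 2**key_bits keys at a given rate."""
    return (2 ** key_bits) / keys_per_second


def years_to_exhaust(key_bits, keys_per_second):
    return seconds_to_exhaust(key_bits, keys_per_second) / (365.25 * 24 * 3600)


# Constructed sample: a recognizable header is what lets the search tell the right key from the rest.
SAMPLE_PLAINTEXT = b"VOLHDR volume=finance-01 "

if __name__ == "__main__":
    key = random_key(KEY_BITS)
    ct = toy_encrypt(key, SAMPLE_PLAINTEXT)
    found, secs, tried = crack_toy(ct, b"VOLHDR")
    print(f"10-bit key recovered: {found == key}, {tried} keys tried in {secs:.4f} s")
    rate = 1e9   # assumed search rate: one billion keys per second
    for bits in (56, 112, 128, 1000):
        print(f"{bits:5d}-bit key at {rate:.0e} keys/s: {years_to_exhaust(bits, rate):.3e} years")
```

Each extra key bit doubles the search, which is why the text places the practical boundary in the 100 to 150 bit range: at the assumed rate, the 10-bit space falls in about a microsecond, while 2^112 keys take on the order of 10^17 years.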

Encrypting data on disk requires appropriate key management, which must balance the difficulty of changing a key (all data must be rewritten) with the risk of loss of a key (in which case all data is lost). Keeping more copies of a key makes it more likely one will be compromised; keeping only one or a few copies makes it more likely the key will be destroyed by a system failure or human error. Key management software exists in the industry today, but success in managing encrypted data today depends far more on people and processes than on technology.

Data can be encrypted on disk or tape today using the same box products used for data-in-transit encryption. HP has considered encryption within storage controllers such as disk arrays over the past decade; at this time the cost and complexity of such a feature are not consistent with the needs of most of our customers. HP will continue to consider this feature in future products based on cost, complexity, and evolving customer needs.

Data on tape, optical disks, and other media (nearline storage)

Backup tapes are more easily removed than disks, not just from a secure data center but from sometimes less secure offsite storage, and their loss is less easily detected. This creates the opportunity to encrypt data stored on backup tapes.

Such encryption is possible today, using the same encryption boxes previously discussed. Key management becomes a very challenging issue since keys for every known backup tape must be retained if the tape is to be retrievable and useful.

Management security

[Figure: management security model, comprising three elements: identity (authentication) of administrators, authorization and roles of administrators, and audit trails and logs.]

While far less exotic than encryption technology, basic management security for storage devices is the most important area to focus on today, and is in transition. Historically in the days of SCSI—and today for the disks in a PC—storage is entirely owned by a single system, any management software for that storage runs on that system, and the only storage security (or storage management security) is what that system provides.

As storage became shared by many systems, typically there was a management utility installed on one or more of those systems, and the storage administrator was required to supply a password to manage a particular array. This is normal practice in the industry today, and works quite well when there is a single administrator of a modest amount of storage.

However, as storage requirements have grown rapidly over the past few years and pooling of free storage at the SAN level rather than inventorying free storage per application has become common, it has become much more important to have multiple administrators, each with much more granular permissions as to which actions they can perform, on which storage devices. Fortunately, this problem has long been faced by the administrators of large numbers of servers, and technology addressing it is well established. Single sign on is enabled by protocols such as RADIUS (historically “Remote Authentication Dial-in User Service”) that forward a logon request to a central server for validation, and by central servers such as Microsoft’s Active Directory or Netscape Directory Services (NDS) on various UNIX platforms by way of the Lightweight Directory Access Protocol (LDAP), and others. Creating a complete central directory environment for an entire organization is a significant undertaking, beyond the scope of this paper. See Central directories and challenge/response protocols background in the Authentication section.

Audit trails and logs must show which administrator performed a given action. This becomes very difficult to administer on a per-device basis, and a number of problems (even attacks) are visible only when such data is visible across all devices. Tools to present a single, searchable view of logs are necessary in large installations.

Centralization of both authentication and authorization in the data center (if not the enterprise) has been under way for some years. While in widespread use in larger data centers and larger user populations today, this centralization is finding its way into even modest organizations. Aspects of the data center like storage, which today uses more traditional password schemes, are evolving to use centralized authentication and authorization. For storage, this evolution started with tools able to manage multiple devices of the same type, and is now moving toward toolsets with single sign on that address a variety of storage, or even a variety of servers and storage together.

It is important to understand that this change is taking place product by product, in the ordinary course of major releases, so as not to disrupt current installations and current procedures. Small installations and customers who have not implemented a central authentication server will still be able to use products the traditional way.

Authentication

Identity (Authentication) of administrators

Instead of having distinct (userid, password) logons for each system or device, a user (application or person) has a single identity. Logging on to a given server, or to the management port on a given device, appears to be handled by that device but is in fact delegated to the data center’s (preferably the enterprise’s) central authentication server, using RADIUS or a similar protocol. While common for user logons to systems today, use of this technique to administer devices is just now starting to occur.

Technically, single sign on is usually accomplished by the user’s computer receiving and holding a “token” (time limited key) as the result of logging on, which can be transparently presented in response to future logon (authentication) requests. The details of how such a token can be used without eavesdropping and impersonation are very interesting technically but beyond the scope of this paper. RADIUS is a protocol that, when user “A” is logging on to server “B,” allows “B” to ask the RADIUS server “is this logon valid?” rather than maintain its own copy of the user/password file.

Central authentication services offer several benefits. Single sign on gives a user only one password to remember, so it is practical to change it periodically. If a user leaves the organization, there is only one logon of concern, and it can be revoked quickly and completely. The organization can move with relative ease from “something you know” (a password) to “something you have and something you know” (a card and a PIN or password) authentication.

Authorization

Authorization and roles of administrators

Beyond single sign on, the second difference from current storage management practice is that there will no longer be an “administrator” logon to manage a device, which has all privileges and is shared by all administrators. Rather, “administrator of device x” is a role that can be assigned to an individual.

The third and perhaps most important difference is that administrative privileges can be granted in a fine-grain way. For example, one administrator could be given the right to view anything but change nothing in a particular storage subsystem, while a more senior administrator could make changes. “Roles” are predefined sets of permissions that can be assigned to a particular person.

Again, the customer continues to have the flexibility to organize server and storage administration. A small organization can continue to have a single administrator with all permissions, while a larger organization might continue to have separate server, storage, and network administration departments, each with varying permissions based on specific individuals’ roles.

Audit

Audit trails and logs

All configuration changes and other significant events should be logged, so that problems of any sort (including security breaches) can be traced to their origin. Understanding which administrator made the erroneous configuration change, and when, makes it much easier to find and correct the process or procedure breakdown that led to the error.

A centralized view of the audit trails/logs from the various devices in the data center is important. The ability to query the collective set of logs rather than individual elements is very important in tracking down issues, whether they are security intrusions, administrator errors, or other problems. Overall security administration may call for specific reports to be periodically generated from these logs.
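The Authorization and Audit sections above describe roles assigned per person and per device, no shared “administrator” login, and a single queryable log across devices. The following is an added example written for this page (not HP or product code) that puts those three ideas in one small model; the role names, permissions, users and device names are constructed, and a real deployment would keep the log append-only and time-synchronized across devices.

```python
"""Role-based management authorization with a central, queryable audit trail.
Added illustration; roles, permissions, users and device names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Roles are predefined permission sets; a role is assigned per (person, device).
ROLES = {
    "viewer": {"view"},
    "device-admin": {"view", "configure"},
    "security-admin": {"view", "configure", "change-lun-masking"},
}
ANY_DEVICE = "*"   # a grant on ANY_DEVICE applies to every device


@dataclass
class AuditEvent:
    when: datetime
    user: str
    device: str
    action: str
    allowed: bool


class AuditLog:
    """One log for all devices, so a pattern that spans devices is visible in a single query."""

    def __init__(self):
        self._events = []

    def record(self, event):
        self._events.append(event)

    def query(self, user=None, device=None, allowed=None):
        """Filter on any combination of who, which device, and whether the action was allowed."""
        return [e for e in self._events
                if (user is None or e.user == user)
                and (device is None or e.device == device)
                and (allowed is None or e.allowed == allowed)]


class ManagementAuthority:
    """No shared 'administrator' login: each person holds named roles on named devices."""

    def __init__(self, log):
        self._grants = {}   # (user, device) -> role name
        self._log = log

    def grant(self, user, device, role):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self._grants[(user, device)] = role

    def revoke_user(self, user):
        """Someone leaves: one identity to remove, and it is gone from every device at once."""
        for key in [k for k in self._grants if k[0] == user]:
            del self._grants[key]

    def role_for(self, user, device):
        return self._grants.get((user, device)) or self._grants.get((user, ANY_DEVICE))

    def authorize(self, user, device, action):
        """Decide, and always record the decision, whether allowed or denied."""
        role = self.role_for(user, device)
        allowed = action in ROLES.get(role, set())
        self._log.record(AuditEvent(datetime.now(timezone.utc), user, device, action, allowed))
        return allowed


def build_demo():
    """Constructed grants: alice administers one array, bob can only look, carol holds the security role."""
    log = AuditLog()
    auth = ManagementAuthority(log)
    auth.grant("alice", "array-01", "device-admin")
    auth.grant("bob", ANY_DEVICE, "viewer")
    auth.grant("carol", ANY_DEVICE, "security-admin")
    return auth, log


if __name__ == "__main__":
    auth, log = build_demo()
    auth.authorize("alice", "array-01", "configure")
    auth.authorize("bob", "array-01", "configure")
    auth.authorize("alice", "array-02", "configure")
    for e in log.query(allowed=False):
        print(f"DENIED {e.user} {e.action} on {e.device} at {e.when.isoformat()}")
```

The denied events are the ones worth reporting on periodically, as the Audit section suggests: a run of denials from one identity across several devices is exactly the kind of pattern that is invisible in per-device logs.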

When data is automatically moved between devices, such as in archiving, Hierarchical Storage Management (HSM), or ILM, the software performing the data movement must be duly authorized, and logs of such movement must be kept. This is an emerging area; this is a goal rather than standard practice today.

Summary and recommendations

Storage security is a portion of the overall security plan for a data center, and for a business. For that reason, any product-level security model must be augmented by customer business policies and practices, including network and system security.

Setting priorities for the next few years: in most cases, securing the management interfaces of all devices is the highest-priority issue. To begin, disable all management ports in switches and other devices that are not in use. Change device management passwords from their factory defaults and use “hardened” passwords—passwords or phrases that contain alphabetic and numeric characters, upper and lower case, and perhaps even special characters. Common sense dictates avoiding normal “dictionary-type” words and other terminology that could easily be guessed by an intruder. LAN management ports on storage devices should be separated from widely accessible networks by at least one firewall. As storage devices become able to use the centralized authentication in the data center, and as role-based authorization becomes available in devices on the data center floor, the storage security plan should evolve to use them.

After securing the management, consider fabric security. In the case of Fibre Channel, enable WWN-based LUN security and take appropriate steps to ensure WWNs are not “spoofed” (forged). In the case of iSCSI, assess IP threats and mitigate appropriately. In the case of traffic between data centers, balance the value to an attacker of intercepted data against the difficulty of such interception, seeking out encryption only if indicated.

Third, in extraordinary cases consider encryption of data, either “in flight” on wires in the data center, or “at rest” on disks or tapes.

Most importantly, have a plan for storage security that encompasses people and procedures as well as equipment. Be sure that plan fits with the overall data center and business plans and that network assumptions are consistent. Evolve the plan as both situation and technology allow, then follow the plan. Lastly, test it.

Glossary

ACL Access Control List. List of users permitted to access a particular resource on a network.

Active Directory Centralized authentication and authorization service associated with Microsoft Windows.

AES Advanced Encryption Standard. Emerging encryption algorithm offering a choice of 128-, 192-, or 256-bit keys. Mandated by U.S. government for use in certain nonclassified cases. Was developed with the expectation that it would ultimately replace DES.

Certificate Certificate contains the public key and name of a person or entity. Typically digitally signed by a certificate-issuing authority and has an expiration date. Used in public key encryption, the certificate is made public while the corresponding private key is a secret known only to the person or entity (and the issuing authority, and if appropriate the relevant centralized authentication server).

CHAP Challenge Handshake Authentication Protocol. Means for system “A” to log on to system “B” using central authentication server “C.” A’s password never appears in the clear on the network, and B does not know A’s password.

• A makes a request of B.

• B sends challenge to A: combine this random number with your password.

• A returns result to B.

• B sends both A’s result and random number to C.

• C uses the random number and A’s password to recalculate A’s response.

• C responds to B either “yes, it’s A” or “no, it was not A.”

Two variants are MS-CHAP (stores the password more securely on C) and DH-CHAP (allows secure exchange of a symmetric key).
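The six-step exchange listed above, which is also the one sketched in the Central directories and challenge/response protocols background section, as an added example written for this page rather than HP or product code. The response computation follows RFC 1994 (MD5 over identifier, secret and challenge); the device B to server C step is modeled as a direct call, standing in for RADIUS. The names and secrets are constructed.

```python
"""Three-party CHAP: client A answers a challenge from device B, and B asks
central server C whether the answer is right.  Added illustration; the
response function is RFC 1994's MD5(identifier || secret || challenge)."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthServer:
    """C: the only party that stores passwords."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # name -> secret bytes

    def verify(self, name, identifier, challenge, response):
        """Recalculate A's response from the stored secret and compare in constant time."""
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class StorageDevice:
    """B: issues a fresh random challenge per login and never learns A's secret."""

    def __init__(self, auth_server):
        self._auth = auth_server
        self._next_id = 0
        self._pending = {}   # name -> (identifier, challenge) awaiting a response

    def challenge(self, name):
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)
        self._pending[name] = (self._next_id, chal)
        return self._next_id, chal

    def login(self, name, identifier, response):
        pending = self._pending.pop(name, None)   # a challenge is usable exactly once
        if pending is None or pending[0] != identifier:
            return False
        return self._auth.verify(name, identifier, pending[1], response)   # B -> C (RADIUS in practice)


class Client:
    """A: holds its own secret and answers challenges with it; the secret itself never leaves A."""

    def __init__(self, name, secret):
        self.name, self._secret = name, secret

    def answer(self, identifier, challenge):
        return chap_response(identifier, self._secret, challenge)


def run_login(device, client):
    """One complete A -> B -> C -> B exchange."""
    identifier, chal = device.challenge(client.name)
    return device.login(client.name, identifier, client.answer(identifier, chal))


def run_replay(device, client):
    """A response captured from the wire is useless against the next challenge."""
    identifier, chal = device.challenge(client.name)
    captured = client.answer(identifier, chal)
    device.login(client.name, identifier, captured)      # the genuine login succeeds ...
    new_id, _new_chal = device.challenge(client.name)
    return device.login(client.name, new_id, captured)   # ... the reused answer does not


if __name__ == "__main__":
    server = AuthServer({"host-a": b"constructed-secret"})
    device = StorageDevice(server)
    print("correct secret:", run_login(device, Client("host-a", b"constructed-secret")))
    print("wrong secret:  ", run_login(device, Client("host-a", b"guess")))
    print("replayed reply:", run_replay(device, Client("host-a", b"constructed-secret")))
```

What the code makes visible is the property the glossary entry states in words: B holds only a challenge and a response, so compromising B does not expose A’s password, and because every challenge is random and single-use, recording the exchange does not let anyone log in later.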

CIFS NAS access protocol associated with Microsoft Windows.

DAS Direct attached storage. Storage connected directly to a system, not through a network.

DES Data Encryption Standard. Well-established encryption algorithm using 56-bit key.

DWDM Dense Wave Division Multiplexing. Way of combining a number of connections on a single fiber optic link, in which each connection is given its own wavelength (color of light).

FC-SP Fibre Channel Security Protocol. The emerging standard for Fibre Channel security, providing for both the authentication of devices to each other (to prevent spoofing) and for a means of exchanging keys so that data itself can be encrypted as it crosses the network.

HSM Hierarchical Storage Management. Automated, policy-based data migrations based on storage capabilities, data aging definitions, and other requirements. HSM can exist either stand-alone, or may be included with ILM solutions.

ILM Information Lifecycle Management. Automated, policy-based storage and movement of stored information. Placement and movement are directed by administrative policies. ILM also includes capabilities that help ensure regulatory compliance.

IPsec Internet Protocol Security. The protocol for encrypting packets sent over IP networks such as a LAN or the Internet. One variant is Authentication Header (AH) in which packets are marked with a special header but data is not encrypted. Other variant is Encapsulating Security Payload (ESP), which also encrypts data.

IPsec gateway Box product that handles IPsec encryption. Simplest use is one of these at each end of a WAN connection.

iSCSI Internet SCSI. Protocol used to access block mode storage over IP network.

Key Value used in encryption and decryption of data. In most cases is a secret that must remain private.

LDAP Lightweight Directory Access Protocol. Protocol used to access central authentication server.

LUN Logical Unit Number. In SCSI, the address of a segment of storage allocated to a specific application or server. Typically 1 GB to 50 GB in size, but can be smaller or larger.

NAS Network attached storage. Storage accessed as files, typically through NFS or CIFS protocol over Ethernet LAN.

NDS Netscape Directory Services. Centralized authentication, supported in many environments.

NFS Network File System. NAS access protocol normally associated with UNIX.

Public Key Encryption Encryption environment where each participant has both a secret private key and a well-known public key. To send securely to someone, encrypt with their public key and only they can decrypt with their private key. Requires PKI to securely create and distribute keys.

PKI Public Key Infrastructure. The set of key, certificate, and directory services supporting a public key encryption environment. This is a challenging set of problems.

RADIUS Remote Authentication Dial-in User Service. The historic name for a dominant protocol for central authentication. In the definition of CHAP, B uses RADIUS (or a similar protocol) when communicating with C.

RSA RSA encryption algorithm, owned by the company RSA Security. The encryption algorithm used by web browsers.

SAN Storage area network. A local area network used to connect storage devices and systems. Usually refers to Fibre Channel but can be used to refer to an Ethernet network used to connect iSCSI storage.

SB1386 (California) Privacy legislation requiring notification when confidentiality of certain kinds of personal data are breached.

SCSI Small computer system interface. Standard protocol for accessing disk drives and disk arrays, other than inexpensive ones in personal computers. For example, Fibre Channel is presenting an encapsulated SCSI protocol.

3DES Triple DES. Encryption algorithm that (roughly speaking) performs DES three times on the same data. Although DES has a 56-bit key length, 3DES is generally considered to have an effective key length of 112 bits.

WAN Wide Area Network. Network connection between cities (or longer distance).

WWN WorldWide Name. In Fibre Channel, the unique identifier of a device connecting to the network, which is programmed into that device when manufactured. Analogous to an Ethernet MAC address.

For more information

HP Adaptive Enterprise

http://www.hp.com/go/adaptive/

HP Storage

http://www.hp.com/go/storage/

Storage Networking Industry Association (SNIA)

http://www.snia.org/

SNIA Storage Security Industry Forum

http://www.snia.org/ssif/home/

“Security for Storage Networks,” SNIA sponsored tutorial, spring 2004

http://www.snia.org/education/tutorials/spr2004/security/

SNIA “A Dictionary of Storage Networking Terminology”

http://www.snia.org/education/dictionary/

FC-SP standard

http://www.t11.org/ (navigate to “FC,” then to “FC-SP”)

HP Extended Tape Library Architecture

Choosing the best architecture for data protection in your SAN, HP, 2003

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. UNIX is a registered trademark of The Open Group.

5982-5975EN, 05/2004