Storage Peer Incite: Notes from Wikibon’s July 17, 2007 Research Meeting
This week Wikibon presents Securing the storage onion. While network security issues, particularly computer viruses and worms and penetration attempts from outside the corporation, get the press, 90% of the threat actually comes from employees inside the organization who use legitimate access for improper activities, ranging from downloading sensitive data onto a laptop that may then be lost or stolen, through industrial espionage, to malicious damage. Minimizing this risk requires a coordinated effort across the corporation including HR, physical security and the combined efforts of application, network and storage security. Thus storage can no longer afford to conduct its security efforts in isolation from other parts of IT and the larger corporation. These efforts start with coordinating with other parts of IT to define the boundaries of storage security's focus. For instance, does storage or network security control access through the physical iSCSI and other ports on the storage appliances? We believe that should be the responsibility of network security, while storage focuses on securing the data from both physical (e.g., theft of media, loss through disaster) and logical (e.g., unauthorized activities) exposure of the data and the media on which it resides.
Physical security, which has been largely overshadowed by the issues of data theft and damage via network access, remains vital, and the exposure to physical theft is growing as the media becomes smaller and more mobile. Storage should work with physical plant security to secure the areas where the data appliances and media are kept and perhaps with local law enforcement to provide security for movement of backup tapes to off-site storage. Tape shipments have been stolen while in transit, so this is a real risk.
We see logical data security taking two main forms. First, for go-to-jail data, which if improperly exposed could lead to jail sentences for those responsible for its use and/or severe repercussions for the organization, highly secure encryption and security procedures for handling (i.e., such data should never be downloaded onto a laptop or other mobile device or media) are vital. However, encryption cannot prevent personnel authorized to view the data from misusing it, and encryption is impractical for the vast majority of data. Therefore, strong audit routines, which track who accesses data, when they access it, and what they do with it (read it, download it, write to it to add or change data), are necessary. All security plans must recognize that total security is not possible, given the data access needs of the organization. At the least, audit allows security to backtrack when an exploit is discovered to identify who was involved, and security can use pattern analysis to identify potential exploits in progress and prevent them. Bert Latamore
For many years storage security was seen primarily as managing physical security for storage devices and media from unauthorized access or theft. Storage security was carried on largely in isolation, with little reference to security efforts at the application or network levels. While physical security remains important, particularly in the era of increasingly small and portable storage media, the development of pervasive networking has changed the nature of the threat and made integration of storage with network and application security vital.
In recent years emphasis has shifted from physical to logical security, with the new concerns of protecting data as it crosses the network and preventing unauthorized access from outside, either by individuals (hacker penetration) or logical devices (viruses, worms and key loggers), dominating the security discussion. However, this is only part of the security picture; in fact, 90% of data security exposure originates not outside the organization but inside, with individuals who use legitimate access for improper activities. An adequate storage security plan must recognize this and take both logical and physical threats into account. It must also recognize that total security is impossible to achieve while providing the data access the organization requires to operate. Thus the correct security approach is to quantify the amount of risk the organization can tolerate and then provide security that reduces the exposure to that risk level, recognizing that breaches will still be possible.
The natural reaction to this realization is to want to encrypt every piece of data. While this would certainly provide excellent protection against unauthorized access, it comes at a high cost that makes this simple plan impractical. Encryption and decryption of large amounts of data adds a tremendous processing load to servers. Also, deduplication and compression are impossible once data is encrypted, driving huge growth in storage requirements. And encryption does nothing to diminish the security exposure from individuals with legitimate access to the data, who have access to the encryption keys.
It is therefore imperative that storage security administrators adopt a risk mitigation approach to security, classifying different data pools according to their exposure, determining the degree of security that each data pool requires, and building appropriate security methods into the procedures for handling that data pool. At one end, public data -- for instance data describing products and the company itself and, for publicly held companies, quarterly and annual reports -- requires only low levels of access control, and security needs to focus on preventing unauthorized changes to the material. At the other end of the scale, corporate financial data, information on products under development, and data such as personally identifiable medical information for which access is tightly regulated by law, require very high levels of security for read access as well as for write access.
As a result, we see four basic classes of security for different sets of problems and data:
1. For go-to-jail data (e.g., medical records, product research information, customer account information) data encryption is an absolute requirement, both when it is being moved over the network and when stored on media.
2. Other data must be kept “in the clear”. However, audit technology should be applied to all storage pools, whether encrypted or not, to record who accesses what data when and who changes what data when, and both read and write access should be restricted as appropriate. That at least allows security personnel to determine who is responsible after an exposure or alteration is discovered, and at best allows security to employ pattern analysis to identify suspicious activity early and prevent exploits.
3. All automatic copying routines must be identified and either shut down or incorporated into the data security plan to ensure that proper security levels are maintained. Often data centers have low-level batch copy routines in place to move data from one application to another, or in some cases to share that data with business partners. The problem is that the application receiving the data may not operate at as high a security level as the data requires, while moving data outside the organization completely has obvious security implications.
4. On the physical side, data administrators must fully consider the implications of the increasing portability and plug-and-play characteristics of storage media such as tape and disk cartridges. We believe the best solution is for vendors to build RFID into their portable media cartridges, allowing IT to institute procedures based on those used by the large package movers (UPS, Federal Express, etc.) to track the movement of these devices.
It is also imperative that storage administrators remove artificial barriers between storage and network and application security to create a single, seamless security strategy across the enterprise. For instance, network security rather than storage security should control access to iSCSI ports on storage devices, while network and application security must recognize the specific needs of storage, for instance to audit all data access.
Action item: Storage administrators should regard security as an onion with multiple layers ranging from the physical up through logical, transport, etc. They should work with security administrators at other levels in IT and the organization at large, particularly application and network organizations in IT and physical security in the larger organization to develop a single integrated plan. This plan should provide the optimal levels of security to reduce threat exposure to the organization’s level of acceptable risk with minimum disruption to legitimate activities. This will allow storage security administrators to focus on the specific layers that fall primarily under their purview ensuring proper storage practices, starting at physical and moving out to more logical issues such as audit and data access.
As with any risk mitigation initiative, storage security requires IT organizations begin by assessing the situation at hand. Making storage security a natural extension of storage pools and classification efforts will simplify the process.
Users need to identify information assets, their relative value, degree of exposure and likelihood of a breach. This can be done with a simple matrix that assesses exposure (loss potential) and probability of an event. It is advisable to enlist the stakeholders of the information in the process as they ultimately decide the value of data. However, as is often the case with prioritization efforts, everyone believes his data is most important and should reside on the highest performance, most reliable systems. In the case of storage security the complicating issue is often that greater degrees of security reduce flexibility, and business lines are typically willing to compromise security to preserve flexibility. These countervailing pressures should be considered and addressed in a relative manner in any assessment, in order to provide a clear picture to executive decision-makers.
In any event, the notion of a maximum acceptable loss (MAL) should be an outcome of the assessment. This threshold should guide storage managers and set the water mark for where discretionary decision-making can occur (i.e. if losses are kept below the MAL then it's up to the discretion of the IT organization to implement the right technologies and processes).
What follows are strategies to mitigate losses based on this assessment. This may involve:
- Putting controls in place
- Eliminating the risk
- Transferring or sharing the risk
- Accepting the risk (e.g. for low impact events)
All of this should be done with an understanding of the costs, potential losses and residual exposures that can exist for assets that cannot be protected fully due to costs or other factors.
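As an added worked example (not part of the Wikibon note), the following Python puts the assessment above into code: each asset gets an exposure (loss potential) and a probability, is placed in a simple exposure/probability matrix, and candidate controls are applied, best loss reduction per dollar first, only until the aggregate residual expected loss falls under the maximum acceptable loss (MAL); whatever exposure remains is what the organization accepts or transfers. The asset names, dollar figures, probabilities, control costs and thresholds are all constructed for illustration.

```python
"""Added example (not from the Wikibon note): an exposure x probability risk
matrix plus a maximum acceptable loss (MAL) threshold that decides how much
mitigation is needed.  All assets, dollar figures, probabilities and control
costs below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    loss_potential: float   # exposure: estimated loss per breach event, in dollars
    probability: float      # annual likelihood of a breach event, 0..1
    # candidate controls: (label, annual cost in dollars, probability after control)
    controls: list = field(default_factory=list)

    def expected_loss(self, probability=None):
        p = self.probability if probability is None else probability
        return self.loss_potential * p


def risk_matrix(assets, loss_threshold, prob_threshold):
    """Place each asset in a 2x2 exposure/probability matrix (the thresholds
    are the organization's choice; the values used below are assumed)."""
    cells = {}
    for a in assets:
        exposure = "high-exposure" if a.loss_potential >= loss_threshold else "low-exposure"
        likelihood = "high-probability" if a.probability >= prob_threshold else "low-probability"
        cells[a.name] = (exposure, likelihood)
    return cells


def plan_to_mal(assets, mal):
    """Apply controls, best loss reduction per dollar first, until the aggregate
    residual expected annual loss is at or below the MAL.  Anything left is the
    residual exposure the organization accepts or transfers."""
    residual = {a.name: a.probability for a in assets}   # probability after controls so far
    applied, spend = [], 0.0

    def total():
        return sum(a.expected_loss(residual[a.name]) for a in assets)

    candidates = [(a, label, cost, p_after)
                  for a in assets for (label, cost, p_after) in a.controls if cost > 0]
    while total() > mal and candidates:
        # value of a control = expected-loss reduction per dollar, given the
        # controls already applied to the same asset
        def value(c):
            a, _label, cost, p_after = c
            return a.loss_potential * max(residual[a.name] - p_after, 0.0) / cost
        best = max(candidates, key=value)
        candidates.remove(best)
        a, label, cost, p_after = best
        if p_after >= residual[a.name]:
            continue                      # control would not reduce risk further
        residual[a.name] = p_after
        applied.append(label)
        spend += cost
    return {
        "residual_expected_loss": total(),
        "spend": spend,
        "controls": applied,
        "within_mal": total() <= mal,
    }


# Constructed sample portfolio (names and numbers are assumptions).
SAMPLE_ASSETS = [
    Asset("patient-records", 5_000_000, 0.10,
          [("encrypt-at-rest-and-audit", 200_000, 0.02),
           ("no-mobile-copies-policy", 20_000, 0.06)]),
    Asset("product-research", 2_000_000, 0.05,
          [("access-audit", 50_000, 0.02)]),
    Asset("public-marketing", 10_000, 0.50,
          [("write-protect", 5_000, 0.05)]),
]
SAMPLE_MAL = 150_000   # assumed maximum acceptable annual loss, in dollars

if __name__ == "__main__":
    for name, cell in risk_matrix(SAMPLE_ASSETS, 1_000_000, 0.25).items():
        print(name, cell)
    print(plan_to_mal(SAMPLE_ASSETS, SAMPLE_MAL))
```

With the sample numbers the unmitigated expected loss is 605,000; the cheap "no mobile copies" policy is applied first because it buys the most reduction per dollar, and three controls (270,000 of spend) bring the residual to 145,000, under the MAL, while the low-impact public-marketing risk is left accepted. The greedy ordering is a simplification; the point is that the MAL, not the loudest business line, decides when mitigation stops.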
Action Item: Storage security starts with a proper assessment of the assets being secured. IT should use a common framework that can be applied to cut through the politics of decision-making and, if necessary, used as a 'stick' to cajole stubborn lines of business that are willing to trade adequate security for flexibility.
Taking a layered approach to storage security simplifies the organizational issues. A chief information security officer (CISO) is responsible for traditional information security, including storage. Reporting to the CIO, CTO or CFO, storage security starts with a proper business assessment of the risks and the costs of mitigation, and obtains agreement from the lines of business.
Each layer in a storage security architecture needs to be managed independently from the other layers. Ensuring authorized access to data is a data network issue. Ensuring security of data that is transported over networks, especially IP and iSCSI, is also a data networking issue. Both of these areas (and probably fibre channel networks as well) should be owned by the networking security people. Ensuring physical security is a storage data center issue, as is ensuring that security logs and security audits of those logs will make data thieves believe that they will be caught. The innermost layers (such as encryption by the database) should usually be owned by the application group or database group.
Action item: Organizations need to adopt a top-down, bottom-up approach to organizing storage security. A top-down CISO needs to define the levels of risk and spend, as well as define a layered storage security architecture. Each storage security technology layer needs to be assigned to an appropriate IT department for implementation and ongoing operations.
According to the Computer Security Institute/FBI 2006 study, the risks of data loss or unauthorized access account for 37% ($19 billion) of security related losses.
Security, like Shrek, ogres and onions, has layers. Ensuring authorized access to data is in the data network layer. Ensuring security of data that is transported over networks, especially IP and iSCSI, is also a data networking layer issue. The technologies are known and well understood, and technologies such as encryption over the network are relatively low cost.
Ensuring physical security is a storage data center layer. The technologies include encryption of tapes when they are physically transported, using FCsec to ensure that devices are not removed from the network, and physically separating and isolating different storage pools according to the data security requirements of each pool. In “Storage security starts with a proper assessment” it is suggested that storage pools are used to classify storage on a security dimension. Physical separation of these will conflict with operational flexibility, but be necessary for the highest layers of security requirement.
Within this layer, the costs of security rise significantly. According to some estimates over 80% of losses come from inside people who have authorization. Most important for this layer is the ability to know what data has been accessed, when, and by whom. Security logs and security audits of those logs are vital tools to make would-be thieves believe that they will be caught.
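The audit capability described here, and in the "four basic classes" list earlier on this page (record who accesses what data when, backtrack after an exposure, and use pattern analysis to catch suspicious activity early), can be sketched in a few dozen lines. The following Python is an added example, not code from the Wikibon note: it parses constructed audit lines against an assumed pool classification and runs four simple rules (go-to-jail data copied to a mobile device, unauthorized change to public data, off-hours access to sensitive pools, and bulk access to many distinct objects in a short window), plus a backtrack query for one object. The log format, pool names, user names and thresholds are all constructed.

```python
"""Added example (not from the Wikibon note): audit-log analysis that supports
both uses the note describes, backtracking after an exposure and spotting
suspicious patterns early.  The log format, pool names, user names and rule
thresholds are all constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed classification of storage pools (the note's "go-to-jail" class and others).
POOL_CLASS = {
    "patient-records": "go-to-jail",
    "product-research": "go-to-jail",
    "finance": "internal",
    "marketing-site": "public",
}
MOBILE_DESTINATIONS = {"laptop", "usb", "cartridge"}   # copies that can walk out the door
PUBLISHERS = {"webteam"}          # principals allowed to change public data
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                # distinct objects per user and pool inside the window
BUSINESS_HOURS = range(7, 20)     # 07:00 to 19:59 counts as normal working time

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) pool=(?P<pool>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)(?: dest=(?P<dest>\S+))?$"
)


def parse(lines):
    """Turn audit lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def backtrack(events, pool, obj):
    """After an exposure of one object is discovered: who touched it, when, how."""
    return [(e["ts"].isoformat(), e["user"], e["action"], e["dest"])
            for e in events if e["pool"] == pool and e["obj"] == obj]


def detect(events):
    """Pattern rules run over the event stream; returns alerts in the order raised."""
    alerts = []
    recent = defaultdict(list)    # (user, pool) -> [(ts, obj)] inside BULK_WINDOW
    bulk_fired = set()            # (user, pool) keys already alerted for this burst
    offhours_seen = set()         # (user, pool, date) alerted once per day
    for e in events:
        cls = POOL_CLASS.get(e["pool"], "internal")
        key = (e["user"], e["pool"])
        # 1. go-to-jail data must never be copied to a mobile device or medium
        if cls == "go-to-jail" and e["action"] == "download" and e["dest"] in MOBILE_DESTINATIONS:
            alerts.append(("mobile-copy", e["user"], e["pool"], e["obj"]))
        # 2. for public data the concern is unauthorized change, not reading
        if cls == "public" and e["action"] == "write" and e["user"] not in PUBLISHERS:
            alerts.append(("unauthorized-change", e["user"], e["pool"], e["obj"]))
        # 3. sensitive data touched outside business hours (once per user/pool/day)
        day_key = key + (e["ts"].date(),)
        if cls == "go-to-jail" and e["ts"].hour not in BUSINESS_HOURS and day_key not in offhours_seen:
            offhours_seen.add(day_key)
            alerts.append(("off-hours", e["user"], e["pool"], e["ts"].isoformat()))
        # 4. bulk access: many distinct objects in one pool within a short window
        recent[key] = [(t, o) for t, o in recent[key] if e["ts"] - t <= BULK_WINDOW]
        recent[key].append((e["ts"], e["obj"]))
        distinct = {o for _, o in recent[key]}
        if len(distinct) >= BULK_THRESHOLD:
            if key not in bulk_fired:
                bulk_fired.add(key)
                alerts.append(("bulk-access", e["user"], e["pool"], len(distinct)))
        else:
            bulk_fired.discard(key)
    return alerts


# Constructed sample audit log (one line deliberately malformed).
SAMPLE_LOG = """\
2007-07-16T09:05:12 user=alice pool=patient-records action=read object=rec-1001
2007-07-16T09:06:03 user=alice pool=patient-records action=read object=rec-1002
2007-07-16T10:15:44 user=webteam pool=marketing-site action=write object=index.html
2007-07-16T11:02:19 user=bob pool=marketing-site action=write object=pricing.html
2007-07-16T17:41:08 user=carol pool=patient-records action=download object=rec-2230 dest=laptop
2007-07-16T23:12:01 user=dave pool=product-research action=read object=spec-77
2007-07-16T23:12:30 user=dave pool=product-research action=read object=spec-78
2007-07-16T23:13:02 user=dave pool=product-research action=read object=spec-79
2007-07-16T23:13:40 user=dave pool=product-research action=read object=spec-80
2007-07-16T23:14:11 user=dave pool=product-research action=read object=spec-81
garbage line that the parser must survive
"""

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for a in detect(evs):
        print(a)
    print(backtrack(evs, "patient-records", "rec-2230"))
```

On the sample log the rules raise four alerts (bob's change to public data, carol's laptop copy of a patient record, dave's late-night session, and dave's burst of five distinct research documents), and the backtrack query shows exactly who touched rec-2230 and how. Real deployments would tune the thresholds per pool and baseline them against each user's normal volume; the structure, classification driving the rules and the log answering "who, what, when", is the part the note argues for.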
The final layer uses techniques such as encrypting data within the database or file system, and only holding encrypted data on the disk. There are high costs for holding the data on disk fully encrypted, both for the database servers and for storage. Because encrypted data is effectively random, techniques for data reduction such as compression and data deduplication no longer work. Loss of flexibility in storage operations can be a significant cost.
Action item: Chief information security officers (CISOs) need to understand the technologies available, and organize them into a layered defense. They should assume that the failure of any layer will be complete. They should trust nobody and verify. The decision of where to place data should be shared between the business and IT, but the technology costs should be budgeted for and borne by the business.
While the physics of miniaturization have changed all computing devices in the data center, the security-related consequences of smaller and faster are especially problematic for storage media. Tagging and labeling drives, tapes, and other removable media remain necessary for asset management and location, but are hardly sufficient for security. Software that audits change, move, and copy at the bit level is essential to securing storage, but provides minimal help when the data stays on a particular media, but the media moves. RFID technology, in conjunction with the most modern processes for managing package logistics, should be added to the domain of storage media management. Some specialty storage vendors serving specific IT verticals (e.g., health care) are beginning to offer embedded RFID capability. However, to improve storage media tracking, users should start pushing suppliers for RFID-enhanced media across the board. As bit densities increase, it's a design trade-off that makes enormous sense to any business concerned about data moving by foot.
Action Item: RFID technology is too simple and too mature to not be added to data center efforts to physically secure storage media. While the costs of integrating RFID into media packaging may be an important consideration (likely in terms of less data per media), the long-term benefits of being able to more fully secure physical storage media are compelling. We hope storage suppliers provide this feature sooner rather than later.
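The package-mover model the note recommends for RFID-tagged media comes down to reconciling portal scans against shipping manifests. The following Python is an added example, not code from the Wikibon note or from any vendor: every cartridge leaving a secure zone must match an open manifest from that zone, must be checked in at the manifest's destination, and must arrive before its due time; anything else raises an alert, and a custody trail is available for investigation. Media ids, zone names, times and manifests are constructed.

```python
"""Added example (not from the Wikibon note): chain-of-custody reconciliation for
RFID-tagged media cartridges, modelled on parcel tracking.  A cartridge leaving
a secure zone must match an open manifest, must arrive at the manifest's
destination, and must do so before its due time.  All ids, zones, times and
manifests below are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Manifest:
    origin: str           # zone the cartridge is authorized to leave
    destination: str      # zone where it must be checked in
    due: datetime         # latest acceptable check-in time at the destination


@dataclass(frozen=True)
class Scan:
    ts: datetime
    media_id: str
    zone: str             # which RFID portal saw the tag
    event: str            # "exit" (left the zone) or "entry" (arrived in the zone)


def t(s):
    return datetime.fromisoformat(s)


def reconcile(manifests, scans, now):
    """Replay portal scans against the manifests; returns alerts in order raised."""
    alerts = []
    delivered = set()
    for s in sorted(scans, key=lambda s: s.ts):
        m = manifests.get(s.media_id)
        authorized = m is not None and s.media_id not in delivered
        if s.event == "exit":
            # leaving any zone without an open manifest, or the wrong zone, is movement by foot
            if not authorized or s.zone != m.origin:
                alerts.append(("unauthorized-movement", s.media_id, s.zone))
        elif s.event == "entry":
            if not authorized:
                alerts.append(("unauthorized-movement", s.media_id, s.zone))
            elif s.zone != m.destination:
                alerts.append(("misrouted", s.media_id, s.zone))
            else:
                delivered.add(s.media_id)
    # anything still in transit past its due time is presumed lost until found
    for media_id, m in manifests.items():
        if media_id not in delivered and now > m.due:
            alerts.append(("overdue", media_id, m.destination))
    return alerts


def custody_trail(scans, media_id):
    """Every sighting of one cartridge, oldest first, for an investigation."""
    return [(s.ts.isoformat(), s.zone, s.event)
            for s in sorted(scans, key=lambda s: s.ts) if s.media_id == media_id]


# Constructed sample: two authorized shipments to the off-site vault.
SAMPLE_MANIFESTS = {
    "TAPE-0001": Manifest("dc-vault", "offsite-vault", t("2007-07-16T18:00:00")),
    "TAPE-0002": Manifest("dc-vault", "offsite-vault", t("2007-07-16T18:00:00")),
}
SAMPLE_SCANS = [
    Scan(t("2007-07-16T08:02:10"), "TAPE-0001", "dc-vault", "exit"),
    Scan(t("2007-07-16T08:02:15"), "TAPE-0002", "dc-vault", "exit"),
    Scan(t("2007-07-16T08:05:00"), "TAPE-0003", "dc-vault", "exit"),       # no manifest
    Scan(t("2007-07-16T12:30:00"), "TAPE-0001", "offsite-vault", "entry"),
    Scan(t("2007-07-16T12:31:00"), "TAPE-0002", "branch-office", "entry"),  # wrong place
]
SAMPLE_NOW = t("2007-07-16T19:00:00")

if __name__ == "__main__":
    for a in reconcile(SAMPLE_MANIFESTS, SAMPLE_SCANS, SAMPLE_NOW):
        print(a)
    print(custody_trail(SAMPLE_SCANS, "TAPE-0002"))
```

Run against the sample, TAPE-0001 reconciles cleanly, TAPE-0003 is flagged the moment it leaves the vault with no manifest, and TAPE-0002 is flagged twice: once when it turns up at the wrong site and again when the due time passes without a check-in at the off-site vault. The value of the RFID tag is that these checks happen at the portal, not at the next quarterly inventory.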
Today's networks have lots of devices attached to them that have been around for quite some time. These include optical devices, removable disk and tape products and myriad storage technologies that may still serve a useful purpose but bring with them potential exposures.
IT must ask four related questions:
- Does the network to which these devices are attached have access to secure data and/or could secure data find its way to this network?
- Can data be copied by or from these devices?
- Will you know if data are copied?
- Do these devices have a USB port or other means to extract sensitive information?
When the answer to any of these questions is 'yes', IT must remediate the exposure or take other steps.
Action Item: Devices that cannot be made secure via normal practices should be considered high risk and the security threat targeted for elimination. To the extent that processes are in place but these devices still present a threat, the devices should be either removed from the network or 'zoned' off to a network that has no access to secure information.