Paller says the SANS Institute has begun to press vendors and standards organizations to come up with common ways to add encryption and authentication to management ports. And vendors are slowly beginning to respond. IBM's Tivoli division, for example, has already built Secure Sockets Layer encryption into its Storage Area Network Manager product and includes an idle time-out feature. Switch maker McData Corp. is planning to add SSL and Secure Shell software encryption to its SANavigator management suite, a move that is part of a broader initiative the company calls Secure Management Zones, according to Brandon Hoff, the company's senior manager for strategic marketing. Some vendors, however, believe SSL isn't strong enough to protect networked storage management ports. Switch maker Cisco Systems, for example, has moved to 56-bit Data Encryption Standard encryption. Competitor Brocade uses passwords or public key encryption to authenticate management access to its devices and can restrict access to only specified IP addresses.
Such solutions, however, tend to be proprietary and to vary from management platform to management platform. For a standards-based approach to securing networked-storage management interfaces, enterprises will likely have to wait a couple of years. The Distributed Engineering Task Force is working on a version of the so-called Bluefin management profile that's specifically for storage-management tasks and incorporates Web-based security techniques. The final version of the standard, however, isn't due until later this year, and broad vendor compliance will not come until 2005.
Meanwhile, some vendors are working on ways to integrate SAN management authentication with authentication services that already exist or are being developed outside the storage environment. Brocade, for example, has demonstrated its ability to tie its management tools to authentication servers using the Remote Authentication Dial-In User Service (RADIUS) protocol. Cisco also has plans to integrate with RADIUS authentication, according to Silvano Gai, a Cisco Fellow.
2. Vulnerable data at rest
While many applications--backup, for example--encrypt and compress data while it's traveling over a network, data created by most applications and stored on networked devices isn't encrypted. So, once intruders or internal employees gain unauthorized access to networked storage, they generally have free rein.