With all they've got to worry about these days, most IT executives don't lose a lot of sleep over whether the data stored on their companies' tape and disk devices is secure. Most have come to believe that data, particularly mission-critical data residing in the corporate data center, is capably guarded by the usual protections such as firewalls, user authentication, and intrusion-detection systems.
That confidence, however, may be about to evaporate. That's because, at most enterprises, storage devices that are directly attached and dedicated to a specific server--and therefore easily secured--are rapidly giving way to shared networked storage topologies that introduce new security exposures. As much as 70% of enterprise storage will be networked in the form of either Fibre Channel-based storage area networks or network-attached storage devices by 2006, according to Nancy Marrone, senior analyst with the Enterprise Storage Group.
SANs are rapidly gaining ground in the enterprise because it can be easier and less expensive to manage a network of storage devices that are shared by many servers than hundreds or even thousands of disk subsystems attached to individual servers.
But the same things that make SANs cheaper and easier to manage also make them potentially more vulnerable to security breakdowns. Unlike traditional direct-attached storage devices, SANs are accessed by many servers, often running different operating systems. That means it's difficult for SANs to rely on any one host's operating system for security. Also, SANs are typically comprised of many more elements such as storage arrays, switches, directors, host-bus adapters, and management consoles, to name just a few. More elements attempting to access any shared resource over a network usually increases the opportunity for security breaches. An attacker, for example, could mount a denial-of-service attack on a SAN by issuing repeated log-in requests or gaining unauthorized access to combine SAN fabrics in a way that increases inefficiencies and decreases performance. Or an attacker could gain access to key data assets by spoofing, for example, a management interface address. Stored data is particularly vulnerable to this type of attack, experts say, because it is rarely encrypted as it sits on the disk or tape medium. Once a hacker gains unauthorized access to stored data, it's generally easy for the intruder to read, copy, and reuse it.
Such storage security vulnerabilities will multiply as enterprises begin to integrate their Fibre Channel SAN and NAS networks with more easily-accessed IP networks via gateways or the new Internet Small Computer System Interface, a protocol for IP-based storage. While host-bus adapters and other gear using the iSCSI protocol are just beginning to appear, IP-based storage is expected to become more popular, particularly for disaster recovery and remote back-up applications.