Welcome to the 24th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.
The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.
Storage Appliances and Data Security
Storage Area Networks (SANs) and Network Attached Storage (NAS) provide cost-effective data storage at the terabyte scale. The technology is impressive: fiber-optic communication links and solid-state drives provide a fast and scalable storage solution. By centralizing storage on a dedicated rack-mounted appliance, data centers and IT departments reduce both hardware and personnel overhead. This is a win for customers, since the storage appliance model supports a new generation of high-scale computing at decreasing cost.
Shared storage introduces security challenges, however. When one business application can access a storage device that is also used by a second business application, it can be difficult to enforce separate authorization rules. Standard file system access control lists (ACLs) solve that problem effectively at the application tier. But the use of a storage appliance can change your logical and physical security models, since the appliance and the storage services that it provides can be accessed independently of the applications and servers that connect to it.
The good news is that a variety of encryption solutions are available for protecting stored data. For example, the Opal standard defines management interfaces for securely sharing keys across multiple Self-Encrypting Drives.
There’s a second security challenge, though. Storage appliance data protection can be difficult when it comes to data in motion. That is, when application servers are exchanging data with the backend storage, either application-level or network link encryption must be used; otherwise the data is at risk from wire snooping.
Again, there’s good news: network encryption solutions exist for storage traffic. For example, the SMB (Server Message Block) 3.0 protocol defines a standard for encrypting the data exchanged when using Windows file shares.
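As an added illustration (not part of the original newsletter), the following PowerShell script shows how an administrator would turn on SMB 3.0 encryption for a Windows file share, refuse unencrypted clients, and verify the result. The share name `SensitiveData` and the path are constructed examples.

```powershell
# Added example: enforce SMB 3.0 encryption on a Windows file server.
# Run in an elevated PowerShell session on the server hosting the share.
# Share name and path below are placeholders for this example.

$shareName = 'SensitiveData'
$sharePath = 'D:\Shares\SensitiveData'

# Create the share if it does not already exist, encrypted from the start.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath -EncryptData $true
}

# Require encryption on this specific share (existing shares default to off).
Set-SmbShare -Name $shareName -EncryptData $true -Force

# Optionally require encryption for every share on this server, and reject
# clients that cannot negotiate SMB 3.0 encryption instead of silently
# falling back to plaintext. This blocks SMB 1.0/2.x clients from the data.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Verification: confirm the share and server settings took effect.
Get-SmbShare -Name $shareName | Select-Object Name, Path, EncryptData
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess

# On a client, confirm the negotiated dialect is 3.x; encryption is only
# available for SMB 3.0 and later connections.
# Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

With `RejectUnencryptedAccess` left at its default of `$true`, a share marked `EncryptData` will refuse connections from clients that cannot encrypt, so check the dialect of existing clients before enabling it in production.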
In summary, scalable data storage and information security are two sides of the same coin. Repositories of sensitive data are an attractive target for hackers, so don’t forget to lock them down.