security_creekpath

The Role of Security in Storage Operations Management An effective storage management solution must consider the role of security in ensuring network and data integrity. When Direct Attached Storage (DAS) was the majority of storage, security was not an issue. By preventing access to the server you could stop access to the server-owned storage resources of disk and tape. Unlike DAS, Storage Area Networks (SANs) allow multiple access points. Holes in SAN security practices can threaten data integrity and system availability. An effective storage management solution should implement security practices for: • Storage array volume access control • Volume access control on the host • Device configuration access control • Storage management software access • Proactive detection and notification of access violations, auditing and logging WHITE PAPER Storage Array Volume Access Control Direct-attached storage technology assumes that a single host system controls access to each storage device or subsystem. Most operating and file systems weren’t developed to support shared access to storage for more than one host system as enabled in today’s storage networks. For example, a file system’s volume table of contents (VTOC) is a data structure that the file system uses for tracking of its internal configuration. Some operating and file systems, particularly Microsoft Windows, will overwrite an existing VTOC with its own signature when accessing another system’s storage. The result is that the existing data on the storage subsystem becomes inaccessible and the data can become corrupted. Three methods of storage access control segregate the I/O path to prevent incompatible systems from accessing another system’s storage. A well designed storage management solution should automate the configuration of your SAN to enforce the best security methods. The three methods are: 1. Switch or fabric-based zoning 2. LUN management and port zoning at the storage subsystem 3. LUN masking at the server The complexity of future SANs and the choices that need to be made to ensure security and proper access require system and storage administrators to possess a tremendous amount of knowledge. This complexity can be resolved by having one central point of control for configuring and managing your networked storage environment. Page 1 Switch or fabric-based zoning The Fibre Channel standard governing SAN products is wide open by default. Application servers are potentially aware of all SAN devices, with unrestricted access to any disk. Zoning is a switch function that addresses this problem by creating a logical, closed path from the host server to the storage array. Devices can be restricted to single zones or shared zones. For example, a server may be in one zone with a RAID and share a second zone with a tape library. A well designed storage operations management solution should allow you to define, by policy, which zone a given application’s volume or database should belong to ensure automatic security enforcement. Figure 1 depicts a typical zone configuration. In this diagram, server 1 and server 2 share two disk subsystems, 1 and 2, in Zone A. Note that server 2 is also in Zone B. Also in Zone B is storage subsystem 3, only accessible by server 2. This subsystem could be used for a snapshot mirror of the clustered servers in Zone A. In Zone C, the server 3 and storage subsystem 4 are not shared by any other zones but use the same switch infrastructure for connectivity. Zone B Server 2 Storage Subsystems 3 Server 1 Switch Tape Library Storage Subsystems 1 Storage Subsystems 2 Storage Subsystems 4 Server 3 Zone A Zone C Figure 1: Example of switch or fabric-based zoning As the complexity of your fabric(s) grows, ensuring that your zoning policies are enforced becomes a difficult manual task. This task becomes even more exasperating if you add different manufacturer’s switches and/or directors which result in multiple user interfaces. Even different models from the same manufacturer may have a different user interface. A well-designed storage management solution should provide one Page 2 common interface for defining all fabric zoning. Furthermore, an effective solution should allow you to define by policy which zone an application or server should belong to and should automate the provisioning and set-up of the fabric. The choices for storage access control are further complicated because there are two methods of switched zoning – zoning that is implemented in the switch hardware, known as hard zoning and zoning that is implemented in the switch software, known as soft zoning. Hard zoning works in one of two ways: by linking physical ports in the fabric (port zoning), or by using the World Wide Name (WWN) that identifies each SAN device. Of the two hard zoning techniques, port zoning is easier but less flexible. On the other hand, WWN can be spoofed, allowing a rogue device in onto the network. Soft zoning uses the switch’s name server database, which stores WWNs and port numbers. It’s a flexible zoning method, but there’s a risk that certain operating systems will allow the host to connect directly to the storage device without consulting the database. There is a potential security risk with soft zoning, which can be caused by an intruder that spoofs frame addresses and may be able to infiltrate switch zones by trying various source and destination combinations until successful. In addition, such a process may overload the switch with excessive requests resulting in a denial-of-service. Note that the risk is somewhat mitigated by the fact that the storage network is usually behind a firewall and servers are in a physically secure data center. It would require an insider to infiltrate this network to spoof the necessary information. An effective storage operations management solution should support the hard and soft zoning capabilities of your switches and directors. It should be able to provision storage paths that enforce your requirements for security, performance and flexibility for the zone of that server or storage. The software should manage the complexity of these different methods to meet the storage service levels required for that server or application. A complete storage operations management software solution understands that each storage subsystem vendor has its own terminology as well as a unique command line or console interface to configure the volumes, map the LUNs and implement security and control. A well designed, integrated storage operations management solution should allow you to define your security and configuration objectives in a “common language” and then translate into, even automate, the steps to provision appropriately on each storage subsystem. By implementing a consistent process and graphical user interface (GUI), training would be greatly simplified for storage administration personnel, while still providing the unique features of each storage vendor. Page 3 LUN Masking at the Server Device drivers on the server’s HBA can provide a masking utility that allow certain LUNs (storage resources) to be blocked or made visible to the host in the SAN. However, since an administrator would need to visit each SAN-attached server to set the masks in a consistent fashion, this is only feasible in very small SANs. It is not a recommended approach for SAN security in a SAN fabric due to the significant number of serves and the potential for errors. Furthermore the potential exists for a rogue server to be attached to the SAN and gain access to other server volumes. There is no validation in the fabric or storage array to prevent this when LUN masking is performed at the server. For these reasons, storage management solutions usually don’t support LUN masking at the server. Volume Access Control on the Host The measures discussed so far, provide security within the physical storage network and storage subsystems. Another critical security aspect is the access to the logical volumes and its administration on the servers. Software that controls access to data volumes is an effective tool that manages potential data corrupting issues. Each user, application, or group can be assigned different access privileges for every storage volume. This is usually accomplished through the volume manager as part of the OS and file system environment on the server. A storage management solution should provide direction on storage provisioning to maintain these storage access rights of the volume manager on the host. Device Configuration Access Control As stated above, an effective storage operations management solution centralizes the various security management tasks into one unified management environment. Without the “single pane of glass” provided by the storage operations management solution, you would be forced to go to individual management consoles and command line interfaces for each switch and storage subsystem opening up risk for security breeches. The interfaces and terminology vary by manufacturer and even model. With an effective storage operations management solution, you need only learn and login to one application that has a consistent set of managed processes and a secure GUI. A well-designed storage management solution would enable security through one management interface for every component type, regardless of the manufacturer. For example, the storage management application would provide a switch zoning interface consistent across all switch vendors. Page 4 Storage Operations Management Software Access Because of the power of a complete storage management solution and the importance of the storage and data integrity it helps manage, the solution itself should be very secure. Multiple layers of security should exist for assigning administrative rights to appropriate storage and systems administration personnel. The login and passwordprotected security levels should enable administrative classes to define the “span of control” of a given administrator or work group. The security system within the software should control the functions users can access. For example, less skilled users may be restricted to reporting and monitoring, or workflow execution, while highly skilled users have access to defining and setting new policies. Managing storage resource configurations through one central solution prevents having to issue multiple logins and passwords to manage through each unique vendor’s management console. A super user account that allows for the creation and maintenance of user accounts, passwords, and access control should be available. Proactive Detection of Access Violations, Auditing, and Logging Any process that needs to be controlled must have proactive monitoring, auditing, and logging of significant event and alarm conditions. The solution should continuously monitor the storage network for security violations and attempted violations. Moreover, it should set policies to notify enterprise level IT management systems with emails, pages, or other means if there is a problem. All changes to security levels and SAN configuration should be logged and tools provided to audit the processes should be available. Detailed workflow history should be available, providing what was done, by who and when. Finally, the ability to rollback changes should be implemented with an accompanying audit trail so that the information cannot be removed. Summary SANs deliver the capability for any server to access any storage device. Though this is extremely powerful and cost effective, it is obvious that security measures must be in place – not only to prevent illegal access to data, but also to prevent accidental corruption or loss of data. An effective Storage Operations Management solution should implement a common set of policies and processes to protect the information and the availability of the information within a SAN. A Storage Operations Management solution should ensure security service levels are met. A storage operations management solution should Page 5 enable the IT administrators to use one common GUI across all their SAN hardware. Finally, a well designed storage operations management solution should enable IT groups to manage the complexity of SAN configuration for security management. The following table provides a checklist of storage operations management solution features that you should look for to enable and support your SAN management security practices. SAN Security Practice Checklist for Storage Operations Management-Enabled Security Practices Storage Management Feature SAN Securi t y St orage Acces s Cont rol St orage Management Feat ure Swi t ch or Fabri c-bas ed Zoni ng LUN Management and Port Zoni ng Vol ume Acces s Cont rol on t he Hos t Confi rgurat i on Acces s Cont rol Vol ume Manager Int egrat i on "Si ngl e Pane of Gl as s " GUI Confi gurat i on W i z ards for each SAN Component St orage Management Soft ware Acces s Management Enabl e wi de "Span of Cont rol " for a Gi ven Admi ni s t rat or or Workgroup Super Us er Acces s Proact i ve Det ect i on of Acces s Vi ol at i ons Acces s Vi ol at i on Det ect i on and Not i fi cat i on Audi t i ng Loggi ng Page 6