Greg Schulz is an independent IT industry advisor, author, blogger (http://storageioblog.com), and consultant. He has a B.A. in computer science and a M.Sc. in software engineering from the University of St. Thomas. Greg has over 30 years of experience across a variety of server, storage, networking, hardware, software, and services architectures, platforms, and paradigms. After spending time as a customer and a vendor, Greg became a Senior Analyst at an IT analysis firm covering virtualization, SAN, NAS, and associated storage management tools, techniques, best practices, and technologies in addition to providing advisory and education services. In 2006, Greg leveraged the experiences of having been on the customer, vendor, and analyst sides of the "IT table" to form the independent IT advisory consultancy firm Server and StorageIO (StorageIO). He has been a member of various storage-related organizations, including the Computer Measurement Group (CMG), the Storage Networking Industry Association (SNIA), and the RAID Advisory Board (RAB), as well as vendor and technology-focused user groups.
Greg has received numerous awards and accolades, including being named a VMware vExpert and an EcoTech Warrior by the Minneapolis-St. Paul Business Journal, based on his work with virtualization, including his book, The Green and Virtual Data Center (CRC Press, 2009). In addition to his thousands of reports, blogs, Twitter tweets, columns, articles, tips, podcasts, videos, and webcasts, Greg is also author of the SNIA-endorsed study guide, Resilient Storage Networks: Designing Flexible Scalable Data Infrastructures (Elsevier, 2004).
Cloud and Virtual Data Storage Networking: Being Secure Without Being Scared. Published: March 28, 2014, Service Technology Magazine, Issue LXXXII.
Abstract: Securing data infrastructure resources in cloud, virtual, networked, and storage environments presents a number of risks and security challenges. Security actions must cover physical security, logical security, multitenancy, and deciphering encryption. Measures must also be taken to eliminate blind spots, or "dark territory." Network storage security environments are unique to individual network needs and should be designed to protect data without inhibiting productivity. This article details techniques, technologies, and best practices that can be used to secure information resources most efficiently. Included is a security checklist providing basic items pertaining to storage and network storage security.
This chapter looks at securing data infrastructure resources in cloud, virtual, networked, and storage environments to counter various internal and external threat risks and other security-related challenges. A good defense—having multiple layers, rings, or lines of protection—along with a strong offense of proactive policies combine to enable productivity while protecting resources. Key themes addressed in this chapter include securing data during transit as well as at rest, authorization, authentication, and physical security. There are many security challenges for protecting cloud, virtual, and data storage networks without impeding productivity. With the right techniques, technologies, and best practices, however, information resources can be effectively secured.
Being Secure Without Being Scared
As IT moves farther from the relatively safe and secure confines of data center glasshouses and internal physical networks, with interfaces for Wi-Fi, mobile, and Internet computing, security has become even more important than it was in the past. Cloud, virtual machine (VM), and storage networking with remote access enable flexible access to IT resources by support staff, users, and clients on a local and wide area basis. This flexibility, however, also exposes information resources and data to security threats. This means that any desired increase in accessibility must be balanced between data protection and business productivity. As networked storage enables storage and information resources to be accessed over longer distances and outside the safe confines of the data center, more security threats exist and more protection is needed.
Security issues also increase as a result of networking with virtual and physical IT resources and applications or services being delivered. For example, a non-networked, standalone server and dedicated direct attached storage with secured physical and logical access is more secure than a server attached to a network with general access. However, the standalone server will not have the flexible access of a networked server that is necessary for ease of use. It is this flexible access and ease of use that requires additional security measures. As new enabling technologies, including IP-based networks to facilitate distance, are leveraged, they also enable security threats and attacks. These attacks can occur for political, financial, terrorist, industrial, or sheer entertainment reasons.
Figure 1 – Eliminating "dark territory," "dark clouds," and blind spots.
Eliminating Blind Spots, Gaps in Coverage, or "Dark Territories"
In the previous chapter we looked at the importance of not treating all applications, their data and associated infrastructure resources, and associated management the same, by using policies and procedures collectively called infrastructure resource management (IRM). Security of information and related assets is an important part of IRM, including data management and different levels of protection to meet various threat risks. Business and threat analysis should be used to determine what to encrypt and the applicable level or granularity of encryption to be used. It is also important to eliminate "dark territories," blind spots, or gaps in coverage (Figure 1).
Blind spots or gaps in coverage are not unique to security; enabling an agile, flexible, dynamic, resilient, and converged environment relies on having timely situational awareness of resources and service delivery. Because the focus in this chapter is on logical and physical security of data and information resources on both local and remote bases, the focus of removing dark territories or blind spots is to eliminate gaps in coverage that can result in points of vulnerabilities or threat risks.
When it comes to moving data electronically via a network transfer or by shipping physical media, you may know when and where it left as well as its estimated time of arrival (ETA), but do you know where the data was during transit or while in flight? Do you know who may have had access to it or been able to view its content, particularly if it was not encrypted? Can you provide auditable trails or activity logs of where the data moved or deviated from planned routes or paths?
In the transportation industry, terms such as "dark territory" have historically been used by railroads to indicate areas with minimum to no management or control coverage. Other transportation-related terms include "blind spots" or "flying blind" to indicate lack of situational awareness that can result in loss of management control. What these have to do with cloud and virtual data storage networking is that a "dark cloud" can be considered a resource without adequate insight and awareness of who has access to it and what they may be doing with it.
At the top left of Figure 1, various technologies and techniques are shown that are used at the source and destination for managing digital assets and media. Also shown are issues and lack of real-time management insight while assets are being moved in blind spots.
For example, data needs to be moved to public and off-site remote private providers. Once data and applications are in use at public or private providers and on premise, what visibility is there into how secure information and associated resources are being kept? When information is being moved, is it via electronic means using networks or by bulk movement using removable media (flash SSDs, regular hard disk drives (HDDs), removable hard disk drives (RHDDs), optical CDs or DVDs, or magnetic tape)? For example, to move a large amount of data initially to a cloud or managed service provider, a magnetic tape copy of the data may be made to be used for staging at the remote site, where it is then copied to a disk-based solution. What happens to the magnetic tape? Is it stored? Is it destroyed? Who has access to the tape while it is in transit?
Possible areas of "dark territory" or gaps in coverage include:
Security Threat Risks and Challenges
There are many different threat risks (Figure 2) for IT cloud, virtual, and traditional data centers and the systems, applications, and data they support. These risks range from acts of man to acts of nature, and from technology failure to accidental and intended threats. A common belief is that most threat risks are external, when in reality most threats except acts of nature are internal. Firewalls and other barriers can work together to fight attacks from outside, but equally strong protection is necessary against internal threats. Another common security threat risk within most IT networks is inadequate security on "core" systems or applications within an environment. For example, poor password control on enterprise backup/recovery systems, virtualization systems, and management interfaces is all too common, when changing weak or default passwords should simply be common sense.
Threats may be physical or logical, such as a data breach or virus. Different threat risks require multiple rings or layers of defenses for various applications, data, and IT resources, including physical security. The virtual data center relies on both logical and physical security. Logical security includes access controls or user permissions for files, objects, documents, servers, and storage systems along with authentication, authorization, and encryption of data.
Figure 2 – Cloud and virtual data storage networking security points of interest.
Additional common threat risks include:
Another facet of logical security is the virtual or physical destruction of digital information known as digital shredding. For example, when a disk storage system, removable disk or tape cartridge, laptops or workstations are disposed of, digital shredding ensures that all recorded information has been securely removed. Logical security also includes how storage is allocated and mapped or masked to different servers along with network security including zoning, routing, and firewalls.
Another challenge with cloud and virtual environments is how various customers' or business functions' applications and data are kept separate in a shared environment. Depending on the level of the shared or multitenant solution combined with specific customer, client, or information services consumer security and regulatory requirements, different levels of isolation and protection may be required. For example, on a shared storage solution, is having different customers or applications provisioned into separate logical units (LUNs) or file systems sufficient? As another example, for more security-focused applications or data, are separate physical or logical networks, servers, and storage required? In addition to multitenant hardware, software, and networks, either on your own premises under your management or via an on-site managed service provider or external provider, who has access to what, when, where, and for what reasons?
Additional security challenges include:
In addition to the above, other challenges and requirements include compliance requirements such as PCI (Payment Card Industry), SARBOX, HIPAA, HITECH, Basel, and others. Security requirements for cloud, virtual, and data storage networks vary and include jurisdiction of specific regulations, fraud and data leak detection and notification, data encryption requirements, auditable events, as well as access and activity logs.
Taking Action to Secure Your Resources
Security of your networks and systems is essential in normal times and crucial during service disruption. Denial-of-service attacks have become the new threat, causing disruptions and chaos. Some security issues to be considered include physical and logical security along with encryption of data, virtual private networks (VPNs), and virtual local area networks (VLANs). Security of the network should extend from the core to the remote access sites, whether home, remote office, or a recovery site. Security must be in place between the client and server (or the Web), and between servers. Securing the home environment includes restricting work computers or PCs, use of VPNs, virus detection, and, of course, system backup. Security becomes more important the farther away you are from a secured physical environment, particularly in shared environments.
Common security-related IRM activities include:
As with many IT technologies and services, there will be different applicable threat risks or issues to protect against, requiring various tiers and rings of protection. The notion of multiple rings or layers of defense is to allow for flexibility and enable worker productivity while providing protection and security of applications and data. A common belief is that applications, data, and IT resources are safe and secure behind company firewalls. The reality is that if a firewall or internal network is compromised, without multiple layers of security protection, additional resources will also be compromised. Consequently, to protect against intrusions by external or internal threats, implementation of multiple protection layers, particularly around network access points, is vital.
There are many things that can be done, ranging from protecting physical facilities and equipment to securing logical software and data. Securing coverage should extend in terms of visibility and coverage from physical to virtual, from private to public as well as managed service providers (MSPs). Other things that can be done include preserving segregated administration functions by various technology management groups (servers, operating systems, storage, networking, applications) in a converged, coordinated manner. This means establishing policies and procedures that span technology management domains along with associated visibility or audit tools. Security should also include leveraging encryption, certificates, and tokenization in support of authorization, authentication, and digital rights management.
Physical data protection means securing facilities and equipment and access to management interfaces or workstations.
Physical security items include:
Another dimension of physical security includes ensuring that data being moved or transported electronically over a network or physically is logically secured with encryption and physical safeguards including audit trails and tracking technology. For example, solutions are available to retrofit existing magnetic tape and removable hard disk drives with external physical bar-code labels that include an embedded RFID chip. The RFID chips can be used for rapid inventory of media being shipped, to facilitate tracking and eliminate falsely reported lost media. Other enhancements include shipping canisters using Global Positioning System and other technologies to facilitate tracking during shipment.
With the increased density of servers, storage, and networking devices, more cabling is being required to fit into a given footprint. To help enable management and configuration of networking and I/O connectivity, networking devices including switches are often integrated or added to server and storage cabinets. For example, a top-of-rack, bottom-of-rack, or embedded network switch aggregates the network and I/O connections within a server cabinet to simplify connectivity to an end-of-row or end-of-area group of switches.
Cable management systems, including patch panels, trunk, and fan-in, fan-out cabling for over-head and under-floor applications, are useful for organizing cabling. Cable management tools include diagnostics to verify signal quality and decibel loss for optical cabling, cleaning and repair for connectors, as well as asset management and tracking systems. A relatively low-tech cable management system includes physically labeling cable endpoints to track what the cable is being used for, along with a cable ledger. A cable ledger, either maintained by hand or using software, keeps track of status, including what is in service or available for maintenance. Software for tracking and managing cabling can be as simple as an Excel spreadsheet or as sophisticated as a configuration management database (CMDB) with intelligent fiber-optic management systems. An intelligent fiber-optic system includes mechanisms attached to the cabling to facilitate tracking and identification of cabling.
Another component for server, storage, and networking I/O virtualization is the virtual patch panel, which masks the complexity by abstracting the adds, drops, moves, and changes associated with traditional physical patch panels. For large and dynamic environments with complex cabling requirements and the need to secure physical access to cabling interconnects, virtual patch panels are a great complement to I/O virtualization (IOV) switching and virtual adapter technologies.
Physical security can be accomplished by addressing the above items, for example, by ensuring that all switch ports and their associated cabling and infrastructure, including patch panels and cable runs, are physically secured with locking doors and cabinets. More complex examples include enabling intrusion detection as well as enabling probes and other tools to monitor critical links such as wide area interswitch links (ISLs). For example, a monitoring device could track and send out alerts for certain conditions on critical or sensitive ISLs, such as link loss, signal loss, and other low-level events that might appear as errors. This information can be correlated back to other information, including maintenance records, to see if someone was performing work on those interfaces or if they have been tampered with in some way.
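The correlation step described above, as an added illustration that is not code from the original article: low-level events reported on critical ISLs are checked against scheduled maintenance windows, and anything on a critical link that falls outside a window is flagged for investigation. The alert format, the maintenance record layout, and the switch and port names are all constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample alerts from a hypothetical link monitor:
# "<UTC time> <switch> <port> <event>"
ALERTS = """\
2014-03-28T01:58:00Z sw1 isl/1 link_loss
2014-03-28T02:05:30Z sw1 isl/1 signal_loss
2014-03-28T09:10:00Z sw1 e1/7 link_loss
2014-03-28T11:42:10Z sw2 isl/3 link_loss
2014-03-28T11:42:12Z sw2 isl/3 crc_errors
""".splitlines()

# Constructed maintenance records: (switch, port, window start, window end, change ticket)
MAINTENANCE = [
    ("sw1", "isl/1", "2014-03-28T01:30:00Z", "2014-03-28T03:00:00Z", "CHG-1001"),
]

# The wide area ISLs that this environment treats as critical or sensitive
CRITICAL_ISLS = {("sw1", "isl/1"), ("sw2", "isl/3")}


def parse_ts(text):
    """Parse the monitor's UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(alerts, maintenance, critical):
    """Tag each critical-ISL event as expected (covered by a maintenance ticket)
    or as needing investigation. Events on non-critical ports are ignored."""
    windows = [(sw, port, parse_ts(start), parse_ts(end), ticket)
               for sw, port, start, end, ticket in maintenance]
    tagged = []
    for line in alerts:
        ts, sw, port, event = line.split()
        if (sw, port) not in critical:
            continue
        t = parse_ts(ts)
        ticket = next((w[4] for w in windows
                       if w[0] == sw and w[1] == port and w[2] <= t <= w[3]), None)
        status = f"expected:{ticket}" if ticket else "investigate"
        tagged.append((sw, port, event, status))
    return tagged


def links_to_investigate(alerts, maintenance, critical):
    """Distinct critical links with at least one unexplained event."""
    return sorted({(sw, port) for sw, port, _, status
                   in correlate(alerts, maintenance, critical)
                   if status == "investigate"})


if __name__ == "__main__":
    for row in correlate(ALERTS, MAINTENANCE, CRITICAL_ISLS):
        print(row)
    print("investigate:", links_to_investigate(ALERTS, MAINTENANCE, CRITICAL_ISLS))
```
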
Logical security complements physical security with a focus on items such as applications or data access. Logical security includes authorization, authentication, and digital rights management along with encryption of data and multitenancy.
Additional areas of logical security on a local or remote basis include:
In Figure 3, at the top left is an example of a single tenancy with servers and storage dedicated to a given application or function. Moving from left to right across the top of Figure 3 are examples of multitenant servers using hypervisors for virtualization hosting multiple applications sharing resources. Also shown are shared storage systems in which various physical machines (PMs) or virtual machines (VMs) share storage or have dedicated LUNs, volumes, partitions, file systems, or virtual storage systems shown at the bottom of Figure 3.
Figure 3 – Server and storage multitenancy.
The challenge with multitenancy is that underlying resources are shared while applications and their data must be kept logically separated. Various solutions provide different options for maintaining multitenant security and protection, with some being able to provide a subset of management capabilities, or subordinated management. Subordinated management enables a subset of tasks or functions to be performed (for example, on a virtual machine or virtual file server or file system instance) without exposing other VMs or resource shares. An example of a multitenant storage solution similar to what is shown in Figure 3 is NetApp MultiStore; there are also many other offerings from various vendors.
A common theme among IT professionals is that there is a perception that encryption key management is a complexity barrier to implementation and that multiple levels of data security are needed to counter applicable threats. Another common concern is real or perceived lack of heterogeneous capability and vendor lock-in. Key management is thought to be a barrier for tape, disk (data at rest), and file system based security and, more important, tiered security.
In general, the overwhelming theme is that encryption key management is complex and that this complexity is a barrier to implementation. Not protecting data, particularly data in-flight, with encryption due to fears of losing keys is similar to not locking your car or home for fear of losing your keys. Key management solutions are available from various sources, with some solutions supporting multiple vendors' key formats and technologies.
Encryption should be used to protect data in-flight or during movement over logical (networks) as well as during physical movement. In addition to data in-flight, data at rest both for short-and for long-term preservation or archiving should be encrypted. There are many different approaches as well as locations for performing encryption. Encryption can be done in applications such as Oracle for database or Microsoft Exchange email, for example. Encryption can also be done via operating systems or file systems, or via third-party software, adapters, or drivers.
Encryption can be performed in many places:
Additionally, encryption can be accomplished via software running on standard hardware as well as in conjunction with custom hardware (e.g., ASIC or FPGAs) in various combinations.
There are several major areas of focus for securing storage and data networks. These include securing the network and its access or endpoints, securing data while in-flight along with where it is stored (locally or remote), and protecting network transports links along with management tools or interfaces. Network security involves physical and logical activities and techniques. Physical activities include firewalls, protecting endpoints and access to cabling and connectors, along with management tools or interfaces. Physical security can also mean having separate networks for different applications or functions.
Logical networking security involves access controls and password-protected tools for virtual private networks (VPNs), virtual LANs (VLANs), and virtual SANs (VSANs) that may be physically connected yet logically isolated for multitenant environments. Traditional network switches have been external physical devices for interconnecting various devices or users. With virtual servers there are also virtual switches implemented in memory as part of a hypervisor, which function similarly to a traditional physical switch. An example is the Cisco Nexus 1000v found in some VMware vSphere environments.
Concerns for VPNs, VLANs, and VSANs include:
A frequent question is whether the virtual switches are a networking issue or a server management topic, and where the line of demarcation is between the different groups. For some environments the solution is easier when the networking and server teams are part of a larger organization so that activities can be coordinated. For example, the networking team may grant server management personnel subordinate access to the virtual networking switch along with virtual monitoring tools, or vice versa.
Networking and I/O security topics and action items include:
When looking at controlling access and isolating traffic within a single switch or director, as well as in a single fabric of two or more switches, the following techniques can be used. Access control policies are implemented using binding to associate which devices, including servers, can attach to which ports, as well as which switches and directors can attach to each other. Access control lists (ACLs) are created to authorize the connection between SAN components to implement security policies. These ACLs implement device-to-switch access policies (port binding), switch-to-switch policies (switch binding), and fabric binding. Binding is used to determine what devices can connect to each other, while zoning is used to determine what devices and ports see and communicate with each other.
Fabric-based World Wide Name (WWN) soft zoning is the commonly used industry standard, particularly in open heterogeneous environments. This provides flexibility to move a device from one port to another in a fabric without having to make a zone change. This implies that the zone follows the device; however, the zone is tied to that device. Should the device be changed, for example, when a tape drive is replaced, the zone must be modified to reflect this new device and its WWN. WWN and zoning have ramifications for virtual servers that are using Fibre Channel when a VM is moved from one PM to another and the hardware address changes. A solution is to use N_Port ID Virtualization (NPIV), where VMs establish their affinity to a virtual N_Port ID that is able to move with the VMs to a different PM without having to change zoning.
With the convergence of traditional networks and storage interfaces via storage networks, there is also a convergence of networking. At a minimum, a basic understanding of the respective security mechanisms and how they correspond to each other is needed as IP and Ethernet move further into the storage-networking realm beyond NAS file sharing (NFS and CIFS) and wide area communications. The counterpart of Fibre Channel zoning in the IP networking realm is VLAN (virtual LAN) tagging, used to segment and isolate LAN traffic.
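The interaction between port binding and WWN soft zoning described above, worked through as an added example (not code from the original article or from any switch vendor): a small fabric model enforces a port-binding ACL at login and a WWN zone check for communication, then walks through the tape-drive replacement case and the VM migration case with and without NPIV. The `Fabric` class, port names, and all WWPNs are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Fabric:
    """Toy model of fabric access controls: port binding (who may log in on a port)
    plus WWN soft zoning (who may talk to whom). Hypothetical, not a vendor API."""
    # port -> set of WWPNs allowed to log in there; a port with no entry admits any device
    port_binding: dict = field(default_factory=dict)
    zones: dict = field(default_factory=dict)   # zone name -> set of WWPNs
    logins: dict = field(default_factory=dict)  # WWPN -> port it is logged in on

    def login(self, wwpn, port):
        """Fabric login: the port-binding ACL is checked before the device is admitted."""
        allowed = self.port_binding.get(port)
        if allowed and wwpn not in allowed:
            return False
        self.logins[wwpn] = port
        return True

    def logout(self, wwpn):
        self.logins.pop(wwpn, None)

    def can_communicate(self, a, b):
        """Soft zoning: both devices must be logged in and share at least one zone."""
        if a not in self.logins or b not in self.logins:
            return False
        return any(a in members and b in members for members in self.zones.values())


# Constructed WWPNs, not real devices
HOST = "10:00:00:00:c9:aa:00:01"
TAPE_OLD = "50:01:10:a0:00:00:00:01"
TAPE_NEW = "50:01:10:a0:00:00:00:02"
STORAGE = "50:06:01:60:00:00:00:01"
PM1_HBA = "10:00:00:00:c9:bb:00:01"
PM2_HBA = "10:00:00:00:c9:bb:00:02"
VM_VPORT = "c0:50:76:00:00:00:00:01"  # NPIV virtual N_Port WWPN owned by the VM


def scenario_tape_replacement():
    """Replacing a zoned tape drive: the zone follows the WWPN, so the new drive's
    WWPN is neither admitted by the port binding nor zoned until both are updated."""
    f = Fabric(port_binding={"sw1/p1": {HOST}, "sw1/p2": {TAPE_OLD}},
               zones={"z_backup": {HOST, TAPE_OLD}})
    f.login(HOST, "sw1/p1")
    f.login(TAPE_OLD, "sw1/p2")
    before = f.can_communicate(HOST, TAPE_OLD)
    f.logout(TAPE_OLD)                            # old drive removed
    rejected = f.login(TAPE_NEW, "sw1/p2")         # binding still names the old WWPN
    f.port_binding["sw1/p2"] = {TAPE_NEW}          # update the port-binding ACL
    admitted = f.login(TAPE_NEW, "sw1/p2")
    unzoned = f.can_communicate(HOST, TAPE_NEW)    # zone still lists the old WWPN
    f.zones["z_backup"] = {HOST, TAPE_NEW}         # update the zone
    after = f.can_communicate(HOST, TAPE_NEW)
    return before, rejected, admitted, unzoned, after


def scenario_vm_migration(use_npiv):
    """Move a VM from PM1 to PM2. Without NPIV the zone names PM1's physical HBA and
    breaks after the move; with NPIV the VM's virtual WWPN moves with it, no zone change."""
    initiator = VM_VPORT if use_npiv else PM1_HBA
    f = Fabric(zones={"z_vm": {initiator, STORAGE}})
    f.login(STORAGE, "sw1/p9")
    f.login(initiator, "sw1/p3")                   # PM1's port
    before = f.can_communicate(initiator, STORAGE)
    f.logout(initiator)
    moved = VM_VPORT if use_npiv else PM2_HBA      # what now logs in from PM2's port
    f.login(moved, "sw1/p4")
    after = f.can_communicate(moved, STORAGE)
    return before, after


if __name__ == "__main__":
    print("tape replacement:", scenario_tape_replacement())
    print("migration without NPIV:", scenario_vm_migration(False))
    print("migration with NPIV:", scenario_vm_migration(True))
```
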
While far from an exhaustive list, the following provides some basic items pertaining to storage and storage networking security:
The most secure environment for your data and information resources is also one that inhibits usability. The by-products of inhibitive security are reduced productivity and the steps people will take to work around the barriers. At the other extreme are completely open environments with little to no security and free access by anyone from anywhere. Given this spectrum, the right approach for your environment will depend on your needs and service requirements. The level of security should be consistent with the risk for your facility or business based on what you do or who you do it for. Security for storage and storage networking has taken on increased importance, particularly as storage traverses external interfaces. It is easy to look at all the possible threats and fall into a defensive mindset or paradigm. Instead, shift to a strong offense, where security is used as a tool and enabler rather than a barrier to productivity.