Slashdot Mirror
Storage Security
Storage Security is not about turning on the right configuration options on your XYZ brand server appliance. It's about applying solid, methodical security practices to your storage systems, regardless of whether they are disks directly attached to a single computer, Network Attached Storage or part of a Storage Area Network. The authors address the full security cycle, too, starting with evaluating the security of proposed new storage solutions. Comparative data in hand, the book shows you how to narrow the field to a single solution that offers the best balance between functionality and security.
And once the system is selected, you can't stop there. You've got to decide on appropriate security policies for the new storage system, draft and implement a backup and restore plan, deal with disaster recovery and take care of a host of other issues. In short, this is a good guide to an entire range of considerations necessary to select, deploy and manage a secure storage solution.
The book's evaluation methodology is particularly valuable. Each type of storage (directly attached, NAS and SAN) is covered in a chapter of its own. Within each chapter, the authors address specific technologies used to implement that type of storage. For example, the direct-attach chapter discusses such common storage technologies as SCSI and IDE, moderately exotic systems like USB and Firewire drives, and some more advanced solutions like HiPPI and SSA. Each technology is then placed in a matrix and scored in 11 different categories, including popularity and industry acceptance, built-in data protection features, typical fault tolerance and physical security characteristics.
The authors assign each rating on a scale of 1 (poor) to 5 (the best). This gives a good general indication of how each technology measures up, but they tend to rely on a straight average of the ratings when determining the best technology. Although it's true that the average allows you to make a quick ballpark comparison, there are many other factors to consider as well, such as the suitability for your particular environment and the way in which your users need to access their data. The matrixes are quite useful, but just remember that you can't always boil things down to a simple numerical score.
Probably the biggest problem with this book is that it's pretty dry. As a reference book, the writing style is fine, since it's easy to find what you're looking for, and the chapters are concise. It's difficult to read from cover-to-cover, though, which is a shame because that's what you should probably do the first time through. Take it in small doses, a chapter or so at a time, and you should be fine.
Storage Security is about just what you'd think: the security of your data as it's being stored on your server(s). It's not a detailed look at the configuration of any one product, but rather a comprehensive, theory-based approach to managing the security of your storage subsystem from evaluation to purchase to daily operations. If you manage a small or mid-size network, you may or may not need this book. If you have a larger network, though, or have significant data-storage needs, this deserves a space on your shelf.
You can purchase Storage Security: Protecting, SANs, NAS and DAS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Windows 2000/XP (and maybe NT4) have the ability to encrypt the data written to disk. Since it's an MS product, I wouldn't trust anything important to it, but the theory is already put in practice.
AFAIK linux doesn't have an encrypted FS, nor have I heard about anything under development. If any FS hackers are reading this, this would be a handy project if you're looking for something to do.
There is no reasonable defense against an idiot with an agenda
:wq
Yes, it's a common feature on Windows 2000 on, Linux, etc. Google can help.
Slashdot - News for Herds. Stuff that Splatters.
Fo example, if it's a PKI, the private key has to be somewhere in the computer (BIOS, HD, ROM, etc.) for the OS to be able to decrypt. So it is very vulnerable.
Encrypt the key with a OTP.
Another question; why not implement the encryption in the VFS? While a lot of people who want an encrypted FS don't care about the FS implementation, wouldn't it be useful to be able to take advantage of all the current filesystems out there (E.g. Reiser, XFS etc.) and use encryption?
FreeBSD has a new system in the 5.x series. It's called GBDE (Geom Based Disk Encryption).
Basically you ``open'' a partition that's encrypted and you can do any operation you want and only ciphertext will hit the disk. You can then ``close'' the partition and no one should be able to read it.
You can have upto four different pass-phrases so four different people can access the data independently. Each of the four people can also self-destruct access to the data in case of ``attack'' (``blackening'').
The man(1) page list above has a good description.
I've had this similar thinking before, because the information in and of itself is not important, from a technical perspective, it's the mechanism to access that needs to be secure. Hence, a SAN with a fibre-channel fabric would seem secure (a client needs an HBA card), but hook it up to a MS File server, SQL Server, or Oracle, and suddenly all the same exploits apply.
;)
I would suggest it's not the type of nails used, it's the design of the front door. I could be wrong.
Peace, Out!
~Airrage
"This isn't a study in computer science, its a study in human behavior"
When we talk about "Information Assurance," it's based on 3 principles:
Confidentiality--Nobody reads your data unless they're allowed to (think top-secret information)
Integrity--Nobody can change your data unless they're allowed to (think bank account balance)
Availability--When you need the data, it's there (backups, redundancy, etc.)
I do what the voices on my console tell me to do.
Don't forget about swap or paging space, either.
No one but me seems to use them, but I've personally seen amazing reliability with magneto-optical (MO) drives and media. In fact, I've never had one of my MO disks fail. I certainly can't say that about other media I've used:
- casettes (TRS-80 model 1 circa 1977)
- floppies (actually, 8" floppy disks are very reliable, and they go down from there)
- various kinds of streaming tape
- Bernoulli discs of various capacity
- zip discs of various capacity
- hard drives of various capacity
- CD-R and CD-RW of various capacity
Seriously, consider MO media such as the Fujitsu 1.3 gig discs and drives. Of course this does not address really long-term storage and the issues of lost/failing hardware and standards over decades, but I think this gives you one of the most stable physical formats available for "near-line" storage.
One particular memo was about the servicing of the water coolers, and went out to the whole company. When I strings'ed the memo, though, at the top was a draft of an employee's termination letter! Oops. Apparently, this was the undo buffer for Word -- the writer of the memo had just written the termination letter, printed it, deleted it from the document, and wrote the water cooler memo in the same instance of word. However, if opened this doc in Word, I couldn't access the hidden info, no matter what I tried.
Since then, I've always wondered how much other sensitive information has snuck out, via MS Word.
Keys are stored in smart cards. Reading backup tapes requires a Cyberntics drive and the correct key. Obviously you need to manage this very well to avoid being SOL during an actual recovery situation.
Of course, consider how vulnerable your backup media really is. I don't need to hack your network, just show up in an Iron Mountain uniform with forged ID maybe 30 minutes before the real Iron Mountain guy shows up. I then drive off with ALL you data.
If your children ever found out how lame you are, they'd murder you in your sleep