Slashdot Mirror

← Back to Stories (view on slashdot.org)

Storage Security

Posted by timothy on from the place-for-your-stuff dept.

shiroi_kami writes "What does Information Security mean to you? To many, it means firewalls and encryption. To some, it means intrusion detection systems. Chances are the words "file servers" weren't high on your list, but they probably should be. After all, information security is about information, and when it's not flying across the network it's got to be stored somewhere, right? In fact, the security of the storage mechanism is often overlooked, which makes it an attractive target for attackers. In their new book, Storage Security, the authors take a comprehensive look at this often-ignored subject. Update: 03/26 05:44 GMT by T : Please note, this review was written by David Bianco under the handle shiroi_kami as an Amazon.com review, and also appears at InfosecBooks.com. Apologies to David for the misplaced and delayed attribution. Storage Security: Protecting, SANs, NAS and DAS author John Chirillo, Scott Blaul pages 408 publisher John Wiley & Sons rating 9.8 reviewer David Bianco ISBN 0764516884 summary A storage security handbook that examines strengths and weaknesses, describes architectural security concerns and considerations, and identifies ways to implement and design more secure storage systems.

Storage Security is not about turning on the right configuration options on your XYZ brand server appliance. It's about applying solid, methodical security practices to your storage systems, regardless of whether they are disks directly attached to a single computer, Network Attached Storage or part of a Storage Area Network. The authors address the full security cycle, too, starting with evaluating the security of proposed new storage solutions. Comparative data in hand, the book shows you how to narrow the field to a single solution that offers the best balance between functionality and security.

And once the system is selected, you can't stop there. You've got to decide on appropriate security policies for the new storage system, draft and implement a backup and restore plan, deal with disaster recovery and take care of a host of other issues. In short, this is a good guide to an entire range of considerations necessary to select, deploy and manage a secure storage solution.

The book's evaluation methodology is particularly valuable. Each type of storage (directly attached, NAS and SAN) is covered in a chapter of its own. Within each chapter, the authors address specific technologies used to implement that type of storage. For example, the direct-attach chapter discusses such common storage technologies as SCSI and IDE, moderately exotic systems like USB and Firewire drives, and some more advanced solutions like HiPPI and SSA. Each technology is then placed in a matrix and scored in 11 different categories, including popularity and industry acceptance, built-in data protection features, typical fault tolerance and physical security characteristics.

The authors assign each rating on a scale of 1 (poor) to 5 (the best). This gives a good general indication of how each technology measures up, but they tend to rely on a straight average of the ratings when determining the best technology. Although it's true that the average allows you to make a quick ballpark comparison, there are many other factors to consider as well, such as the suitability for your particular environment and the way in which your users need to access their data. The matrixes are quite useful, but just remember that you can't always boil things down to a simple numerical score.

Probably the biggest problem with this book is that it's pretty dry. As a reference book, the writing style is fine, since it's easy to find what you're looking for, and the chapters are concise. It's difficult to read from cover-to-cover, though, which is a shame because that's what you should probably do the first time through. Take it in small doses, a chapter or so at a time, and you should be fine.

Storage Security is about just what you'd think: the security of your data as it's being stored on your server(s). It's not a detailed look at the configuration of any one product, but rather a comprehensive, theory-based approach to managing the security of your storage subsystem from evaluation to purchase to daily operations. If you manage a small or mid-size network, you may or may not need this book. If you have a larger network, though, or have significant data-storage needs, this deserves a space on your shelf.

You can purchase Storage Security: Protecting, SANs, NAS and DAS from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

7 of 125 comments (clear)

  1. Encrypted File System by Anonymous Coward · · Score: 5, Insightful

    This is something I've wondered about, and this reminded me.

    Is there any operating system that supports encrypting the storage at the file system level. In other words, is there any operating system where I can specify that I want a particular path encrypted, and then copy files over, edit files, etc without worrying about having to decrypt, recrypt manually all the time?

    Even a weak encryption would satisfy me.

    1. Re:Encrypted File System by nakhla · · Score: 5, Informative

      Yes, Windows 2000/XP Professional and Windows Server 2003 all support this feature. Encryption/decryption is done transparently so there is no additional user intervention required.

      Also, with PGP you can create PGP disks that are essentially files that are loopback-mounted as an encrypted drive. Any files you copy to this virtual drive are automatically encrypted with your PGP keys.

    2. Re:Encrypted File System by olip · · Score: 5, Insightful

      Encrypted HD can't be safe, can it ?
      Fo example, if it's a PKI, the private key has to be somewhere in the computer (BIOS, HD, ROM, etc.) for the OS to be able to decrypt. So it is very vulnerable.
      The computer is a deterministic system, it fully contains all the information needed for automated processing ; usually security is ensured by the externalization of some part of data (password, private key, fingerprint) considered as needed for some processing.
      I mean, you wont type your password everytime your OS reads from the HD ;-)
      BTW NTFS is a first step in the direction you suggest.

    3. Re:Encrypted File System by paulhar · · Score: 5, Informative

      Unfortunately the words "weak encryption" can definately be attributed to Windows EFS encryption.

      Every time you open the file it's decrypted in place, so while the file is "open" it's in an unencrypted state.

      A few scenarios to consider:

      A) Application A always running. While the application is running, the data file in unencrypted on disk so anyone with the appropriate permissions can read it. Exchange is a good example of this - how often do you shut it off?

      B) What happens when you have a powercut. If the file was unencrypted guess what state it'll stay in until you manually poke it?

      C) If it's data like word documents then this is the chain of events: open encrypted file, (it decrypts in the background), you change the file, you save it, windows creates a NEW file and writes the changes to it, office deletes the old file, office renames the NEW file to the name of the old file, windows encrypts the changed file, and office etc rename the encrypted version back to the original filename. But the blocks for the decrypted one are on disk for anyone with the appropriate undelete tools to use.

      Still, better than nothing?

    4. Re:Encrypted File System by stilwebm · · Score: 5, Informative

      There are patches for the Linux Kernel that use loopback devices and the international patches (CryptoAPI) to encrypt filesystems transparently. They also require CryptoAPI enabled losetup, mount, and umount binaries. Linux Encrypted File System Howto

      A similar arrangement is available to OpenBSD. OpenBSD Encrypted Virtual Filesystem Mini-HOWTO

  2. physical securty has been around for a long time by Anonymous Coward · · Score: 5, Insightful

    This is nothing new. Administrators and other have known for a long thime that no machine is secure if someone has access to the physical machine. If someone can open your box up, reboot it, attach new devices to its private subnet, etc. then it is not secure.

    Why anyone thinks this should be different for storage systems is beyond me. If someone can break in and steal your data, or attach new devices to the data transfer channel, or whatever, then your data isn't secure. That the authors think this comes as a revelation to anyone means either they are really stupid or they think administrators are really stupid.

    Get your machines installed in a location with good physical security. That's really all there is to it.

  3. IEEE SAN security standard by Anonymous Coward · · Score: 5, Informative

    IEEE is working on a standard (IEEE P1619) which will allow encryption to shared media (SANs I guess). They've set up a working group.

    They're looking at (from the website):

    • Cryptographic algorithms for storage
    • Cryptanalysis of existing and proposed systems and protocols
    • Key management for storage
    • Attacks on storage area networks and storage systems and countermeasures
    • Standardization approaches
    • Deployment of secure storage mechanisms
    • Defining and defending trust boundaries in storage
    • Relating storage security to system and network security.

    Something to look at in the future. Hopefully it'll be more secure than WEP. :)