White Paper. Hitachi Data Systems: A Storage Security Leader. By: Jon Oltsik Enterprise Strategy Group. September 2005

Transcription

1 White Paper Hitachi Data Systems: A Storage Security Leader By: Jon Oltsik September 2005 Copyright The, Inc. All Rights Reserved.

2 Over the past few years, spending on information security products and services has steadily increased at large and small organizations all over the world. As the number of threats continues to scale, business managers finally understand that security defenses are a fundamental cost of doing business, just like electricity, heat, and telephones. In spite of this growth, however, spending on storage security continues to lag behind other functional IT areas. For example, in a recent ESG Research Report, NONE of the 251 security professionals surveyed said that his or her organization had a high level of investment in storage security, whereas 64 percent claimed to have a high level of investment in network perimeter security (i.e. firewalls, network gateways, etc.: see the 2005 ESG Research Report, Network Security and Intrusion Prevention). Why is storage security spending so far behind? IT professionals still believe that host-based security acts as a kind of firewall, protecting all of the disk drives that sit behind the servers. In addition, storage professionals remain focused and measured on performance and availability, and they generally have only a cursory understanding about information security processes and technologies. Historically this storage security apathy just wasn t that risky. Yes, there may have been an occasional internal breach or lost tape, but for the most part, storage security was a non-issue. Times have changed. ESG believes that this disregard for storage security is no longer acceptable, because it poses a threat to business operations and confidential data protection. Why have things changed? Several reasons: Storage has become a network service. Direct-access storage is old school. Today s storage systems live on switched Fibre Channel or IP networks and are shared by multiple hosts. This certainly improves capacity utilization and scale, but modern storage networks contain a myriad of non-secure Fibre Channel switches, management stations, and IP interfaces. An IT administrator with modest technical skills could easily perpetrate a denial-of-service (DOS) attack and take mission-critical storage assets offline. With a bit of additional knowledge, a rogue IT staffer or diligent hacker could also steal intellectual property or private data. Information Lifecycle Management (ILM) demands security. ILM provides policy management and storage intelligence to enable companies to move information around geographically dispersed devices based upon business needs. Tiering storage or archiving data to meet regulatory requirements are examples of ILM at work. To protect data integrity and confidentiality, storage managers now realize that copying and transporting private data MUST be supported with strong security. As ESG has often stated, without security, ILM is DOA. Regulatory compliance demands internal controls and reporting. Government regulations such as the Sarbanes-Oxley Act of 2002 make companies accountable for disclosing who touched the storage systems and what they did. This requirement means that companies must adopt formal processes, hardened configurations, role-based administration, and continuous event logging. Storage professionals recognize that they must change their informal ways or risk having their corporate executives face stiff fines or an unwanted vacation in the jailhouse. IT managers and personnel aren t the only ones that need to embrace storage security. The storage industry must understand that security is rapidly becoming the price of admission. Even well-entrenched vendors will find themselves on the street if they don t enhance products and services with adequate security defenses

3 Security Is a Standard Operating Procedure at Hitachi Data Systems Some storage vendors are beginning to see the security light, while others will continue to resist any changes and be dragged into security kicking and screaming over time. Hitachi Data Systems is an exception to these profiles. The company, along with its parent Hitachi, Ltd., has always included security requirements in its product design, customer support, and corporate culture. Hitachi: Includes security in product requirements. The Hitachi Data Systems Technology Office (TO) is responsible for identifying security requirements and including them in product development plans. Much of the planning here is accomplished by reviewing regulatory requirements and mapping them to security frameworks such as ISO 17799, COSO, and CobiT. For example, because SOX has a heavy focus on accountability, Hitachi Data Systems is enhancing its product offerings with technical features for authentication, authorization, and event logging. The company is constantly assessing more esoteric user needs as well to determine if any particular customer set or industry has a specific security requirement. For example, the convergence of security and virtualization requirements led Hitachi Data Systems to choose a controller-based virtualization approach to avoid potential security exposures associated with injecting agents between applications and storage, cracking data packets and redirecting I/O. In general, Hitachi Data Systems believes that security, like quality, should be a part of the product, and that core security functionality is not something that costs extra. Incorporates security phase reviews and testing in the development process. Hitachi, Ltd., with Hitachi Data Systems guidance, has embraced the ISO/IEC 21827:2002 Systems Security Engineering Capability Maturity Model (SSE-CCM) to introduce security best practices in product development projects. This standard is evident in development phase reviews where security requirements are just as important as product enhancements. Security testing has also transitioned from an ad hoc process to a formal phase in the QA cycle. Trains storage developers on security. Hitachi, Ltd., has a series of training sessions around security awareness and best practices that engineers are required to attend on an annual basis. Hitachi Data Systems is also deeply involved with the Storage Networking Industry Association (SNIA) and makes the SNIA tutorial available to Hitachi Data Systems and Hitachi, Ltd., personnel regularly. Actively participates in leading global security organizations. Hitachi Data Systems affiliations read like a who s who list of leading security and technology organizations. Some examples include the Trusted Computing Group (TCG), the Institute of Electrical and Electronic Engineers (IEEE) Security in Storage Working Group (P1619), and the International Committee for Information Technology Standards (INCITS) T11 and CS1 (Fibre Channel Security Protocol and Cyber Security). Hitachi is also heavily involved with both the U.S. and Japanese Computer Emergency Response Teams (CERTs), which help identify and alleviate security attacks in realtime. Employs a dedicated Storage Security Strategist. Hitachi Data Systems is the only storage company with a certified security practitioner who serves as the company s subject matter expert on storage security. The Strategist s responsibilities include working with executive management, guiding the Hitachi Data Systems and Hitachi, Ltd., development teams on issues related to storage security, assisting the product management group with all forms of security matters, monitoring the security testing activities, coordinating participation in industry security organizations and standards boards, and communicating with customers. This expertise has helped Hitachi Data Systems stay ahead of user requirements and achieve a position of storage security leadership

4 Hitachi Data Systems Security at Work Hitachi s dedication to security extends beyond its organization, processes, and affiliations. Hitachi Data Systems products are shipped compliance ready, meaning that they are designed to provide the security features necessary to adhere to regulatory requirements. Some of the more notable security features include: A design that separates device management interfaces from the data. One of the easiest ways to breach a storage device is through its IP-based management interface. Since many companies leave their security systems wide open on the corporate LAN, a bad guy simply needs basic IP address scanning tools or SNMP MIB information to break in. If the goal is basic electronic vandalism, a black hat can launch a DOS attack at the IP port and bring the system to its knees. Hitachi Data Systems has eliminated these risks by denying the device management interface from viewing the data, preventing intellectual property theft. In addition, a DOS attack may slow performance, but Hitachi Data Systems security features will prevent storage systems from crashing. A design for secure password management. Today s Hitachi Data Systems devices manage passwords internally, but the company has its sights set on secure authentication, authorization, and auditing (AAA) in the near future. The company plans to move to role-based access control that prevents anyone from logging into its systems as Root or Administrator. This promotes separation of duties and provides an audit trail to determine who did what. Hitachi Data Systems can dump its logs into an external logging server today but plans to support transactional-based standard Syslog soon. The company also plans to plug into existing authentication infrastructures based on standards such as RADIUS, Kerberos, and 2-factor tokens. Support for SMI-S. Hitachi s management platform supports SMI-S 1.0, which provides secure communications between devices and management servers via SSL v3. Hitachi Data Systems will soon introduce support for SMI-S 1.1 with secure communication using TLS 1.0. SMI-S 1.1 also establishes support for the concept of storage realms, which enables the secure management of multiple storage domains. Multiple administrators will be able to manage their turf without stepping on the toes or peering over the shoulders of others. Secure remote management. Hitachi Data Systems remote support depends on an analog modem today, but the company does offer its customers ways to build secure point-to-point connections through a modem bank to prevent tampering. In addition, Hitachi Data Systems storage systems will provide only device status data through the remote connection, not access to production data. Hitachi will support IP-based remote support in the near future so it can take advantage of standard IP security technologies such as VLANs and IP-Sec. In the meantime, IT administrators can view Hitachi Data Systems management systems securely today, since the company s platforms support secure communications using HTTPS over SSL. Hitachi Data Systems is also planning to support the Fibre Channel Security Protocol (FC-SP) as soon as possible. The company estimates that the standard will receive ANSI ratification in early 2006 and is committed to having its products FC-SP compliant in a matter of months afterward

5 Bottom Line. Storage professionals and vendors are slowly and begrudgingly recognizing that security is a necessity. But at Hitachi, the company has had a commitment to security in its engineering and business processes for years. The result of this dedication can be seen in the company s compliance ready products and ongoing commitment to enhancing security capabilities in future product releases and integrating with common enterprise security infrastructure. ESG views Hitachi Data Systems as a storage security pioneer today and believes it will continue to maintain a leadership role for the industry in the future