SAN security best practices
Robust SAN security requires multi-layered protection: strong access controls, continuous monitoring, encryption and zero-trust architecture to safeguard critical data.
Your organization almost certainly relies on storage area network (SAN) technology to meet its business goals. A SAN consolidates block storage so that data can be stored, backed up and served to hosts when it is needed. And, like almost every mission-critical technology today, it must be protected using the best available security practices and technologies.
This article provides timely guidance on how to protect the confidentiality, integrity and availability of data using SAN technology. This is especially important for IT leaders who wish to demonstrate compliance with major national and international standards and regulations.
Why SAN security matters
SANs occupy a unique position in the storage ecosystem: they move vast amounts of data among many servers and storage devices. A single breach of the fabric can therefore expose or disrupt multiple systems at once, so security measures must be robust and multi-layered to minimize both the likelihood of an attack and its blast radius.
Among the security issues that must be addressed are data ingress and egress points, access management, identifying and mitigating vulnerabilities, secure and continuous monitoring of network traffic, protecting storage devices from damage or theft, and ensuring that data in motion and at rest is encrypted.
Data protection is a core principle of establishing and maintaining a secure SAN environment. Properly implemented, a layered security infrastructure helps detect malicious activity in the fabric and limits the impact of attacks that target storage directly, such as ransomware, as well as attacks that arrive through the wider environment, such as phishing and distributed denial-of-service (DDoS) attacks.
Best SAN security practices
The following section presents activities that help a SAN infrastructure withstand and respond to a broad spectrum of security issues.
- SAN access control and authentication. Strong access controls and multi-factor authentication on switch, array and management-server logins reduce the likelihood of an access breach. Centralize identity management by integrating SAN management interfaces with an enterprise directory such as Active Directory (typically through LDAP, RADIUS or TACACS+) rather than maintaining local accounts on each device, and use role-based access control so that, for example, an operator who monitors the fabric cannot change zoning. Apply the principle of least privilege to every SAN element, including the service accounts used by backup and orchestration tools.
- Identification and mapping of SAN entry points. Before the fabric can be monitored or hardened, inventory every component that connects to it: storage arrays, hosts and their host bus adapters (HBAs), switches, inter-switch links and management interfaces. Record each port's World Wide Name (WWN) and periodically compare the inventory against the switch name server and the active zoning configuration so that unexpected devices stand out. This inventory is the foundation of SAN fabric security.
- Monitoring and threat detection. Without continuous monitoring, attacks and misconfigurations go unnoticed. Enable event logging on switches and arrays, forward it to a central log platform or SIEM, and generate audit trails for administrative actions such as zoning and LUN masking changes and for login failures.
- Identify likely SAN threat vectors. Potential attack vectors include misconfigured LUN (logical unit) masking that presents volumes to hosts that should not see them, unencrypted data paths, and unauthorized or accidental zoning changes in Fibre Channel fabrics. Knowing where attacks are most likely to occur shows where hardening effort should be focused.
- Network segmentation and isolation. To prevent SAN traffic from mixing with general network traffic, which could expose the storage network to malware or unauthorized hosts, segment and isolate it: dedicated VLANs or physically separate networks for iSCSI, and firewalls or access control lists around the management network.
- Implement hardening of Fibre Channel and iSCSI networks. Minimize the likelihood of exploitation with dedicated SAN infrastructure, secured switch configurations (unused ports disabled, default credentials removed, the default zone set to deny) and tightly scoped zoning and LUN masking. For iSCSI, require CHAP authentication between initiators and targets (mutual CHAP where supported) and consider IPsec if storage traffic must cross a network you do not fully control.
- Implement data-in-motion and data-at-rest encryption. Encryption at rest, whether through self-encrypting drives or array-level encryption, protects data even if drives or arrays are lost, stolen or improperly decommissioned. Encryption in flight does not prevent interception on Fibre Channel or iSCSI links, but it renders intercepted traffic useless to an attacker. End-to-end encryption, with keys held outside the storage layer, provides the strongest confidentiality, but plan key management carefully: losing the keys is equivalent to losing the data.
- Restrict physical access to SAN components. Limit access to authorized SAN technicians, secure the area that houses switches, cabling and storage arrays, and consider CCTV cameras and motion detectors to detect intruders.
- Establish a zero-trust environment. In a zero-trust model no host, administrator or management tool is trusted by default because of where it sits on the network; every request is authenticated and authorized, and only explicitly approved interactions are permitted. For a SAN this means deny-by-default zoning and masking, authenticated management sessions and verification of every device that joins the fabric.
- Deploy security management tools. Many products can monitor SAN activity, flag anomalous behavior such as unusual I/O patterns or unexpected configuration changes, and trigger a response, for example isolating a host from the fabric. These tools complement, rather than replace, the controls against phishing, DDoS and ransomware elsewhere in the environment. Systems using AI are particularly useful for baselining normal fabric behavior, surfacing anomalies and automating routine security management tasks.
- Compliance and governance. If specific security requirements are mandated by a regulation (such as the EU's GDPR) or a standard (such as ISO 27001), governance practices must be established so that SAN activities can demonstrate compliance where applicable. Cybersecurity policies should address SANs alongside other IT resources.
- Documented and tested incident response plan. Procedures must be in place to detect, assess and respond to SAN security incidents, including the recovery of storage from clean backups. Such plans should be documented and periodically tested, along with other security management activities.
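Several of the practices above (mapping SAN entry points, identifying threat vectors such as misconfigured LUN masking and zoning changes, and least-privilege access) can be checked mechanically once a fabric inventory exists. The following Python script is an added example, not code from the original article or from any storage vendor: it audits a constructed, vendor-neutral zoning configuration and LUN mapping for a permissive default zone, multi-initiator zones, zone members nobody can account for, and LUNs presented to hosts outside their approved mapping. The WWPNs, zone names and data structures are assumptions chosen for illustration; in practice the inputs would come from the switch name server, the active zone set and the array's host groups.

```python
"""Audit SAN zoning and LUN masking for common misconfigurations.

Added example, not code from the original article. The fabric data below is
constructed and vendor-neutral; real checks would read the switch name
server, the active zone set and the array's host groups.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    wwpn: str   # port World Wide Name as registered in the fabric name server
    name: str   # host or array port label from the inventory
    role: str   # "initiator" (host HBA) or "target" (array port)


@dataclass(frozen=True)
class Finding:
    severity: str
    subject: str   # zone name or LUN id
    message: str


def audit_zoning(zones, inventory, default_zone_permit):
    """Check the active zone set against the device inventory.

    zones: zone name -> list of member WWPNs
    inventory: WWPN -> Device
    default_zone_permit: True if unzoned devices are allowed to see each other
    """
    findings = []
    if default_zone_permit:
        findings.append(Finding("high", "<default zone>",
                                "default zone permits any-to-any access; set it to deny"))
    for zone, members in zones.items():
        by_role = {"initiator": [], "target": [], "unknown": []}
        for wwpn in members:
            dev = inventory.get(wwpn)
            by_role[dev.role if dev else "unknown"].append(wwpn)
        if by_role["unknown"]:
            findings.append(Finding("high", zone,
                                    f"members not in inventory (stale or rogue WWPN): {by_role['unknown']}"))
        if len(by_role["initiator"]) > 1:
            findings.append(Finding("medium", zone,
                                    "more than one initiator; use single-initiator zoning"))
        if not by_role["target"]:
            findings.append(Finding("low", zone, "no target port in zone; probably stale"))
    return findings


def audit_lun_masking(presented, expected):
    """Compare what the array actually presents with what the CMDB says it should.

    presented: LUN id -> set of initiator WWPNs the array exposes it to
    expected: LUN id -> set of initiator WWPNs that should see it
    """
    findings = []
    for lun, hosts in presented.items():
        extra = hosts - expected.get(lun, set())
        if extra:
            findings.append(Finding("high", lun,
                                    f"LUN presented to hosts outside its approved mapping: {sorted(extra)}"))
    return findings


# Constructed sample fabric (WWPNs are illustrative, not real devices).
DB01 = "10:00:00:00:c9:aa:00:01"
WEB01 = "10:00:00:00:c9:aa:00:02"
ARR_P0 = "50:06:01:60:3b:20:00:01"
ARR_P1 = "50:06:01:60:3b:20:00:02"

INVENTORY = {
    DB01: Device(DB01, "db01-hba0", "initiator"),
    WEB01: Device(WEB01, "web01-hba0", "initiator"),
    ARR_P0: Device(ARR_P0, "array1-p0", "target"),
    ARR_P1: Device(ARR_P1, "array1-p1", "target"),
}
ZONES = {
    "z_db01_array1": [DB01, ARR_P0],                   # clean single-initiator zone
    "z_shared_array1": [WEB01, DB01, ARR_P1],          # two initiators in one zone
    "z_legacy": ["10:00:00:00:c9:ff:ff:ff", ARR_P0],   # WWPN nobody can account for
    "z_stale": [WEB01],                                # host-only zone left behind
}
PRESENTED = {"LUN0": {DB01, WEB01}, "LUN1": {DB01}}   # what the array exposes
EXPECTED = {"LUN0": {DB01}, "LUN1": {DB01}}           # what the CMDB approves


def run_audit():
    """Run both audits over the sample fabric and return all findings."""
    return (audit_zoning(ZONES, INVENTORY, default_zone_permit=True)
            + audit_lun_masking(PRESENTED, EXPECTED))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity:6}] {f.subject}: {f.message}")
```

Run as a script, the sample fabric produces five findings: the permissive default zone, the multi-initiator zone, the unaccounted-for WWPN, the target-less stale zone, and LUN0 being visible to web01. The same checks run unchanged against a clean fabric and return nothing, which is what makes them suitable for a scheduled job that pages only on drift.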
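The monitoring item above calls for audit trails of administrative actions and login failures. As an added example, not code from the original article, the Python script below runs simple detection rules over constructed, syslog-style audit lines from a hypothetical Fibre Channel switch: a zoning change outside an approved change window, a zoning change from an address outside the administrative network, and a burst of failed logins against one account. The line format, event names, addresses and change window are all assumptions; a real deployment would adapt the parser to the switch vendor's log format and forward the alerts to the SIEM.

```python
"""Detect risky SAN administrative activity in fabric switch audit logs.

Added example, not code from the original article. The log lines and their
key=value layout are constructed for illustration; real switches emit
vendor-specific syslog, so LINE_RE would be adapted to that format.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) AUDIT user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) detail=(?P<detail>\S+)$"
)
# Assumed event names for actions that change who can talk to whom on the fabric.
ZONE_EVENTS = {"ZONE_ADD", "ZONE_REMOVE", "ZONE_CFG_COMMIT", "DEFAULT_ZONE_PERMIT"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines, change_windows, admin_net, fail_threshold=3,
           fail_window=timedelta(minutes=5)):
    """Return a list of (rule, description) alerts for the given audit lines.

    change_windows: list of (ticket, start, end) approved maintenance windows
    admin_net: ipaddress network from which administration is permitted
    """
    alerts = []
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            # An audit line we cannot parse is itself worth a look.
            alerts.append(("unparsed-audit-line", line))
            continue
        summary = (f'{ev["ts"].isoformat()} {ev["host"]} {ev["user"]}@{ev["src"]} '
                   f'{ev["event"]} {ev["detail"]}')
        if ev["event"] in ZONE_EVENTS:
            in_window = any(start <= ev["ts"] <= end for _, start, end in change_windows)
            if not in_window:
                alerts.append(("zone-change-outside-window", summary))
            if ipaddress.ip_address(ev["src"]) not in admin_net:
                alerts.append(("zone-change-from-untrusted-source", summary))
        elif ev["event"] == "LOGIN_FAIL":
            q = failures[(ev["user"], ev["src"])]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > fail_window:   # drop failures outside the window
                q.popleft()
            if len(q) == fail_threshold:                  # alert once when the burst is reached
                alerts.append(("login-bruteforce", summary))
    return alerts


# Constructed sample: one approved change, one unapproved change from outside the
# admin network, and a short burst of failed logins against the admin account.
SAMPLE_LINES = [
    "2024-05-02T02:14:07Z fcsw01 AUDIT user=admin src=10.20.0.15 event=ZONE_CFG_COMMIT detail=cfg_prod",
    "2024-05-02T09:31:44Z fcsw01 AUDIT user=svc_backup src=203.0.113.9 event=ZONE_ADD detail=z_tmp",
    "2024-05-02T11:00:01Z fcsw01 AUDIT user=admin src=198.51.100.7 event=LOGIN_FAIL detail=-",
    "2024-05-02T11:00:09Z fcsw01 AUDIT user=admin src=198.51.100.7 event=LOGIN_FAIL detail=-",
    "2024-05-02T11:00:20Z fcsw01 AUDIT user=admin src=198.51.100.7 event=LOGIN_FAIL detail=-",
    "2024-05-02T11:05:33Z fcsw01 AUDIT user=admin src=10.20.0.15 event=LOGIN_OK detail=-",
]
CHANGE_WINDOWS = [("CHG-1001",
                   datetime(2024, 5, 2, 2, 0, tzinfo=timezone.utc),
                   datetime(2024, 5, 2, 3, 0, tzinfo=timezone.utc))]
ADMIN_NET = ipaddress.ip_network("10.20.0.0/24")


def run_detection():
    """Run the rules over the constructed sample and return the alerts."""
    return detect(SAMPLE_LINES, CHANGE_WINDOWS, ADMIN_NET)


if __name__ == "__main__":
    for rule, description in run_detection():
        print(f"{rule}: {description}")
```

On the sample, the committed zone configuration at 02:14 is inside the approved window and from the admin network, so it is silent; the ZONE_ADD at 09:31 raises two alerts (outside any window, and from a non-admin address); and the third failed login within five minutes from the same source raises a brute-force alert. The change windows would normally be pulled from the change-management system so that approved work and unexpected work are distinguished automatically.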
Benefits and challenges of SAN security
The principal benefit of SAN security is keeping the enterprise in operation by preventing cyberattacks that could disrupt it. The following sections examine the pros and cons of SAN security.
Among the benefits of a robust SAN security program are the following:
- Protection of mission-critical data and systems in line with key data protection standards and regulations.
- Active responses to the growing number of cyberattacks and attack surfaces.
- Reduction in breaches that could impact the business and increase risks to its financial position.
- Compliance with key data governance, data protection and privacy standards and regulations.
- Improved operational resilience, with greater assurance of uptime and resource availability through stronger resistance to cyberattacks.
- Support for advanced technologies such as AI to streamline security.
Challenges to SAN security include the following:
- Potential complexity and difficulty implementing a security tool.
- Investments may be significant, causing budget issues.
- Performance may be impacted with the addition of technologies such as encryption, segmentation, continuous monitoring and advanced inspection.
- Maintaining compliance may require more frequent system updates and patching.
- Costs may increase due to the use of specialized hardware and software.
- Existing security employees may need additional training.
- New employees with specialized expertise may be needed.
- The effort required to build a resilient SAN infrastructure.
- Potential security weaknesses in SAN protocols; iSCSI, for example, runs over IP and inherits the exposure of any network it shares, and its CHAP authentication protects nothing unless it is actually enforced.
- The need to extend data center security controls to cover SAN components.
Decision criteria for SAN security
The following questions should be evaluated when addressing SAN security.
- Does the solution provide strong data protection attributes, such as encryption of data at rest and in motion, robust integrity controls and authenticated access?
- What access controls are needed, for example, role-based access control and LUN masking?
- Which SAN protocols, such as Fibre Channel or iSCSI, make the most sense?
- What resources are available for continuous monitoring?
- How are suspicious anomalies detected?
- What audit capabilities are available?
- How will SAN security additions impact network performance and throughput?
- What administrative actions will need to be added, such as updates to zoning or monitoring?
- How will new SAN security measures interface with existing security resources?
- How well can the current security team support the new SAN security tools?
- Will it be possible to demonstrate compliance with required regulations?
- What is the vendor's track record with the potential implementation?
- What issues will we face in computing the total cost of ownership?
While the benefits of a robust SAN security ecosystem are significant, decisions must be carefully examined on all sides of the issue.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.