Security in conventional data communications networks attempts to safeguard data access by implementing both authorization and encryption technologies. Authentication procedures verify that data access between two end points is approved. Encryption ensures that only bona fide senders and receivers will be able to render encrypted data intelligible. Conventional data security techniques are primarily focused on protecting data in flight, as it traverses the network from, for example, a server to a workstation. If the data in flight is intercepted, diverted or copied, the security breach may allow unauthorized access to or corruption of sensitive corporate or personal information.
For storage environments, data transactions between servers and storage arrays or tape devices are also vulnerable to in-flight interception. In addition, however, security for storage area networks must provide means to safeguard data at rest, that is, after the data is written to disk or tape. This added requirement has generated new security solutions that attempt to protect storage data through its entire cycle of data retrieval and repose. This paper examines the unique characteristics of SANs and security techniques required to safeguard storage assets.
Storage area networking is a technology that enables high availability and high performance access between servers and storage devices. First formulated as American National Standards Institute (ANSI) standards in the early 1990s and now widely adopted by all major institutions and enterprises, SANs have displaced earlier storage connections which bound individual storage arrays to individual servers. By placing both servers and storage assets on a dedicated network, it is possible to redirect storage access from one server to another, thus facilitating high availability data access. It also enables administrators to add additional storage capacity without disrupting on-going production.
SAN technology was originally based on the Fibre Channel protocol and transport. Fibre Channel was the first high performance transport to deliver the gigabit speeds required for moving large amounts of storage data. The common analogy differentiating storage networking from conventional LAN and WAN networking is that while LANs and WANs move cars (packets) of data along highway lanes, SANs move freight train loads of data over high performance channels. Today, Fibre Channel SANs can provide 4 Gbps and 10 Gbps performance, while the vast majority of LAN technologies are still implemented at 1 Gbps (Gigabit Ethernet) or 100 Mbps (Fast Ethernet) speeds to workstations, with 10 Gbps links providing the network backbone.
As shown in Figure 1, data center SAN configurations are typically deployed for high availability data access. Each server and storage array is connected to fabric directors or switches for alternate pathing. If an individual link, port or switch fails, servers still have access to their designated storage targets. Fibre Channel directors are designed to provide 99.999 percent availability, or ~ 5.39 minutes of downtime in a given year.
Figure 1: A data center SAN provides alternate pathing for high availability
For moderate performance requirements, new IP-based storage network protocols such as iSCSI provide a means to move blocks of storage data over traditional TCP/IP network infrastructures. Given the notorious vulnerability of TCP/IP networks to disruption and latency, however, iSCSI must address the inherent contradiction between the deterministic performance required by storage applications and the non-deterministic nature of IP networks. From a security standpoint, iSCSI benefits from decades of development of IP Security (IPsec) and other IETF standards that provide auxiliary mechanisms to safeguard IP data transport.
Because all applications and data ultimately reside on some form of spinning media, maintaining the high availability and integrity of storage data is fundamental to all IT operations. SANs have generated a wide spectrum of solutions for assuring continuous storage access, including server clustering, failover, point-in-time data copies, data backup, and disaster recovery. At the same time, SANs have helped reduce operational costs by facilitating consolidation of storage assets (fewer but larger storage arrays) and streamlining backup processes. The end-user value of SAN technology is so clearly established that every major enterprise worldwide is now running its storage data on the basis of a storage area network.