Scale-out storage technologies create special security challenges

Key Challenges

  • Consolidating large amounts of information by applying scale-out storage technologies presents a large target for ill-intentioned mischief from users and administrators.
  • Moving from a traditional storage array with a limited set of workloads to a scale-out storage topology with diverse workloads challenges compliance enforcement.
  • The lack of a centralized encryption solution for private scale-out storage infrastructure is resulting in multiple security solutions being deployed.

Recommendations

  • When carrying out threat analysis for applications hosted in a private cloud, security teams should consult the storage teams of the business units concerned to understand underlying storage security requirements and risks.
  • Wrest control of data that is being generated outside the perimeter of the internal cloud. For data generated or accessed outside the internal cloud, storage security policies must be enforced the same way as if the data were on premises.
  • Storage security must be offered as a service in the service catalogue. Consider integrating security solutions with the orchestration and automation layers of the cloud architecture.
  • Consider deploying a storage security solution based on standards such as KMIP.

Introduction


Securing a scale-out storage infrastructure presents unique challenges for organizations that are migrating from traditional storage array implementations as part of key initiatives such as private clouds. For example, traditional topologies allow isolation of workloads onto separate hardware platforms, which provides de facto physical security between storage arrays and the workloads that live on them. This provides an easy solution for separating business unit data and workloads from a commingling, access and administrative perspective. Such physical separation enables limitations on logical accessibility by providing a boundary around which to define security policies and enforcement. In addition, when staffing allows, administration can be compartmentalized to further isolate access to sensitive storage workloads. In contrast, when private cloud storage, realized using scale-out technologies, replaces conventional storage arrays, workloads will reside on a common physical infrastructure. The consolidation of diverse workloads exposes data to new risk factors, if for no other reason than that they reside on the same physical hardware. Examples of these new risks can be categorized as follows:

Organizational, user and administration concerns that include:

  • Consolidating large amounts of information on scale-out storage presents a large target for ill-intentioned mischief from users and administrators.
  • Expansive administration control over many sets and types of data may result in potential security loopholes due to insufficient awareness of sensitive data and the application of generic security protocols and policies.
  • Easier data access by many users could result in data breaches by determined attackers due to the large attack surface of the consolidated storage environment.

Physical infrastructure and implementation concerns that include:

  • Eliminating data leakage due to remnant data when replacing disks will require special disk handling procedures.
  • The lack of a centralized encryption solution for private scale-out storage infrastructure may require tailored security solutions.
  • Storage consolidation will complicate security audit processes due to the overlap or absence of access authorities.
  • The creation of an isolated security zone apart from the network and compute layers due to gaps in integrated security solutions.

Workload and data management concerns that include:

  • Regulatory compliance enforcement may be difficult due to the lack of granularity of policy enforcement capabilities of a scale-out storage solution.
  • Encryption technologies interfering with compression and de-duplication.
  • Multiple data types require multiple encryption and key management solutions.
  • Persistence of storage-level security when data moves to other lower tiers such as backup and archive.

Neglecting these risks can lead to unfortunate data breaches at the worst, and inadvertent data loss at the best, due to administrator overreach or user error or mischief.
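
The interference between encryption and compression or de-duplication listed under the workload and data management concerns can be measured directly. The following Python sketch is an added example, not part of the original article; the 4 KiB block size, the constructed workload and the `toy_encrypt` stand-in cipher (SHA-256 in counter mode, chosen only because it needs no third-party library) are assumptions.

```python
import hashlib
import os
import zlib

BLOCK = 4096  # de-duplication block size in bytes (assumed for this example)


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), not for production.
    It reproduces the one property that matters here: random-looking output."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def dedup_ratio(blocks) -> float:
    """Logical blocks divided by unique blocks, fingerprinted with SHA-256."""
    unique = {hashlib.sha256(b).digest() for b in blocks}
    return len(blocks) / len(unique)


def compress_ratio(data: bytes) -> float:
    """Original size divided by zlib-compressed size."""
    return len(data) / len(zlib.compress(data, 6))


def measure() -> dict:
    # Constructed workload: 4 distinct text blocks, each stored 8 times.
    distinct = [(f"tenant-{n} quarterly report line\n".encode() * 200)[:BLOCK]
                for n in range(4)]
    plain_blocks = distinct * 8
    key = os.urandom(32)
    # Encryption above the storage layer: a fresh random nonce per block,
    # so identical plaintext blocks no longer produce identical stored blocks.
    enc_blocks = [toy_encrypt(key, os.urandom(16), b) for b in plain_blocks]
    return {
        "plain_dedup": dedup_ratio(plain_blocks),
        "plain_compress": compress_ratio(b"".join(plain_blocks)),
        "enc_dedup": dedup_ratio(enc_blocks),
        "enc_compress": compress_ratio(b"".join(enc_blocks)),
    }


if __name__ == "__main__":
    for name, value in measure().items():
        print(f"{name}: {value:.2f}")
```

The savings survive only when data reduction runs on plaintext, so the point in the stack at which encryption is applied belongs in the storage design discussion.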

Analysis


CIOs should create a cross-discipline team of security, storage and information management experts to define security and data management protocols

During the planning phase of a scale-out storage deployment, the security and information management team must work with the application owners and storage teams of each business unit to identify possible internal and external threats. A threat model can then be developed based on these inputs.

Recommendations:

  • Sensitive applications must be identified and isolated at logical and physical levels to ensure they meet regulatory and compliance requirements, if any. This simplifies the security audit process.
  • Storage teams must collaborate with application owners and security teams to identify and document the guidelines for decommissioning storage systems to ensure compliance.
  • During the planning phase, identify storage administrators and end users who are required to have elevated privileges. Implement role-based access controls at the storage level to contain unwanted access to the storage infrastructure.

Create specific workload and information protection SLAs to bucketize security and data protection requirements

Based on inputs from the enterprise information team and application owners, the storage team must identify the application workloads and their information protection SLAs. They must use this information to design a secure, granular and compliant scale-out storage solution. The scale-out storage architecture must allow for deep integration with the management and orchestration layers to allow for automation of frequent secure storage requests.

Recommendations:

  • Consider using object-based storage – Object-based storage can be considered as an alternative to traditional file and block storage when storing large datasets across hybrid storage environments. Since each object has a unique ID, granular security can be achieved in a multi-tenant environment within a single large namespace. Most object-based storage appliances offer integration with public cloud storage, such as AWS S3 APIs and SWIFT APIs for OpenStack, and ensure encrypted communication via gateways.
  • Provide encryption as a service in the service catalogue – The internal cloud should allow end users or storage administrators to request encrypted storage resources from a self-service portal. Cloud architects must work with storage teams to identify the secure storage options that end users request most frequently. These can be encrypted file storage options for securing confidential project documents, or secure storage associated with VMs. The process of applying the access controls, encryption method and authentication type should be built into the orchestration layer, which automates the storage provisioning request.
  • Deploy a standards-based security solution – In a private or a hybrid cloud environment, encryption requirements for individual business units can vary or be non-existent. In many cases, multiple encryption and key management solutions are deployed for file storage, block storage or databases. Each of these solutions is based on proprietary technologies rather than on standards. Key management in such environments becomes extremely complex. When selecting a key management solution, ensure that the vendor supports standards such as KMIP (Key Management Interoperability Protocol). This will help in consolidating and simplifying multiple key management appliances and will integrate well with encryption products.

Procure scale-out solutions with well-defined data protection, storage efficiency and availability capabilities

Since scale-out storage systems are used for consolidation efforts, security, availability and management features become important criteria during vendor selection. Consider vendors that offer advanced features that simplify data protection and security management.

Recommendations:

  • IT security teams or storage administrators must run periodic antivirus scans on centralized NAS storage appliances. Customers can choose either off-board antivirus scanners or onboard antivirus scanners that are part of the appliance to ensure protection against malware on storage networks. Favor vendors that offer antivirus scanners built into the storage appliance without compromising performance.
  • When selecting an object storage vendor, consider features such as metadata management, encryption, versioning, replication and ACLs.

Ensure compliance for data that reside outside the scale-out storage infrastructure

Information protection SLAs are applicable throughout the life of the data. Backup data and data replicated to the DR site are equally vulnerable and must have the same protection requirements as if they were on the primary scale-out storage. Data that is cached in remote or branch offices must be identified, and appropriate security policies must be enforced.

Recommendations:

  • Backup data, archive data and data that is replicated to the DR site must be treated as an extension of the private cloud storage infrastructure. Backup teams must enable the security team by providing sufficient information on aspects such as current backup architecture and retention policies.
  • Security teams and storage teams must treat remote office or branch office storage as an extension of the internal cloud. They must identify potential risks associated with these storage appliances and identify suitable security solutions to protect this data. This also applies to environments that use hybrid cloud storage, where some use cases such as file storage are hosted on public clouds and are accessed by multiple sites.
