Security Baselines for Enterprise Storage Systems: Is Yours Being Followed?
“You want storage devices to be configured in a certain way… that doesn’t always happen the way it’s supposed to,” George, global head of storage at a leading international bank, told me in a recent conversation. “For example, the FTP example you’ve shown me; we don’t need FTP on our storage devices, so why is it enabled?” he continued. George is not alone. Many storage teams struggle to keep storage systems configured according to the defined security baseline, i.e., the fundamental configuration that every storage device is expected to meet in order to be considered secure.
An enterprise organization typically runs hundreds to thousands of storage devices: disk arrays, Fibre Channel switches, data protection appliances, storage management servers, storage virtualization systems and others. They come in all shapes and sizes, from different vendors, with different models, versions, operating systems, CLIs and APIs. Keeping track of the current security best practices and known vulnerabilities for all of these variants is hard. Validating the configuration of a large, heterogeneous storage environment on an ongoing basis is harder still. Configuration management and CMDB tools offer poor coverage of the storage environment, both in terms of which storage vendors they support and in terms of understanding storage-specific concepts: the storage OS, storage objects, storage access control, storage networking, the storage command set and so on.
So how can adherence to a security baseline be verified? Let’s explore the options.
Periodic manual configuration assessments. Internal or external subject-matter experts review storage configurations by hand. This is labor-intensive and costly in FTE terms; in a large-scale enterprise environment it is simply not feasible. The analysis is also limited by the knowledge of the SME conducting the review, which may not cover all of your devices or may not be entirely up to date. Finally, and most significantly, it leaves you exposed between assessments, i.e., most of the time.
Home-grown scripts. Some organizations develop their own scripts (Linux shell, PowerShell, Python, Perl, etc.) to check the configuration of the storage estate. This automates the assessment and is superior to periodic manual reviews, but it is still far from sufficient. Keeping the scripts current requires continuous research into the latest vendor guidelines, and they often break when a new storage OS or software version is released, requiring heavy maintenance. A script rarely runs reliably across a large, geo-dispersed storage environment or reports back in an orderly fashion on what executed successfully and what did not. It does not integrate with other IT systems such as ServiceNow, CyberArk or PowerBroker. It frequently introduces a security risk of its own: the admin password is hard-coded in plaintext within the script. Some systems simply do not support non-interactive shell access, which rules scripting out entirely. Perhaps the biggest disadvantage: home-grown scripts are very commonly created and maintained as a professional hobby by a single administrator on the team; when that individual is unavailable or leaves the company, the knowledge is lost and soon so is the ability to run the scripts. In short, while a step up from manual assessments, this approach is either not good enough or a nightmare to maintain.
Commercial configuration analysis solutions. A vendor solution that automatically gathers and analyzes the security configuration of your storage systems. The better ones support a wide range of storage platforms and include a continuously updated knowledgebase of security configuration recommendations drawn from vendor best practices, community insights, industry standards and similar sources. Another key capability is custom checks: even if a particular baseline requirement is not covered by the built-in knowledgebase, you still benefit from the manageability, scalability and security features of the solution, as well as any integration it offers with ITSM tools such as ServiceNow and HP Service Desk. Of course, this kind of software requires a license and therefore comes with a cost.
Our Data Security Advisor (DSA) solution belongs to the third group. We believe storage administrators should be users of storage security analysis tools, not developers of them. DSA gathers the security configuration details from storage systems by Dell EMC, Hitachi, HPE, NetApp, IBM, Cisco, Brocade, Infinidat and more. DSA lets you define your security policy using built-in templates or a custom policy, and then analyzes the collected configuration against that policy. DSA includes out-of-the-box, tunable checks for protocols, DNS settings, cipher suites, NTP configuration, users and roles, IP filters, Active Directory, data encryption at rest and in transit, certificates, password policies, SSH keys, audit logging, zoning, masking, port configuration, CVE detection, FC policies, remote support settings, hashing, file shares, SNMP, NDMP, anonymous user access, timeout configuration, ransomware and malware protection, and many more settings. The results of the analysis can be viewed in simple pass/fail reports, overall and with a per-device summary, and violations can be received by email or sent to your preferred incident management system (e.g., ServiceNow, BMC Remedy). DSA can also easily be extended to collect and analyze additional storage configuration items if needed. In addition to its built-in knowledgebase of checks, DSA detects and tracks changes to the storage security configuration on a daily basis, helping to identify unplanned or incorrect changes that may put storage systems at risk.
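To make concrete what a baseline check and daily change tracking involve, whether done by a home-grown script or by a commercial tool, here is a small added example written for this article. It is not DSA’s code and does not use any real storage vendor’s CLI or API: the two device snapshots and the flattened key names (such as protocols.ftp.enabled) are constructed assumptions standing in for collector output. It keeps the baseline as data so custom checks are cheap to add, reports settings that could not be collected instead of silently passing them (the failure mode a new OS version typically triggers), and diffs two collections of the same device to surface drift:

```python
"""Policy-driven baseline check over storage device configurations.

Added example for this article: not DSA's code and not any real storage
CLI's schema. Snapshots and key names are constructed for illustration.
"""
import json

# Constructed snapshots, as a collector might normalise them after parsing
# vendor CLI/API output into flat key/value pairs. Credentials used for the
# collection step belong in a vault or the environment, never in this file.
DEVICES = {
    "array-01": {
        "protocols.ftp.enabled": "true",
        "protocols.telnet.enabled": "false",
        "ntp.servers": "10.0.0.5,10.0.0.6",
        "ssh.ciphers": "aes256-ctr,aes128-ctr",
        "snmp.community": "public",
        "audit.logging.enabled": "true",
    },
    "array-02": {
        "protocols.ftp.enabled": "false",
        "protocols.telnet.enabled": "false",
        "ntp.servers": "",
        "ssh.ciphers": "aes256-gcm@openssh.com,3des-cbc",
        # snmp.community deliberately absent: simulates a newer OS version
        # whose output the collector does not yet parse.
        "audit.logging.enabled": "true",
    },
}

# Cipher names this example's policy treats as weak (assumption).
WEAK_CIPHERS = {"3des-cbc", "arcfour", "blowfish-cbc", "aes128-cbc"}

def is_false(value: str) -> bool:
    return value.strip().lower() == "false"

def is_true(value: str) -> bool:
    return value.strip().lower() == "true"

def non_empty(value: str) -> bool:
    return bool(value.strip())

def no_weak_ciphers(value: str) -> bool:
    return not ({c.strip() for c in value.split(",")} & WEAK_CIPHERS)

def not_default_community(value: str) -> bool:
    return value.strip().lower() not in {"public", "private"}

# The baseline as data: (check id, config key, predicate, description).
POLICY = [
    ("PROTO-01", "protocols.ftp.enabled", is_false, "FTP must be disabled"),
    ("PROTO-02", "protocols.telnet.enabled", is_false, "Telnet must be disabled"),
    ("NTP-01", "ntp.servers", non_empty, "At least one NTP server configured"),
    ("SSH-01", "ssh.ciphers", no_weak_ciphers, "No weak SSH ciphers offered"),
    ("SNMP-01", "snmp.community", not_default_community, "No default SNMP community"),
    ("AUDIT-01", "audit.logging.enabled", is_true, "Audit logging enabled"),
]

def evaluate(config: dict) -> dict:
    """Map each check id to 'pass', 'fail' or 'not_collected' for one device.

    A missing key is 'not_collected', never 'pass', so a collector broken by
    a new OS version shows up in the report instead of hiding a regression.
    """
    results = {}
    for check_id, key, predicate, _ in POLICY:
        if key not in config:
            results[check_id] = "not_collected"
        else:
            results[check_id] = "pass" if predicate(config[key]) else "fail"
    return results

def report(devices: dict) -> dict:
    """Per-device results plus an overall pass/fail/not_collected summary."""
    per_device = {name: evaluate(cfg) for name, cfg in devices.items()}
    summary = {"pass": 0, "fail": 0, "not_collected": 0}
    for results in per_device.values():
        for status in results.values():
            summary[status] += 1
    return {"devices": per_device, "summary": summary}

def diff_snapshots(previous: dict, current: dict) -> dict:
    """Drift detection: keys added, removed or changed between two
    collections of the same device (None marks an absent key)."""
    return {
        key: (previous.get(key), current.get(key))
        for key in sorted(set(previous) | set(current))
        if previous.get(key) != current.get(key)
    }

if __name__ == "__main__":
    print(json.dumps(report(DEVICES), indent=2))
    # Yesterday's snapshot of array-01 (constructed): FTP was still disabled.
    yesterday = dict(DEVICES["array-01"], **{"protocols.ftp.enabled": "false"})
    print("drift on array-01:", diff_snapshots(yesterday, DEVICES["array-01"]))
```

Run as-is, the report marks array-01’s FTP and default SNMP community as failures, array-02’s empty NTP list and 3des-cbc cipher as failures, and array-02’s SNMP check as not_collected; the drift diff shows FTP flipping from false to true on array-01, which is exactly the unplanned change a daily comparison is meant to catch. The hard parts a real deployment adds are the per-vendor collectors that produce these snapshots, credential handling through a vault, and routing violations into a ticketing system.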
Data Security Advisor can be used as an integral part of your ongoing security program or for a one-time health check (assessment). Contact us to learn more about Data Security Advisor.
* Additional resources and recommended reading
The term “baseline” may have different meanings depending on the context. What is a security baseline?
In a nutshell, it is the minimum set of configurations and controls to ensure the security of a device. The baseline can be high-level guidance or technical configuration guidance. Baselines are created by commercial organizations, governments, vendors and non-profit subject-matter institutions.
Here are several alternate publicly available definitions:
Baseline Examples –
Vendor baseline / Guidance:
National Checklist Program Repository (Technical)
COBIT (High Level)