S 2.353 Drawing up a security policy for SAN systems

Initiation responsibility: IT Security Officer, Top Management

Implementation responsibility: IT Security Officer

A SAN system is essential as a central data storage instance for some or many procedures and business processes in the organisation. Secure and correct operation can only be ensured when stationing, administration, and operation of the SAN systems are integrated into the existing security-related specifications.

The main security-related requirements and the security level to be attained are derived from the organisation-wide security policy and should be formulated in a security policy specifically for storage systems to specify and apply the higher-level and general security policy in the given context.

The basis for the appropriate definition of the requirements in the security policy is the protection requirements determination for all data to be stored in the SAN. This is the only document that can be used to derive the requirements regarding the availability, integrity, and confidentiality of the data and, correspondingly, the appropriate technical and organisational effort.

Since SAN systems contain a dedicated network, safeguard S 2.279 Drawing up a security policy for routers and switches must be taken into consideration first when drawing up a security policy for SAN systems. This safeguard presents the general security precautions for IT components in an internal network permitting access to information or other systems.

Additional aspects to be addressed in the security policy for an SAN system include:

Specifications for planning an SAN:

• Specifications for the technical infrastructure must be developed listing the SAN components to be used. The infrastructure available in the rooms in which SAN components will be stationed must be suited to fulfil the availability requirements of the SAN system.
• Specifications regulating external accesses (for maintenance purposes) must be defined. Since monitoring and maintenance contracts from suppliers of SAN components often require the storage system to be connected directly to the monitoring system of the manufacturer or supplier, it must be specified how such access will be controlled and logged.
• If very high protection requirements are determined for the availability, the use of a disaster-tolerant SAN configuration must be specified. If very high availability of the SAN is required, SPOFs (Single Points of Failure), which may result in the complete failure of the entire system, must be avoided. The operation of such a configuration must be supported by special test systems that can be used to check the effects of changes and software updates.

Specifications for the work of administrators:

• The scheme used to assign administration privileges for SAN components or the overall system must be documented. If possible, a role concept must be developed.
• Administrator roles must be defined possessing the rights necessary to perform the corresponding tasks. In particular, routine system administration tasks (performing backups, for example) should only be performed with the absolute minimum rights. The administrator IDs are then assigned roles. To reduce the effects of errors, users should only be allowed to work under an administrator ID when it is absolutely necessary.
• Administrative access must be secured at a minimum using strong passwords, but also using special procedures for user authentication, if necessary.
• The administration and control of SAN resources by the administrators and access for auditors to the systems should only be permitted locally via directly connected consoles, a separate administration network, or encrypted connections. Access to SAN resources must be restricted to defined systems and controlled by security gateways, for example.
• IT systems used as management consoles or for auditing purposes must be protected as strongly as possible against viruses and malware.
• It must be ensured that administrators are unable to perform any actions or change any settings on the SAN that may lead to inconsistencies, failures, or loss of data by dividing the tasks as prescribed, defining specifications and regulations, and keeping the documentation of the settings of all SAN components up-to-date at all times. Relevant changes must be documented. It is therefore recommended to implement a change management procedure, for example based on the ITIL (IT Infrastructure Library).
• It must be determined whether certain changes need to be double-checked.

Specifications for the installation and configuration of the SAN:

• The initial installation procedure must be documented. Since the initial installation is usually performed by the manufacturer or supplier, they must be required to provide the corresponding documentation.
• After installation, the default settings must be checked for security threats, insecure services on the LAN interfaces of SAN switches and storage devices must be disabled, and any changes to default IDs and passwords must be checked.
• The "System Console for SAN" function must be restricted to the minimum number of devices possible. Device accesses to SAN components via the LAN should only be permitted using encrypted connections. The number of users authorised to access the devices must be kept as small as possible. Rules for the use and configuration of consoles and the access mode restrictions must be documented.
• Regulations for the creation and maintenance of documentation and for the form of documentation (e.g. documented procedures for the configuration of administration IDs, instruction manuals for procedures, and checks to be performed during normal operation) must be specified.
• Specific methods of segmentation (see S 5.130 Protection of SANs by segmentation) should also be used in the SAN. This provides better protection of the subsections in the SAN - in terms of the confidentiality of the data as well as the integrity of the configuration and the availability of the SANs.

Specifications for secure operation:

• The SAN administration must be secured by only permitting access via special connections (a separate administration network, possibly the storage network itself as well).
• If necessary, tools for the operation and maintenance and the integration of SAN components into existing network management must be selected. Specifications for secure configurations of these tools must be defined. If possible, only encrypted connections should be used and any unneeded interfaces and services should be disabled.
• If remote maintenance or monitoring by the manufacturer must be utilised, specifications for securing the access points must be defined. For example, connection through a VPN or dedicated connections should be implemented and traceable records of these activities should be requested by the organisation.
• The authorisations for initiating software updates and configuration changes must be unambiguously defined. The procedure must be documented. As soon as the availability requirements become very high, changes and updates must be tested and evaluated on identical test systems before implementation in live operations.
• During operation of the SAN, all administrative activities must be logged. Furthermore, a concept for administrating and monitoring the storage systems must be drawn up. Information on this subject can be found in S 2.359 Monitoring and administration of storage systems.
• The regulations for backing up the data on the SAN must be coordinated with the overall data backup policy of the organisation (see module S 1.4 Data Backup Policy for more information) and with the protection requirements of the SAN. If there are special requirements placed on the confidentiality, the rights required to make backups must be granted in the rights administration.
• Due to the importance of the SAN, its contingency plan (see also S 6.98 Contingency planning for storage systems) must be integrated into the organisation-wide contingency concept.
• The persons responsible for revisions and auditing must be specified and the procedures must be described. The SAN audit must be integrated into an overall auditing concept.

Review questions:

• Has a security policy been drawn up for SAN systems?
• Is the SAN system only administered using trustworthy paths?
• Is there a current documentation of the settings of all SAN components?
• Were specifications for the configuration, operation, and fault management of SAN systems described in the security policy?