Insider warns of storage industry security flaws

The security strategies of the leading storage vendors have been criticised by a former US government security consultant who now works for Hitachi Data Systems.

Storage vendors EMC, IBM and NetApp came in for particular criticism from Eric Hibbard, who works for Hitachi Data Systems as senior director of data networking technology.

"I've found a lot of storage vendors don't understand what security is," Hibbard told ZDNet UK at the Storage Networking World event in Frankfurt this week.Even Hitachi Data Systems, his present employer, had problems with security, according to Hibbard. "The storage community has not been part of this world, but we're being quickly educated — we need to fix this now."

Hibbard said most storage vendors are failing to address common security problems. During his time in both the public sector — at NASA and the US military — and in the private sector, he claims to have seen applications with known vulnerabilities left in use, due to poor understanding of security by both storage vendors and customers.

"If I know you're running Redhat Linux, I know the attack points for the operating system. If you're running old versions of Apache, for example — that has known vulnerabilities that can be exploited," said Hibbard.

Firewalls are not used or not configured properly, and unsecured channels are being used to access devices with credentials being transmitted in cleartext, rather than being encrypted, according to Hibbard.

The effects of data breaches can cause reputational damage to the company and the individuals involved, he added. "Chief information officers are getting killed over data indiscretions," said Hibbard.

A fundamental lack of communication between vendors and customers is the cause of the problem, he added. "When a storage vendor goes and talks to companies, they talk to storage people. If there's a disconnect between the storage and security guys, that won't feature in the discussion," said Hibbard.

Ulrich Pense, a senior consultant for data storage services vendor Intellistorage agreed that storage security was not well understood.

"Both vendors and customers are not aware of security issues. People don't address security because it's uncomfortable," he said.

Hibbard said that ISO security standards such as ISO 17799, designed to guarantee the quality of security practices, are not being adhered to.

"I'm stunned by how many storage vendors don't comply with all the elements of ISO standards," said Hibbard. "If you ask a storage guy if his products and practices comply with ISO 17799 he'll look at you like you're speaking a different language."

Responding to Hibbard's accusations, the storage vendors contacted by ZDNet UK strenuously denied that they lacked an understanding of security. EMC said that although it didn't follow ISO standards, it had its own EMC Products security policy.

"The policy contains more than 80 guidelines we need to follow as each product is developed," said Rob Sadowski, senior manager of information security product marketing at EMC. "It takes direction from ISO, and the [US] National Institute of Standards and Technology."

EMC claims it also uses AES 256 encryption technology, which is also used by the US military. However, the company admitted that it still had security problems to solve. The company has no common encryption key management framework, but said that its acquisition of RSA would allow it to address that, and other issues.

"Customers will be better able to manage access to their storage data, storage array or data repositories like their email archives across a range of products," said Sadowski.

IBM said that while it did not automatically build ISO standards into its products and services, customers could request that they were included.

"Our products can be deployed and monitored in line with ISO 17799 and we have services offerings to support compliance," said Gordon Arnold, product manager at IBM Tivoli Storage. "Certainly many of our systems adhere to strict security certifications like FIPS [federal security standards], in particular for the storage domain."

IBM said it advises its customers about the various different types of attacks that can be used against storage devices, and how to prevent or mitigate the effects of those attacks.

"We have long had a variety of services offerings and products for monitoring to detect and prevent intrusions. We have a service which includes a worldwide collection of known vulnerabilites, for instance, with best practices for avoiding those vulnerabilities," said Arnold in a statement.

IBM indicated that it recognised there was room for improvement in its security services. "Our recent announcement of the acquisition of ISS, for instance, shows our commitment to enhance our security services offerings," said Arnold.

NetApp said that while its products and services did not follow ISO standards, its storage products did follow FIPS federal security standards. The company claimed it was "at the forefront of providing best practice on how to maximise the security of its appliances".

"In addition to building security into all areas of its product portfolio, NetApp has rolled out a variety of educational tools to help customers better understand their data security risks and the ways they can tune their IT infrastructure to mitigate those risks without having to rip and replace or make unrealistic investments," said Mike Walters, consultant systems engineer at NetApp.

The company added that its storage environment had a hardened micro-kernel which would leave customer's systems less prone to attacks than a general operating system.