Storage networks are predominantly used by organisations to centrally manage their data, reduce hardware costs (cost of server hardware, software, installation and maintenance) and downtime (when adding extra storage), effectively manage storage resources, and overcome computing power and storage scalability issues that the ‘independent storage for each system’ approach is affected with. These networks are regularly used to store critical information the compromise of which could affect the organisation’s competitive edge, cash-flow, profitability, legal and regulatory compliance, and corporate image.

Storage Area Networks (SANs) and Network Attached Storage (NAS) are the two types of storage networks used primarily. The two storage networks differ in various aspects; however, both these technologies were built with functionality in mind and not security, and are riddled with vulnerabilities that adversely affect the confidentiality, availability and integrity of the information stored within these networks. Serious vulnerabilities exist within these technologies that could allow unauthorised, (and in various cases) unauthenticated access to stored information. The support for IP based connections, iSCSI in SANs, and IP connections in NAS increase the accessibility but also enlarges the attack surface.

Additionally, organisations often contract third party service providers for deploying and maintaining the storage infrastructure. In many cases, the management of user permissions on the data is also outsourced to the service provider. This adds to the number of personnel who could access the organisations data and the locations where the data can be accessed from (if management is outsourced, the storage infrastructure and data could be accessible from all locations where the support staff is based).

Storage vendors have recently started realising the need for security and are now bundling network storage devices features that help secure the SAN and NAS environments; however, these features are not configured as factory defaults, and the lack of secure storage configuration policies, standards and guidelines at the organisation/service provider level introduces considerable weaknesses in the storage network environment.

The security of storage is paramount due to the criticality of information stored, the abundance of security weaknesses in the technology and due to the ever growing compliance and regulatory requirements. The process of securing storage environments should start with strict organisational policies targeted towards storage networks. Secure configuration standards and guidelines should then be developed and enforced in-line with vendor and industry best practices.