Storage Security: Protecting, SANs, NAS and DAS

As stated in another review, the case studies are most helpful and give real world examples. John and Scott do a fine job of creating realistic scenarios and discuss the solutions in a positive way. Any reader will be able to relate in some way to the examples.

One of the features that I enjoyed were the "Security Thoughts" spread throughout the book. They make intersting points and give the reader some real food for thought.

Good job Scott and John! I look forward to your next book.

Rating:
Summary: Great tool for security planning and implementation
Review: Prior to this book I was ignorant of a lot of data storage issues. This book opened up areas to me that I had previously overlooked as I always took data storage for granted. The equipment breakdown and analysis was the most concise that I've ever seen. Nearly every page brought me a new item to learn or ponder. The sections on packet breakdown and network latency were fascinating. The information in this book is fully explained and with the author's help, easy to understand. The chapter(8) on designing and implementing a sound data security program almost serves as a blueprint as the steps and procedures are clearly outlined for the reader. This book provides BIG TIME info to the IT professional.

Rating:
Summary: Great tool for security planning and implementation
Review: Prior to this book I was ignorant of a lot of data storage issues. This book opened up areas to me that I had previously overlooked as I always took data storage for granted. The equipment breakdown and analysis was the most concise that I've ever seen. Nearly every page brought me a new item to learn or ponder. The sections on packet breakdown and network latency were fascinating. The information in this book is fully explained and with the author's help, easy to understand. The chapter(8) on designing and implementing a sound data security program almost serves as a blueprint as the steps and procedures are clearly outlined for the reader. This book provides BIG TIME info to the IT professional.

Rating:
Summary: A weak text on storage security
Review: Securing storage sub-systems is an important, but omitted task. Will this text help you to do what is necessary to secure your storage fabrics? On my third read, the answer remains illusive. Important parts that should be part of standard decision protocol are missing. Will the text help you to understand security as a general topic? Certainly, the text attempts to apply CISSP concepts to the storage security topic.

In Chapter 1, trade articles cite storage pundits on the typical security grind, with a few small customer comments. All neglect in some form the fact that administrative error is the number one risk to availability, and by ISO17799, a security threat. Security is proactive rather than reverse engineered. The listing of security domains is certainly useful as a template for consideration.

Chapter 2 (DAS) discusses at length issues of data protection (RAID), discussion of interface technologies and a useful CISS matrix that is then applied to each interface. Rather than offer mitigation strategies for each interface, security resorts to the traditional CISSP analysis approach, classify, use standards, and build a plan, etc. when people really need situational case studies and risk mitigation. (Certainly, it remains important to do the analysis, but that is part of a CISSP text.)

Chapter 3 (NAS) begins with discussion of the NAS technology and their reasons for values supporting their security evaluation criteria. I found no serious discussion of the relationship of NAS to the outside world (Windows and UNIX) and the risks that this creates (need for authentication, etc.) In addition, one would expect a discussion of NFS flavors, CIFS and active directory, but this too was absent. One nit was a "weakness: NAS may not be good for databases," which with the new locking mechanisms is becoming more popular (although I personally still have a hard time with the idea.) Some protocols discussed are no longer in use. It includes a passable discussion on NASD and key management.

Chapter 4 (SAN) As with the others begins with discussion of technologies in the broad sense of the storage fabric including iSCSI and FC, followed by a SAN security matrix. The discussion of "Manageability" and "Access Control Management" including techniques by title and model remain as definitions without an interpretation within the technology - e.g. The Bell-LaPadula Model includes mandatory access control by determining access rights from different security levels, and discretionary access control by cross-referencing access rights from a matrix. How do we create the matrix in SAN terms, develop security levels, and determine access control rights? When is it appropriate to use this model? Very little discussion of authentication, other than user or administrator rights - techniques were in existence at the time of publication.

I could continue, but my findings remain that this is a book about security, not storage security. It has a lot of potential if the models are given life with real life interpretation.

Rating:
Summary: The "whole enchilada" of storage security
Review: Storage networking and security are two different subject matters that really have been treated as such. I read about SANs and NASs being vulnerable with overlooked security. Since this is one of the industry's missing links I've been waiting for a new book that includes the "whole enchilada", and Storage Security is just that.

Don't be fooled by this book's outline. This book is stuffed with goodies from technology to implementation. Not only do the authors cover SAN, NAS and DAS security, you'll also find data availability, protection, backup and recovery. Also among a few step-by-step case studies you'll come across a very useful iSCSI model. Even better this book includes excellent design and selection criteria and goes so far as to building a testing and monitoring program using (my favorite VS) Nessus.

I would have liked to see more modeling but the technology and business criterion make up for it. Well done.

Rating:
Summary: Top Notch Information
Review: The material provided in Storage Security was unique in its approach and provides an excellent foundation for the creation of a secure storage environment. "Ripple Security Logic" provides an interesting and easily understood method that can be utilized to evaluate and strengthen the secirity of individual devices. The sample evaluation criteria workbook is also a valuable baseline tool. Anyone involved with Storage should add this book to their reference library.

Rating:
Summary: Comprehensive coverage of an oft-overlooked topic
Review: What does "Information Security" mean to you? To many, it means firewalls and encryption. To some, it means intrusion detection systems. Chances are the words "file servers" weren't high on your list, but they probably should be. After all, "information security" is about information, and when it's not flying across the network it's got to be stored somewhere, right? In fact, the security of the storage mechanism is often overlooked, which makes it an attractive target for attackers. In their new book, Storage Security, Chirillo and Blaul take a comprehensive look at this often-ignored subject.

Storage Security is not about turning on the right configuration options on your XYZ brand server appliance. It's about applying solid, methodical security practices to your storage systems, regardless of whether they are disks directly attached to a single computer, Network Attached Storage or part of a Storage Area Network. The authors address the full security cycle, too, starting with evaluating the security of proposed new storage solutions. Comparative data in hand, the book shows you how to narrow the field to a single solution that offers the best balance between functionality and security. And once the system is selected, you can't stop there. You've got to decide upon appropriate security policies for the new storage system, draft and implement a backup and restore plan, deal with disaster recovery and take care of a host of other issues. In short, this is a good guide to an entire range of considerations necessary to select, deploy and manage a secure storage solution.

The book's evaluation methodology is particularly valuable. Each type of storage (direct attach, NAS and SAN) is covered in a chapter of its own. Within each chapter, the authors address specific technologies used to implement that type of storage. For example, the direct attach chapter discusses such common storage technologies as SCSI and IDE, moderately exotic systems like USB and Firewire drives, and some more advanced solutions like HiPPI and SSA. Each technology is then placed in a matrix and scored in 11 different categories, including popularity and industry acceptance, built-in data protection features, typical fault tolerance and physical security characteristics. The authors assign each rating on a scale of 1 (poor) to 5 (the best). This gives a good general indication of how each technology measures up, but they tend to rely on a straight average of the ratings when determining the "best" technology. Although it's true that the average allows you to make a quick ballpark comparison, there are many other factors to consider as well, such as the suitability for your particular environment and the way in which your users need to access their data. The matrixes are quite useful, but just remember that you can't always boil things down to a simple numerical score.

Probably the biggest problem with this book is that it's pretty dry. As a reference book, the writing style is fine: since it's easy to find what you're looking for, and the chapters are concise. It's difficult to read from cover-to-cover, though, which is a shame because that's what you should probably do the first time through. Take it in small doses, a chapter or so at a time, and you should be fine.

Storage Security is about just what you'd think: the security of your data as it's being stored on your server(s). It's not a detailed look at the configuration of any one product, but rather a comprehensive, theory-based approach to managing the security of your storage subsystem from evaluation to purchase to daily operations. If you manage a small or mid-size network, you may not need this book. If you have a larger network, though, or have significant data storage needs, this deserves a space on your shelf.