Sep 19, 2018

Block Storage Security 101: An Introduction to iSCSI SAN Deployments and Security

INAP

“Once my data is in your storage environment, how do I know it’s safe?”

This is one of the most common questions we hear from potential customers, and it’s not surprising. That’s why we wrote this blog post: to provide background on security in a traditional Fibre Channel environment as well as how security is practically handled in the modern Internet Small Computer Systems Interface (iSCSI) framework, which communicates over existing networks, rather than requiring its own infrastructure like traditional Fibre Channel.

And while there are numerous ways that storage providers might keep your data safe and secure, there is one key point to make from the start: Using a wide variety of available tools in combination is the best way to keep your storage secure.

(Note that the information in this blog post pertains to both dedicated and multitenant storage environments.)

The Old School: Fibre Channel 

Fibre Channel storage has typically been used to present block storage to compute hosts. This is separate from the production networking and uses a separate medium, electronics and protocol.

Fibre Channel security usually entails configuring LUN zoning or LUN masking (a LUN being the logical unit of disk or a partition off a larger physical array). Fibre Channel adapters have a unique address burned in, which is known as a World Wide Name (WWN).

In LUN zoning, the Fibre Channel switching fabric is configured to prevent hosts from communicating with one another, meaning that WWNs can only communicate with the WWNs used for the SAN arrays. In effect, this acts as a firewall that prevents the hosts from communicating with anything but the storage array.

LUN masking adds more security by further limiting a WWN’s ability to communicate, restricting its communication to a specific LUN. Thus, a group of VMware hosts would have the WWNs from their FC adapters limited to only communicate with a specific LUN. This further prevents the hosts from being able to communicate with anything except their own assigned LUN.

Ensuring Data Security in iSCSI Environments 

iSCSI Addressing

In iSCSI, each host server is an iSCSI Initiator and the SAN is an iSCSI Target. Similar to the WWN system in Fibre Channel, iSCSI uses an iSCSI Qualified Name (IQN). Unlike WWNs, the IQN is made up of four fields that can be configured by the administrator. Those fields are:

Field 1: “iqn”

Field 2: Date, in YYYY-MM format, e.g., “2018-07”

Field 3: a reverse of the DNS domain, e.g., “com.eugene”

Field 4: an optional target name, e.g., “storage.vmware.datastore1.xyz”

All together this would look like “iqn.2018-07.com.eugene:storage.vmware.datastore1”
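As an added example (not code from the original post), here is a small Python parser for the four IQN fields listed above. The regular expression and the `owned_by` helper are this example's own assumptions, not a full implementation of the iSCSI naming rules. It also makes the security point concrete: every field of an IQN is administrator-configured text, so a name can be chosen or copied at will and is useful for authorization only after the initiator has authenticated by other means.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pattern for the four IQN fields: the literal "iqn" type prefix, a YYYY-MM
# date, and a reversed DNS domain; the optional name after the colon is split
# off before matching. The character classes are an assumption for this
# example rather than a complete statement of the iSCSI naming rules.
_IQN_RE = re.compile(r"^iqn\.(\d{4})-(\d{2})\.([a-z0-9][a-z0-9.-]*)$")


@dataclass(frozen=True)
class Iqn:
    year: int
    month: int
    naming_authority: str      # reversed DNS domain, e.g. "com.eugene"
    name: Optional[str]        # optional text after the colon, or None


def parse_iqn(text: str) -> Iqn:
    """Split an IQN into its four fields, raising ValueError if it is malformed."""
    head, sep, name = text.strip().partition(":")
    # The type prefix, date and domain are compared case-insensitively, so
    # "Iqn.2018-07..." and "iqn.2018-07..." name the same initiator.
    match = _IQN_RE.match(head.lower())
    if not match:
        raise ValueError(f"not an IQN: {text!r}")
    year, month, authority = match.groups()
    if not 1 <= int(month) <= 12:
        raise ValueError(f"invalid month in IQN date: {text!r}")
    if ".." in authority or authority.endswith("."):
        raise ValueError(f"malformed naming authority in IQN: {text!r}")
    return Iqn(int(year), int(month), authority, name if sep else None)


def is_valid_iqn(text: str) -> bool:
    """Boolean form of parse_iqn, handy in configuration validators."""
    try:
        parse_iqn(text)
    except ValueError:
        return False
    return True


def owned_by(iqn: Iqn, domain: str) -> bool:
    """True if the IQN's naming authority is the given DNS domain (written in
    normal order, e.g. "eugene.com") or a subdomain of it. Useful for flagging
    initiator names that claim a namespace the administrator does not control."""
    reversed_domain = ".".join(reversed(domain.lower().split(".")))
    return (iqn.naming_authority == reversed_domain
            or iqn.naming_authority.startswith(reversed_domain + "."))


if __name__ == "__main__":
    example = "iqn.2018-07.com.eugene:storage.vmware.datastore1"   # the post's example
    print(parse_iqn(example))
    print(owned_by(parse_iqn(example), "eugene.com"))
```

`parse_iqn` rejects names with an impossible month or a malformed domain, and `owned_by` lets a target-side validator warn when a configured initiator name sits outside the organisation's own reversed domain; neither check proves who is on the other end of the connection, which is what CHAP is for.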

iSCSI Network 

A dedicated VLAN is used for iSCSI communications between trusted hosts and targets. Having an isolated network is a primary security step to protect hosts, targets and data.

iSCSI Authentication

An iSCSI initiator first needs to authenticate. Typically, Challenge-Handshake Authentication Protocol (CHAP) is used: the target sends a challenge together with a CHAP identifier, and the initiator answers with a hash computed over that identifier, the shared secret password and the challenge, so the secret itself is never sent over the network.

iSCSI Authorization 

Once the host iSCSI initiator has authenticated using CHAP, the IQN is used for authorization. Think of it this way: once a host’s identity is authenticated, it needs to ask for access to a specific iSCSI resource. Like Fibre Channel LUN masking, a SAN array will limit a target LUN to only specific IQNs.

The typical security measures for iSCSI SAN deployments

A CHAP-based handshake between the iSCSI initiator (client) and the iSCSI target (storage system) may be sufficient for some implementations. Going one step further, modern storage systems also offer domain segmentation: a restricted group of iSCSI clients (IQNs) is associated with a specific set of IP addresses from which a client’s requests may originate. Then, on successful CHAP authentication, those IQNs are allowed to discover and communicate with their group of LUNs on the target system (e.g., Host A, with IQN Y, connecting from IP 10.x.x.x and having passed CHAP authentication).

It’s important to note here that iSCSI is a clear-text protocol. To ensure the secure transmission of data between the client and its target storage, all of the above security measures need to be in place, and each is equally important.

In certain scenarios, depending on the networking topology in place, additional security can be introduced at the networking layer, so that only specific hosts (with specific MAC addresses) associated with specific network adapters may initiate an iSCSI connection, using a pre-defined source and target IP space within the isolated storage VLAN. (These techniques are similar to SpoofGuard.)
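The login flow described in the authentication, authorization and segmentation sections above, as an added example that is not part of the original post: a Python model of a target that issues a CHAP challenge, checks the initiator’s response, confirms the login arrived from the IP network associated with that IQN, and only then returns the LUNs masked to it. The IQN, secret, addresses and LUN numbers are constructed sample values, and the `Target` and `HostEntry` classes are this example’s own, not any vendor’s API.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class HostEntry:
    """What the target knows about one initiator (constructed sample data)."""
    chap_secret: bytes                                   # shared secret for CHAP
    allowed_sources: Tuple[ipaddress.IPv4Network, ...]   # networks logins may come from
    luns: FrozenSet[int]                                 # LUNs this IQN is masked to


# Constructed target configuration; the IQN, secret and addresses are sample values.
TARGET_CONFIG: Dict[str, HostEntry] = {
    "iqn.2018-07.com.eugene:host-a": HostEntry(
        chap_secret=b"sample-secret-not-for-production",
        allowed_sources=(ipaddress.ip_network("10.0.10.0/24"),),
        luns=frozenset({0, 1}),
    ),
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5 over the identifier byte, the secret and
    the challenge. MD5 is what the protocol specifies; the protection comes from
    the secret never being transmitted and the challenge being fresh per login."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass(frozen=True)
class LoginResult:
    granted: bool
    reason: str
    luns: FrozenSet[int]


class Target:
    """Minimal iSCSI target login policy: CHAP, then source network, then LUN masking."""

    def __init__(self, config: Dict[str, HostEntry]):
        self.config = config
        self._pending: Dict[str, Tuple[int, bytes]] = {}   # session -> (ID, challenge)

    def challenge(self, session: str) -> Tuple[int, bytes]:
        """Step 1 (target -> initiator): a fresh CHAP identifier and random challenge."""
        ident, chal = secrets.randbelow(256), secrets.token_bytes(16)
        self._pending[session] = (ident, chal)
        return ident, chal

    def login(self, session: str, iqn: str, response: bytes, source_ip: str) -> LoginResult:
        """Step 2 (initiator -> target): verify the response and apply the policy.
        The challenge is consumed here, so a response only ever fits one login."""
        ident, chal = self._pending.pop(session, (None, None))
        if chal is None:
            return LoginResult(False, "no outstanding challenge for session", frozenset())
        entry = self.config.get(iqn)
        if entry is None:
            return LoginResult(False, "unknown IQN", frozenset())
        # Authentication: the initiator proves knowledge of the shared secret.
        expected = chap_response(ident, entry.chap_secret, chal)
        if not hmac.compare_digest(expected, response):
            return LoginResult(False, "CHAP authentication failed", frozenset())
        # Segmentation: the login must come from an address associated with this IQN.
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in entry.allowed_sources):
            return LoginResult(False, "source address not permitted for this IQN", frozenset())
        # Authorization: the IQN only ever discovers its own masked LUNs.
        return LoginResult(True, "ok", entry.luns)


def initiator_login(target: Target, iqn: str, secret: bytes, source_ip: str) -> LoginResult:
    """Initiator side of the exchange; the secret is used locally and never sent."""
    session = secrets.token_hex(8)
    ident, chal = target.challenge(session)
    return target.login(session, iqn, chap_response(ident, secret, chal), source_ip)


if __name__ == "__main__":
    target = Target(TARGET_CONFIG)
    print(initiator_login(target, "iqn.2018-07.com.eugene:host-a",
                          b"sample-secret-not-for-production", "10.0.10.5"))
```

Two properties are worth noticing. A response captured from one login is bound to that login’s challenge, so presenting it against a fresh challenge fails, which is the point of challenge-response over a static password. And CHAP only protects the login: as the text notes, iSCSI itself is clear text, so the isolated VLAN and the source-address association remain the controls that keep session traffic away from untrusted hosts.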

Encryption

Typically, depending on the storage system implementation model and its type, at-rest data encryption is realized through either hardware or software encryption methods.

Hardware-based encryption is associated with self-encrypting drives and requires a special type of hard drive to be used in the storage system. If for any reason the data is attempted to be accessed on such a hard drive outside of its storage platform (e.g., removed from the storage unit shelf), it will be in an encrypted state.

Software-based encryption, as its name suggests, uses software-driven encryption methods while offloading the actual encryption instructions to the underlying hardware (AES-NI and similar CPU technology). The minimum encryption level recommended for software-based encryption is AES-256. A major benefit of software-based encryption is a lower cost for a solution that delivers the same level of encryption seen with hardware-based solutions.

Conclusion 

With the right tools, vendors and implementations, iSCSI is as secure as any other storage system. And while there are many available security tools, the combination of all these tools will put you in the best position long-term to secure your storage environment.

When it comes to securing your block storage, there are no half-measures, and a trusted service provider like INAP will be able to provide valuable insight and tools to make sure your data is fully secured from start to finish.

May 14, 2018

How General Data Protection Regulation (GDPR) Impacts Your Business

INAP

There has been a lot of buzz recently about the new General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, officially replacing the Data Protection Directive from 1995.

If you market to, process, transmit or store information of European Union (EU) data subjects – including employees, customers and end users – you will need to adjust your organization’s data management to align with the new GDPR requirements. Failure to comply with regulations can result in a fine of up to 4 percent of annual global turnover or €20 million, whichever is greater.

For your organization, these new regulations should encourage you to take a fresh look at how you control exposure to personal data, employ security mechanisms to protect personal data, detect and notify supervisory authorities of breaches within a timely manner, keep records of data-processing activities and document risks and security measures.

Why GDPR is Being Implemented

In an increasingly data-driven world, people want more control over their personal data and transparency into how businesses are using their data. Individuals are not only concerned about how organizations are using their information for advertising, but also how their data might be exposed to the increasing threat of cyber incidents.

To combat these issues, GDPR is being implemented for the following reasons:

    • To standardize data privacy laws across Europe;
    • To protect and empower all EU citizens’ data privacy; and
    • To reshape the way organizations across the region approach data privacy.

Companies must continue to listen and meet the privacy demands of users, and GDPR is the first step to create more transparency between brands and individuals.

6 GDPR Changes to Expect for Your Business

There are a few key changes to previous legislation that your organization will need to prepare for in your transition to GDPR compliance.

  1. Consent
    Under GDPR, consent for processing data must be clear and distinguished from other matters, provided in an easily accessible form and the individual must easily be able to withdraw consent. For instance, companies will no longer be able to assume users give permission for their data to be stored and used. Even pre-checked boxes on websites will no longer constitute consent in most instances. Businesses will now have to allow users to explicitly give their consent through a written or verbal statement or electronic means.
  2. Breach Notification
    If your company is the victim of a personal data breach, you will now be required to issue a breach notification within 72 hours of being made aware of the breach – unless you are able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of the people impacted by the breach.
  3. Right to Access
    Data subjects have the right to obtain information on whether their personal data is being processed, where it is being stored and used and for what purposes. Data controllers must provide a copy of the personal data free of charge upon request once.
  4. Right to be Forgotten
    Think of this as a universal data opt-out option. Subjects will have the right to have their personal data erased without undue delay if that information is no longer necessary in relation to the purposes for which it was collected.
  5. Data Portability
    This new regulation gives data subjects the right to receive personal data concerning them and the right to transmit that data to another controller.
  6. Privacy by Design
    This concept has been around for years and is now a requirement in the GDPR. It calls for the inclusion of data protection during the design of systems rather than an addition.

INAP’s Commitment to GDPR Compliance

INAP has been preparing for the GDPR implementation ever since the law was passed in 2016.

The security of our global infrastructure is one of our top priorities, and we have been reviewing and updating our customer privacy and security policies to better safeguard your data and ensure we are in compliance with the new regulations. We are entering into data processing agreements with our customers if GDPR applies to the processing of their data and entering into sub-processing agreements with vendors when necessary.

For more information about our processing roles and responsibilities, as well as our commitment to customers as a data controller, visit INAP’s GDPR page.

Feb 1, 2018

The Internet of Unsecured Things

INAP

Finding Security in the Smart Devices World

The internet of things (IoT) refers to the network of physical objects embedded with network connectivity.

This technology allows devices that were previously silent to communicate and share data. For instance, objects as complex as automobiles, public transportation and heart monitors can now share data with appliances like washing machines or refrigerators. The result is an explosion of both data creators and data collectors.

However, as the initial excitement and possibilities about IoT have subsided, it has created serious concerns about the functionality and security of connecting everyday devices. With experts forecasting that as many as 50 billion IoT devices could be connected by 2020, IT professionals are grappling with the problem of securing so many devices.

The Trouble Securing So Many Devices

One of the fundamental issues of IoT security is the sheer number of gadgets for which to account. Securing that many devices behind a single security firewall can be difficult. Just a few years ago we only had to worry about digitally securing our computers. Now we have to consider protecting our cell phones, wearable devices, home appliances and more.

Properly securing IoT could require an enormous investment of resources. Businesses already worry about the security of their networks being used through computers and smartphones, but as IoT grows, businesses may also have to secure ordinary objects, such as the motion detector that monitors how many people are in the conference room.

To make matters worse, HP has estimated that as many as 70 percent of IoT devices could be vulnerable to attack. With smart devices, such as watches, baby monitors and garage doors taking in thousands of data points daily, even small breaches could compromise millions.

Proactive Solutions for the Future

IoT brings a wealth of benefits and advantages to both businesses and consumers.

People who utilize smart devices can count on a treasure trove of relevant and targeted data. This can help companies manage everything from inventory tracking to remote workers. But managing our new smart gadget-driven world is not without potential pitfalls and security headaches.

Here are a few ways developers and manufacturers can protect devices and networks from unwanted and malicious intrusions and keep consumers safe.

1. Patches

Developers need to ensure their devices are patchable, and then stay constant and current with available security updates. A problem still exists when patches are released, but users fail to take the necessary steps to update their devices – leaving hundreds of millions of unpatched and unsecured devices on the internet.

There is only so much that manufacturers and developers can do to remedy this problem, but two suggestions are to send alerts to users when a patch is available or allow users to opt in for automatic updates.

2. Consider Multiple OSes

Even when developers are proactive with patches, they need to understand these security updates will impact every user differently due to the variety of operating systems in use on individual devices. For instance, Apple, Samsung, Google and Microsoft all have their own IoT platforms, which don’t always communicate well with each other.

Developers need to consider a multi-layered security approach which will effectively function throughout the lifecycle of an IoT device, regardless of the operating system it’s running.

3. Password Requirements or Two-Step Verification

The next time you scan for nearby Bluetooth connections on your cell phone in a crowded place, you’ll probably see a few smart devices pop up.

Most devices already require passwords or two-step verification to connect, but developers should consider adding this security measure to all IoT products. Users will want their devices to automatically connect, but this should only be an option after security and authenticity are initially verified.

The simple fact is that most people who use IoT devices do not understand how they work and may wrongly assume that their devices are secure, which may not be the case if the product is discoverable by default.

Living in an Internet of Secured Things

Unfortunately, until there is a massive IoT security breach (and it’s likely not a matter of if, but when), we really won’t understand the risks associated with all of our interconnected devices. This is not to say we should abandon an IoT world because the security threat level is too great; the benefits far outweigh the risks.

While developers and manufacturers do hold some of the responsibility for mitigating these risks, the onus is also on users to understand how devices will share their data and to take proactive steps – like downloading those security patches and frequently updating passwords – to protect their personal information.

Does your business have network security or IT infrastructure needs? Contact us today to learn more about INAP’s high-performance network services that will keep your applications running as fast as your business.

Sep 11, 2012

Internap’s commitment to PCI data security standard

INAP

For the second year in a row, Internap volunteered to have its data centers audited for PCI DSS compliance by a PCI Qualified Security Assessor (QSA). The result of this audit is a PCI ROC, a Report on Compliance that covers Internap’s managed hosting and dedicated private cloud environments.

Why does Internap care about PCI DSS? Because we care about the security of our customers’ sensitive business data…

Some of Internap’s clients are required by major payment card companies to be PCI DSS compliant. Therefore Internap developed a secure data center managed hosting environment and a suite of security service offerings that address many of the PCI related service needs of our clients.

How does Internap help its clients with their PCI DSS needs?

The PCI DSS standard includes 12 requirements for businesses that store, process or transmit payment cardholder data (CHD). These requirements, listed below at an overview level, specify the framework for a secure CHD environment.

It’s important to note that no one managed solution vendor addresses all twelve requirements and their sub-requirements to the fullest and that responsibility for passing the PCI DSS audit ultimately falls to the hosting customer that processes, stores and/or transmits the CHD. However, the following are examples of functions that are defined as the responsibility of Internap in the management of networks and operating systems that address some of our customers’ PCI DSS needs:

  1. A SOC 2 compliant physical data center with security controls to protect the physical assets (firewalls, routers, switches, and servers) of the hosting customer’s environment.
  2. Management of administrative user accounts that include service-accounts, root, administrator and other system-level administrative (privileged-user) accounts.
  3. Installation, configuration, administration and maintenance of firewalls and network router equipment, and the deployment of baseline firewall and router rules (configurations) for which the customer would request its business-specific rules for Internap to implement.
  4. Network bandwidth to/from the Internet, or customer provisioned private line networks into the provisioned customer environment.
  5. Anti-virus administration at the operating system level, to ensure that the services operating within the customer’s managed server environment are free from viruses.
  6. Baseline backup and recovery of operating system environments, customer data repositories, as well as system and security device configurations.
  7. Operating System (OS) patch management services.
  8. Intrusion detection, prevention and log management services.
  9. 24/7 service support (SOC).

Internap represents the best available data center environment to provide better protection of our clients’ applications that deal with CHD. Internap also presents an opportunity for its customers to leverage managed security services tailored to the PCI DSS compliance for better protection of their sensitive business data – and to address compliance with other standards and regulations. Please contact your solutions engineer (SE) with any questions regarding Internap’s PCI DSS managed hosting environment.
