To sum it up, it's a data encryption solution that secures data at the SAN/NAS storage layer. In other words, it encrypts the data stored within the SAN and adds access controls that restrict which hosts can reach which volumes. Sounds kinda neat, huh? I found it interesting that the vendor was touting that their product addresses the encryption and data security requirements of the PCI (Payment Card Industry) Data Security Standard. I have to completely disagree with this positioning.
The product does encrypt data at rest within the SAN. But this is not really where the threat exists. The solution does nothing to protect data once a host has been authorized to access it within the SAN. And the threat of someone gaining physical access to your SAN in order to attach to an existing volume is, shall we say, not very probable. If you are following the other requirements of PCI, you have your SAN and servers secured within a data center with appropriate physical access controls, so the chance of someone walking off with your servers and your SAN is also low.
With a solution like this in place, the Oracle database server is an authorized host: it has complete access to the encryption keys and to all of the data in the SAN that it needs in order to operate. And the web application connected to that database has access to all of the data it needs in order to operate. So, even with such a solution implemented, you are still completely dependent on the security and access controls (and inadequacies) of those systems to protect the data. If someone can circumvent the controls in the web application or the database access controls, it doesn't really matter that the data is encrypted in the SAN. Implementing a database encryption solution would be a much more effective and secure approach.
But a solution like this isn't all bad. Where I do see value is in highly virtualized environments: since the data is encrypted within the SAN, you can restrict each volume to only its authorized hosts. Another great feature of the solution I reviewed is the ability to apply the same technology to backup media. That is an area fraught with vulnerability, and it's good to see a product that addresses it head-on. What bugs me is when vendors get a little overzealous in their marketing, positioning themselves as a solution to problems they don't really solve.
Copyright (c) 2007 Kenneth M. Smith
Kenneth M. Smith CISSP CISA QSA
Nothing can guarantee complete protection from the threats that exist on the Internet. Worms, viruses, malware and other malicious attacks are making this battle more complex every day. But it’s important to make a concerted ‘due-diligence’ effort to protect your information systems. Here is a preliminary checklist of 20 items that can help reduce your exposure to the top Internet threats.
SANS Newsletters: There are two weekly newsletters and one monthly to choose from. The Security Alert Consensus (SAC), for example, lets you customize the content to your environment: you can choose to receive only news that pertains to the operating systems you use. To subscribe to the SANS newsletters, visit: https://portal.sans.org/
SecurityFocus Mailing lists: There are currently 26 lists to choose from. At a minimum, I would recommend the ‘bugtraq’ mailing list. To subscribe to the SecurityFocus lists, visit: http://www.securityfocus.com/archive
Incidents.org: This site provides daily updates and alerts on the latest threats, acting as an Internet Storm Center. Here you can access the latest CID graph and probing statistics, and query the DShield database. DShield is a system that acts as a central logging and analysis repository for IDS and firewall logs submitted by participants. For more information, visit http://www.incidents.org/.
10. Keep Internet-accessible hosts on a DMZ – Any host that can be directly accessed from the Internet should sit in a Demilitarized Zone network, not on your internal LAN. For example, web, mail, and FTP servers should be on a separate network segment that is connected only to the firewall. Firewall rules are then created to allow access to these systems from the Internet, and to allow these servers to communicate with systems on your LAN only over the specific services they need (a web server reaching its database, for instance). That way a compromised DMZ host cannot be used as an open door into the LAN.
13. Closely guard modem remote access services – A single host with a modem connected to an analog line can completely circumvent your security strategy. Although it doesn’t get the attention it used to, finding a host running PcAnywhere with a weak or non-existent password will usually result in full access to the company’s internal network and applications. Systems that must be made available in this manner must be closely monitored, with full auditing and logging enabled. Regular war-dialing exercises should be performed to inventory modem usage and to identify weak authentication requirements.
15. Categorize and segregate systems – Organize systems into categories based on their function and their importance to the organization. Next, segregate systems into secure ‘zones’ based on these categories. This lets you apply countermeasures that are aligned with each system’s security requirements, and deploy the more extensive countermeasures efficiently, exactly where they are needed most.
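As an added illustration of the DMZ layout in item 10 and the zoning idea in item 15 (this is example code written for this page, not the author's), the following Python model classifies addresses into zones by longest-prefix match, evaluates packets against an ordered rule table with first-match semantics and a default deny, and audits the table for rules that defeat the design (anything allowed from the Internet straight into the LAN, or an unrestricted allow into the LAN). The zone names, address ranges (RFC 5737 documentation space for the Internet side, RFC 1918 space for the LAN), port numbers and the rule set are assumptions chosen for the example.

```python
"""Zone-based firewall policy model for a DMZ design (added example).

Zone names, address ranges, ports and rules below are assumptions for
illustration, not a real site's policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# An address belongs to the most specific (longest-prefix) zone range that
# contains it, so "internet" can be the catch-all 0.0.0.0/0 without
# swallowing the DMZ and LAN prefixes.
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],
    "dmz": [ip_network("192.0.2.0/24")],   # assumed DMZ segment
    "lan": [ip_network("10.0.0.0/8")],     # assumed internal LAN
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    comment: str = ""


# Ordered rule table: first match wins; no match means deny.
RULES: List[Rule] = [
    # The Internet may reach only the published DMZ services.
    Rule("internet", "dmz", "tcp", 80, "allow", "web"),
    Rule("internet", "dmz", "tcp", 443, "allow", "web (TLS)"),
    Rule("internet", "dmz", "tcp", 25, "allow", "inbound mail"),
    Rule("internet", "dmz", "tcp", 21, "allow", "ftp control channel"),
    # DMZ hosts may talk to the LAN only over the services they need.
    Rule("dmz", "lan", "tcp", 1521, "allow", "web app -> DB listener (assumed port)"),
    Rule("dmz", "lan", "udp", 53, "allow", "DNS"),
    # An explicit catch-all deny makes the DMZ -> LAN intent auditable.
    Rule("dmz", "lan", "any", None, "deny", "no other DMZ -> LAN traffic"),
    # LAN administrators manage DMZ hosts and use the published services.
    Rule("lan", "dmz", "tcp", 22, "allow", "administration"),
    Rule("lan", "dmz", "tcp", 443, "allow", "internal users to web"),
]


def zone_of(addr: str) -> str:
    """Return the zone whose longest-prefix range contains addr."""
    ip = ip_address(addr)
    best = None  # (zone name, prefix length)
    for name, nets in ZONES.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    if best is None:
        raise ValueError(f"{addr} is in no zone")
    return best[0]


def evaluate(src: str, dst: str, proto: str, dport: int,
             rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'deny' for a packet; first matching rule wins."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in rules:
        if (r.src_zone == sz and r.dst_zone == dz
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"  # default deny


def audit(rules: List[Rule] = RULES) -> List[str]:
    """Flag rules that undermine the DMZ design."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone != "lan":
            continue
        if r.src_zone == "internet":
            findings.append(f"Internet -> LAN allowed: {r}")
        elif r.dport is None:
            findings.append(f"unrestricted {r.src_zone} -> LAN allow: {r}")
    return findings


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dport).
    for pkt in [("203.0.113.7", "192.0.2.10", "tcp", 443),
                ("203.0.113.7", "10.1.2.3", "tcp", 443),
                ("192.0.2.10", "10.1.2.3", "tcp", 1521),
                ("192.0.2.10", "10.1.2.3", "tcp", 445)]:
        print(pkt, "->", evaluate(*pkt))
    print("audit:", audit() or "clean")
```

The explicit DMZ-to-LAN deny rule is what makes the table reviewable: a later, careless "allow anything to the LAN" entry never takes effect, and `audit()` catches it even if someone reorders the rules.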
Copyright (C) 2004 Kenneth M. Smith