Defense in Depth: Storage Security in a Hybrid Cloud

Storage security is not only about encryption; encryption is just one of the storage security requirements for virtual and cloud environments. It is also about increasing defense in depth, knowing what is touching your storage environment, securing those touch points, and, to a great extent, auditing and protecting the data residing on the storage devices regardless of where those devices live: within the virtual environment or within a cloud. Traditionally we have the following storage security capabilities:

  • Presentation
  • Zoning (or the use of VLANs or software-defined networking for IP-based storage)
  • Encryption of Data at Rest (discussed previously)
  • Device to Device Authentication (such as iSCSI CHAP)
  • Storage Device Selection (or ultimately where to place the data)

But is this really the extent of our security capabilities? Presentation, the act of presenting storage to a server (whether a virtualization host or a virtual machine within that host), is the most basic form of security: a host that has not been presented a LUN cannot see it. Zoning adds a control within the storage network itself, restricting which initiators and targets are allowed to talk to each other, so that a misconfigured or compromised host cannot reach storage outside its zone. These are the most basic forms of shared storage functionality, but they are also security controls to an extent. Outside of encryption, there is also the ability to use multiple storage arrays for the multiple tasks within the virtual and cloud environments. For example, you may want one array used specifically by the virtualization hosts, and a different array used for standard virtual machine shared filesystems.

Defense in Depth

But there are other tools at our disposal to produce even greater defense in depth. These range from placing firewalls into IP-based storage networks to guarantee the proper flow of data into and out of our storage devices, to increasing our auditing to detect missteps in presentation, zoning, and array selection, to encrypting data in motion. The key is how to provide an increased level of security without impacting storage network performance.

Security should be invisible until it is needed, so implementing additional security functions within a virtual or hybrid cloud environment may not be possible very close to the physical storage layers, outside of data at rest encryption; but we can provide alternative paths to that storage, for example through Virtual Storage Appliances (VSAs). A VSA sits in the storage path to optimize storage traffic, augment storage functionality, or act as a gateway to cloud-based storage, and it has the potential to improve overall storage security. Perhaps the easiest use of a VSA is to provide storage targets that are segregated by trust zone and that also provide data at rest encryption. Because the encryption happens within the VSA, the data leaving the virtualization host for the physical storage device is already ciphertext, so the same mechanism gives encryption of data in motion on that segment as well as encryption at rest. Note that the path from the virtual machine to the VSA, inside the host, still carries plaintext, so the VSA must live in the same trust zone as the workloads it serves.

Now if we had more than one VSA in place, we could create a storage virtualization layer per trust zone and/or type of data. For example, DMZ storage could be encrypted within one VSA, a second could serve an internal web farm, and a third could present storage directly to virtual machines for application storage. The list is endless. We can even use a VSA acting as a storage gateway to share application data between our local data center and our hybrid cloud instance, which is one use for Trend Micro’s Secure Cloud product.

Data Discovery and Compliance

However, if we add all these VSAs into the mix, we need to ensure that what is stored in them obeys the security policy of the trust zone, which means we need a way to inspect the data and confirm that what we are storing does not violate that policy. One way to do this is to run scanning software that periodically looks for key strings within the data stored in the trust zone. VMware vShield App with Data Security will do this for unencrypted PCI and other workloads. If a VSA is dedicated to a non-PCI workload, we should not, for example, find a social security number or a card number in its data store. Such scanning is often required to demonstrate compliance.

What makes this scanning difficult is the possible need to decrypt the data in order to inspect it and determine whether compliance is being met. Most modern VSAs do not have this capability, which means either that the data has to be left unencrypted or that the VSA itself has to provide a compliance module that allows data inspection. This is a definite limitation for data loss prevention and for data compliance.
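As an added example (not code from the original post, and not how vShield Data Security or any particular VSA implements it), here is the kind of scan the two paragraphs above describe: it looks for social security numbers and Luhn-valid card numbers in a constructed trust-zone datastore and reports anything the zone's policy does not allow. The zone names, the policy table and the file contents are all assumptions for illustration. The last file stands in for a blob the VSA has already encrypted; the scanner finds nothing in it, which is exactly the limitation described above.

```python
import re

# Patterns for two regulated data classes. The SSN pattern excludes the
# area/group/serial values that are never issued; the PAN pattern only finds
# candidates, which the Luhn check below then filters.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(blob: bytes) -> list:
    """Return Luhn-valid card numbers (digits only) found in blob."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(blob: bytes) -> set:
    """Data classes present in a blob: a subset of {"SSN", "PAN"}."""
    classes = set()
    if SSN_RE.search(blob):
        classes.add("SSN")
    if find_pans(blob):
        classes.add("PAN")
    return classes


# Trust-zone policy (assumed): which data classes each VSA-backed zone may hold.
ZONE_POLICY = {
    "pci-vsa": {"PAN"},
    "internal-web-vsa": set(),
    "dmz-vsa": set(),
}


def scan_zone(zone: str, datastore: dict) -> list:
    """Return (path, data_class) pairs that violate the zone's policy.

    datastore models the VSA's file system as {path: bytes}."""
    allowed = ZONE_POLICY[zone]
    violations = []
    for path, blob in datastore.items():
        for cls in sorted(classify(blob) - allowed):
            violations.append((path, cls))
    return violations


# Constructed sample datastore. The last entry stands in for a blob encrypted
# by the VSA (an opaque base64 string): the scanner cannot see into it.
SAMPLE_DATASTORE = {
    "hr/employees.csv": b"name,ssn\nAlice Example,123-45-6789\n",
    "web/access.log": b'10.0.0.5 - - "GET /index.html HTTP/1.1" 200 5123\n',
    "shop/orders.txt": b"order 1001 card 4111 1111 1111 1111 exp 12/29\n",
    "vault/records.enc": b"U2FsdGVkX1+Qe9vH3mJ0c4bR7LkZ2pNw8aYtXsFfGhI=",
}

if __name__ == "__main__":
    for zone in ZONE_POLICY:
        print(zone, scan_zone(zone, SAMPLE_DATASTORE))
```

Run against the constructed datastore, the HR file is flagged in every zone, the orders file is flagged everywhere except the PCI zone, and the encrypted vault file is flagged nowhere. That last result is a blind spot, not a clean bill of health, which is why either the VSA has to expose a compliance hook or the scan has to run where the data is in the clear.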

Data Protection

The last part of our defense in depth is to protect the data from destruction or catastrophic loss, which normally implies some form of data protection. That often means backup tools, but it can also mean replicating virtual storage appliances. We mentioned previously that VSAs can augment existing storage devices by providing functionality not found in the underlying layers; data replication is one such augmentation. Within a VSA, however, replication can not only augment but also unify all storage devices so that they appear as the same type of storage. When we replicate our data through a storage gateway VSA, we can provide a level of data protection that allows not only local copies but also copies made out into the cloud. DataCore's new SanSymphony is one such VSA that provides augmentation and unification of underlying storage devices, offering a common storage platform and replication as well as advanced functionality like VAAI to further improve the performance of the VSA.


Given that Virtual Storage Appliances augment the current storage layers, these devices can also be used to provide unexpected security capabilities. Tools such as Afore and HighCloud Security intentionally provide data at rest encryption, but they also provide data in motion encryption as well as a way to segment storage workloads by trust zone without the need for more hardware. With judicious use of physical and virtual firewalls we can ensure that data intended for one trust zone’s VSA does not go astray. It is time we made more use of storage hypervisors, not just for their obvious benefits but to provide security above and beyond the typical storage security models.

But one thing is sure: if we add a storage virtualization layer as described, we also need to increase our auditing of the virtual storage appliances to ensure that there are no configuration or networking changes that could impact overall security, in addition to using tools that prevent movement of VMs between storage security zones (such as those that provide tagging, which is a topic for another post).
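As an added example (not from the original post or from any vendor tool), this is the audit that the two points above call for, along with the earlier call for auditing missteps in presentation, zoning and array selection: it checks a snapshot of LUN presentation, fabric zoning and VM-to-datastore placement against a trust-zone policy, and fingerprints the snapshot so that any configuration or networking change since the last known-good audit is flagged. All host, target, zone and datastore names, and the policy itself, are constructed for illustration.

```python
import hashlib
import json

# Trust-zone policy (assumed): which virtualization hosts may reach which
# storage targets (the VSAs), and which datastores belong to which zone.
POLICY = {
    "dmz": {"hosts": {"esx-dmz-01", "esx-dmz-02"}, "targets": {"vsa-dmz"}},
    "internal": {"hosts": {"esx-int-01"}, "targets": {"vsa-int"}},
}
DATASTORE_ZONE = {"ds-dmz-web": "dmz", "ds-int-app": "internal"}


def trust_zone_of(member: str):
    """Map a host or target name to its trust zone, or None if unassigned."""
    for zone, p in POLICY.items():
        if member in p["hosts"] or member in p["targets"]:
            return zone
    return None


def audit_presentation(masking: dict) -> list:
    """masking: {target: {lun: set(initiator hosts)}}.
    Return (target, lun, host) for every LUN presented to a host outside
    the target's trust zone."""
    findings = []
    for target, luns in masking.items():
        zone = trust_zone_of(target)
        for lun, hosts in luns.items():
            for host in sorted(hosts):
                if zone is None or host not in POLICY[zone]["hosts"]:
                    findings.append((target, lun, host))
    return findings


def audit_zoning(fabric_zones: dict) -> list:
    """fabric_zones: {zone_name: set(members)} from the FC zoning, VLAN or SDN
    config. Return (zone_name, trust_zones) for every fabric zone that mixes
    members of different trust zones."""
    findings = []
    for name, members in fabric_zones.items():
        zones = tuple(sorted({trust_zone_of(m) or "unassigned" for m in members}))
        if len(zones) > 1:
            findings.append((name, zones))
    return findings


def audit_placement(vm_placement: dict) -> list:
    """vm_placement: {vm: (vm_trust_zone_tag, datastore)}.
    Return (vm, tag, datastore_zone) for VMs sitting on another zone's storage,
    e.g. after a storage migration across zones."""
    findings = []
    for vm, (tag, datastore) in vm_placement.items():
        ds_zone = DATASTORE_ZONE.get(datastore, "unassigned")
        if ds_zone != tag:
            findings.append((vm, tag, ds_zone))
    return findings


def fingerprint(config: dict) -> str:
    """Stable SHA-256 over a configuration snapshot; sets are serialised sorted."""
    blob = json.dumps(config, sort_keys=True, default=sorted).encode()
    return hashlib.sha256(blob).hexdigest()


def run_audit(config: dict, baseline_fingerprint=None) -> dict:
    """config: {"masking": ..., "zoning": ..., "placement": ...}.
    'drift' is True when the snapshot differs from the last known-good one."""
    return {
        "presentation": audit_presentation(config["masking"]),
        "zoning": audit_zoning(config["zoning"]),
        "placement": audit_placement(config["placement"]),
        "drift": baseline_fingerprint is not None
        and fingerprint(config) != baseline_fingerprint,
    }


# Constructed "known good" snapshot, and a later snapshot with one misstep of
# each kind: a DMZ LUN shown to an internal host, the DMZ VSA added to the
# internal fabric zone, and an internal VM moved onto DMZ storage.
GOOD_CONFIG = {
    "masking": {"vsa-dmz": {"lun0": {"esx-dmz-01", "esx-dmz-02"}},
                "vsa-int": {"lun0": {"esx-int-01"}}},
    "zoning": {"z_dmz": {"esx-dmz-01", "esx-dmz-02", "vsa-dmz"},
               "z_int": {"esx-int-01", "vsa-int"}},
    "placement": {"web01": ("dmz", "ds-dmz-web"), "app01": ("internal", "ds-int-app")},
}
DRIFTED_CONFIG = {
    "masking": {"vsa-dmz": {"lun0": {"esx-dmz-01", "esx-dmz-02"},
                            "lun1": {"esx-dmz-01", "esx-int-01"}},
                "vsa-int": {"lun0": {"esx-int-01"}}},
    "zoning": {"z_dmz": {"esx-dmz-01", "esx-dmz-02", "vsa-dmz"},
               "z_int": {"esx-int-01", "vsa-int", "vsa-dmz"}},
    "placement": {"web01": ("dmz", "ds-dmz-web"), "app01": ("internal", "ds-int-app"),
                  "app02": ("internal", "ds-dmz-web")},
}

if __name__ == "__main__":
    baseline = fingerprint(GOOD_CONFIG)
    for check, result in run_audit(DRIFTED_CONFIG, baseline).items():
        print(check, result)
```

The fingerprint is deliberately a separate signal from the policy findings: a change that still passes policy (a new LUN presented correctly, a VSA re-addressed) is still a change somebody should be able to account for, and a drift alert with no findings is the prompt to go and look at what moved.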