Study reveals storage security flaws

Storage systems have a significantly weaker security posture than the other two layers of IT infrastructure: computing and networking resources. The conclusion comes from a study that looked at vulnerabilities and misconfigurations in storage systems from multiple vendors, including Dell EMC, IBM, Hitachi Data Systems, Cisco, Brocade, and NetApp.

“Of the three main classes of IT infrastructure, storage is often the most valuable, both from a security and a business perspective,” said Gil Hecht, CEO of Continuity, which was responsible for the survey. “Security vulnerabilities and misconfiguration of storage devices pose a significant threat, especially as ransomware attacks have taken over companies in recent years. Still, based on our analysis, the security posture of most storage systems in companies is extremely weak,” added the executive.

The storage systems evaluated showed, on average, 15 security vulnerabilities. Approximately three of them were considered high risk or critical, that is, they could cause great damage if exploited. The five most common types of vulnerabilities found are:

1. Use of Vulnerable Protocols/Inappropriate Settings – These protocols cover traditional networks (IP over Ethernet and WAN) and dedicated storage networks. It is critical to secure these protocols during session establishment and also during data exchange. However, in a very high number of cases and in most environments, it is still common to find inappropriate settings.

2. Unresolved common vulnerabilities (CVEs) – There are several components used with storage devices and networks, such as operating systems, controller firmware, APIs, and management systems. Vulnerabilities in these components are frequently discovered and recorded in widely publicized CVEs (Common Vulnerabilities and Exposures). In most cases, fixes in the form of an update are suggested, but not always implemented.

3. Access rights issues causing overexposure – Many devices were improperly configured, which included unrestricted access to shared storage systems, non-recommended zoning and masking, and permission to reach storage elements from external networks.

4. Insecure user management and authentication – Storage devices are managed through users and roles and, in many cases, data access is controlled the same way. There are basic recommendations for managing and authenticating users that, for various reasons, are not followed for storage devices with the same rigor applied to computing and network resources.

5. Insufficient logging – Reporting and auditing are fundamental requirements of any solid security practice, including those related to storage systems. All configuration, management, and critical-data access activities must be properly recorded, including the time, an appropriate level of detail, and the type of event, among other information. The study found that about 15% of production storage systems did not have reports, and another substantial portion had reports susceptible to manipulation.

The study highlights that it is essential to strengthen the security strategies of storage systems, as data-centric attacks are increasingly sophisticated and regulations are becoming stricter. Furthermore, the business implications resulting from ineffective measures in this sector can be devastating for companies.

The recommendation is to evaluate the internal security processes to determine if they cover the storage infrastructure sufficiently. The study lists some questions that can help clarify the maturity level of storage security planning:

  • Does your security policy specifically cover the risks associated with storage systems and networks and backup solutions?
  • Is the security of the storage infrastructure frequently evaluated?
  • Are there detailed plans and procedures for recovery in the event of an attack on storage or backup systems? Are they tested from time to time?
  • And finally, after the revelations in this study and others like it, how reliable can the storage environment be considered?