By Ian Lock, GlassHouse Technologies (UK), storage & backup service director
Recently I have been asked by several clients about the security of shared storage and backup environments, and in particular whether any element of their storage infrastructure should be shared between internal production and external DMZ servers.
The general consensus for many years for most of my clients has been a definite ‘no’ to this question; the only link between external and internal networks should be a firewall and nothing else. Such rules are normally written in stone and policed by the security team with draconian penalties for anyone who dares to disobey.
I have up to now agreed wholehearted with these rules; they’re there for a very good reason, right? They limit the risk of nasty things or people getting to your production data from the outside.
However, during the course of recent conversations I began to wonder if there wasn’t an argument for some carefully managed sharing of storage resources?
The question seems to have started to crop up a lot more frequently as storage arrays become more and more ‘unified’ and servers become more and more ‘virtualised’.
Companies have realised the benefits of consolidating and virtualising previously separate physical systems to drive down costs, so it goes against the grain to keep discrete storage arrays for production and DMZ.
Most centralised backups systems are, after all, allowed to protect servers in the DMZ, as long as the backup data passes through the firewall. And many clients allow virtual machines residing on the same physical hosts to be provisioned for both production and DMZ use.
As long as all storage management interfaces and software tools are kept carefully locked down inside a secure internal VLAN, what are the actual risks of presenting a LUN to DMZ and production hosts from the same array?
Perhaps the answer is to allow sharing of storage resources, but only with better end-to-end security, including tighter intrusion detection systems and maybe encryption of data at rest embedded into storage arrays. That way you get the best of both worlds.