Features
- Cover Type: Paperback with 408 pages
- Published by: Wiley
- Edition: 1st Edition, December 20, 2002
- Written in: English
- ISBN 10 Number: 0764516884
- ISBN 13 Number: 978-0764516887
- Book Dimensions: 9 x 7.5 x 0.9 inches
- Weighs: 1.4 pounds
Reader Reviews
Securing storage sub-systems is an important, but omitted, task. Will this text help you to do what is necessary to secure your storage fabrics? On my third read, the answer remains elusive. Important parts that should be part of standard decision protocol are missing. Will the text help you to understand security as a general topic? Certainly, the text attempts to apply CISSP concepts to the storage security topic. In Chapter 1, trade articles cite storage pundits on the typical security grind, with a few small customer comments. All neglect in some form the fact that administrative error is the number one risk to availability, and by ISO17799, a security threat. Security is proactive rather than reverse engineered. The listing of security domains is certainly useful as a template for consideration. Chapter 2 (DAS) discusses at length issues of data protection (RAID), discussion of interface technologies, and a useful CISS matrix that is then applied to each interface. Rather than offer mitigation strategies for each interface, security resorts to the traditional CISSP analysis approach: classify, use standards, build a plan, etc., when people really need situational case studies and risk mitigation. (Certainly, it remains important to do the analysis, but that is part of a CISSP text.) Chapter 3 (NAS) begins with discussion of the NAS technology and their reasons for values supporting their security evaluation criteria. I found no serious discussion of the relationship of NAS to the outside world (Windows and UNIX) and the risks that this creates (need for authentication, etc.). In addition, one would expect a discussion of NFS flavors, CIFS and Active Directory, but this too was absent. One nit was a "weakness: NAS may not be good for databases," which with the new locking mechanisms is becoming more popular (although I personally still have a hard time with the idea). Some protocols discussed are no longer in use.
It includes a passable discussion on NASD and key management. Chapter 4 (SAN), as with the others, begins with discussion of technologies in the broad sense of the storage fabric, including iSCSI and FC, followed by a SAN security matrix. The discussion of "Manageability" and "Access Control Management," including techniques by title and model, remain as definitions without an interpretation within the technology - e.g., the Bell-LaPadula Model includes mandatory access control by determining access rights from different security levels, and discretionary access control by cross-referencing access rights from a matrix. How do we create the matrix in SAN terms, develop security levels, and determine access control rights? When is it appropriate to use this model? Very little discussion of authentication, other than user or administrator rights - techniques were in existence at the time of publication. I could continue, but my findings remain that this is a book about security, not storage security. It has a lot of potential if the models are given life with real-life interpretation.