4 Questions CIOs Must Ask About Data Storage Security
By Jon Toor, CMO of Cloudian, contributing to the #BUDRInsightJam.
Organizations face significant threats to their data security today, and the risks are only getting worse. In 2020, data breaches will cost US enterprises an average of $8.6 million. Meanwhile, ransomware attacks — arguably the greatest data security threat to all organizations — are up nearly 140% in the U.S. this year. CIOs are under tremendous pressure to safeguard their data and protect their businesses’ bottom lines. To avoid falling victim to a catastrophic breach, CIOs must ask themselves the following four questions about their data storage security.
How are we protecting in-flight data?
Data that’s in the process of being acquired or moved within an organization is particularly vulnerable to breaches. This in-flight data can be compromised through “eavesdropping.” Using this method, hackers “listen” to data communications, searching for passwords or other information being transmitted in plaintext.
The best way to prevent eavesdropping is through data encryption and secure transport protocols. CIOs can be confident that their encryption and transport protocols are strong if their storage system supports the following:
- Server-side Encryption (SSE)
- Amazon Web Services Key Management Service (AWS KMS)
- OASIS Key Management Interoperability Protocol (KMIP)
- Transport Layer Security / Secure Sockets Layer (TLS/SSL)
How are we protecting data-at-rest?
Stored data is vulnerable to hacker attacks in two ways. The first is the theft of valuable personal information, such as credit card numbers, which a hacker can steal and then resell. A second vulnerability has recently emerged in which hackers steal information of all types and then threaten to make the information public unless a ransom is paid.
To protect stored data, it is best to employ AES-256 encryption — the specification established by the U.S. National Institute of Standards and Technology (NIST) — using a system-generated encryption key (regular SSE) or a customer-provided and managed encryption key (SSE-C). In the SSE-C case, the upload and download requests carry the key over HTTPS, and the system does not store a copy of the encryption key.
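To make the SSE-C property concrete, here is an added example (not Cloudian's code or any real product's implementation) of a minimal in-memory storage node that encrypts each object with a customer-supplied 256-bit key using AES-256-GCM and keeps only the ciphertext, the nonce and a SHA-256 digest of the key. The store type, the digest-based key check and the sample key are all assumptions made for illustration; the point they demonstrate is that the stored record never contains the key or the plaintext, so a read requires the customer to present the key again.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// storedObject is what this hypothetical storage node keeps for an SSE-C
// object: ciphertext, nonce and a digest of the customer key, never the key.
type storedObject struct {
	nonce      []byte
	ciphertext []byte
	keyDigest  [32]byte
}

// sseStore is a minimal in-memory model of an SSE-C object store.
type sseStore struct {
	objects map[string]storedObject
}

func newSSEStore() *sseStore { return &sseStore{objects: make(map[string]storedObject)} }

// Put encrypts plaintext with the caller-supplied 256-bit key (AES-256-GCM)
// and retains only the ciphertext plus a SHA-256 digest of the key.
func (s *sseStore) Put(name string, plaintext, key []byte) error {
	if len(key) != 32 {
		return errors.New("SSE-C requires a 256-bit customer key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	// The object name is bound in as additional authenticated data so a
	// ciphertext cannot be silently swapped between two objects.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	s.objects[name] = storedObject{nonce: nonce, ciphertext: ct, keyDigest: sha256.Sum256(key)}
	return nil
}

// Get requires the same customer key; a wrong key is rejected by the digest
// check (and would fail GCM authentication anyway).
func (s *sseStore) Get(name string, key []byte) ([]byte, error) {
	obj, ok := s.objects[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	digest := sha256.Sum256(key)
	if subtle.ConstantTimeCompare(digest[:], obj.keyDigest[:]) != 1 {
		return nil, errors.New("customer key does not match object")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.nonce, obj.ciphertext, []byte(name))
}

// ContainsBytes reports whether the stored record for name contains needle
// verbatim; used to confirm that neither key nor plaintext is kept at rest.
func (s *sseStore) ContainsBytes(name string, needle []byte) bool {
	obj, ok := s.objects[name]
	if !ok {
		return false
	}
	return bytes.Contains(obj.ciphertext, needle) ||
		bytes.Contains(obj.nonce, needle) ||
		bytes.Contains(obj.keyDigest[:], needle)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real secret
	store := newSSEStore()
	_ = store.Put("customer-records.csv", []byte("4111 1111 1111 1111"), key)
	pt, err := store.Get("customer-records.csv", key)
	fmt.Printf("with key: %s (err=%v)\n", pt, err)
	_, err = store.Get("customer-records.csv", bytes.Repeat([]byte{0x43}, 32))
	fmt.Println("wrong key:", err)
	fmt.Println("key stored at rest:", store.ContainsBytes("customer-records.csv", key))
}
```

A real system would also log the key digest mismatch as a security event, since repeated mismatches on one object are a signal worth investigating.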
Can our data be made immutable?
It’s well documented that ransomware attacks have risen sharply over the past several years. Ransomware encrypts an organization’s data where it resides, at the storage layer. For organizations that fall victim and don’t have an uninfected copy of their data, the only way to get back control is to pay a ransom amount in exchange for a decryption key that unlocks the infected data.
Having a backup data copy may appear to be a good defense, but, in fact, the backup copies are often the first thing a hacker will target for encryption. The best way to defend against a ransomware attack is to ensure you have immutable backup copies of your data. That way, if critical files become inaccessible, you can restore them from the uninfected backups and continue operations without paying a ransom.
There are two storage architectures that provide data immutability. One is magnetic tape storage. Here, the backup copies can be physically removed from the library, making them inherently immune to malware. However, tape storage is time-consuming to manage and can entail slow recovery, particularly for tape stored offsite.
The other option for data immutability is object storage. Select object storage platforms support a new feature called Object Lock. Object Lock uses WORM (Write Once Read Many) technology to enable organizations to create backup data copies that cannot be changed for a set period of time. Once the backup data is written to media, it cannot be deleted or overwritten until the “time lock” has elapsed, making it impossible for hackers to encrypt these backups and guaranteeing that a safe copy will always be available for recovery. Object Lock works the same on-premises, in a private cloud, or in the public cloud.
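The retention behaviour described above can be shown in a few dozen lines. The following is an added example, not Cloudian's Object Lock implementation or the S3 API: an in-memory WORM store (the type names, the injected clock and the sample backup names are assumptions) that refuses overwrites and deletes while an object's retain-until date has not passed, and allows the retention date to be extended but never shortened, so that a caller holding valid credentials still cannot unlock a backup early. The `main` function plays the role of a defender checking that a simulated overwrite and delete are both refused and that the clean copy is still restorable.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// lockedObject is a stored backup copy plus its retain-until timestamp.
type lockedObject struct {
	data        []byte
	retainUntil time.Time
}

// wormStore models a compliance-style Object Lock: no caller, not even the
// owner, can delete or overwrite an object before its retention expires.
// The clock is injected so retention can be exercised without waiting.
type wormStore struct {
	now     func() time.Time
	objects map[string]lockedObject
}

func newWORMStore(now func() time.Time) *wormStore {
	return &wormStore{now: now, objects: make(map[string]lockedObject)}
}

var errLocked = errors.New("object is under retention and cannot be modified")

func (w *wormStore) locked(name string) bool {
	obj, ok := w.objects[name]
	return ok && w.now().Before(obj.retainUntil)
}

// Put writes a new object and locks it until retainUntil. Writing over an
// existing locked object is refused: a backup cannot be replaced in place.
func (w *wormStore) Put(name string, data []byte, retainUntil time.Time) error {
	if w.locked(name) {
		return errLocked
	}
	if !retainUntil.After(w.now()) {
		return errors.New("retention period must end in the future")
	}
	w.objects[name] = lockedObject{data: append([]byte(nil), data...), retainUntil: retainUntil}
	return nil
}

// Delete is refused while the retention period is running.
func (w *wormStore) Delete(name string) error {
	if w.locked(name) {
		return errLocked
	}
	delete(w.objects, name)
	return nil
}

// ExtendRetention may move the retain-until date later, never earlier;
// allowing it to shrink would let stolen credentials defeat the lock.
func (w *wormStore) ExtendRetention(name string, until time.Time) error {
	obj, ok := w.objects[name]
	if !ok {
		return errors.New("no such object")
	}
	if !until.After(obj.retainUntil) {
		return errors.New("retention can only be extended")
	}
	obj.retainUntil = until
	w.objects[name] = obj
	return nil
}

// Get returns a copy of the stored data, which by construction is unmodified.
func (w *wormStore) Get(name string) ([]byte, bool) {
	obj, ok := w.objects[name]
	if !ok {
		return nil, false
	}
	return append([]byte(nil), obj.data...), true
}

func main() {
	clock := time.Date(2020, 11, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	store := newWORMStore(func() time.Time { return clock })
	const backup = "backup-2020-11-01.tar" // constructed object name
	_ = store.Put(backup, []byte("clean backup"), clock.Add(30*24*time.Hour))
	// Simulated tampering: both operations must be refused while locked.
	fmt.Println("overwrite:", store.Put(backup, []byte("encrypted garbage"), clock.Add(365*24*time.Hour)))
	fmt.Println("delete:   ", store.Delete(backup))
	data, _ := store.Get(backup)
	fmt.Printf("restorable copy: %s\n", data)
	// Once the time lock has elapsed, normal lifecycle cleanup is allowed.
	clock = clock.Add(31 * 24 * time.Hour)
	fmt.Println("delete after expiry:", store.Delete(backup))
}
```

The governance-style variant offered by some platforms lets specially privileged users bypass the lock; for ransomware defence the compliance-style behaviour modelled here, where no credential can shorten or lift the lock, is the one to look for.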
Is our storage infrastructure fully compliant?
CIOs realize it’s critical to ensure their IT systems comply with all industry regulations. Compliance can be complicated and involves many different layers. CIOs must be sure that their employees, business practices, and technology all conform to certain requirements.
It might seem time-consuming and difficult to evaluate a storage platform for all these factors. However, there’s a shortcut: take a look at all the security certifications that your storage infrastructure vendor has earned. Storage vendors must invest major time and resources to pass most third-party security validations, which makes those validations a reliable barometer of how secure a solution is.
There are a variety of different security certifications out there today. CIOs should put more weight on certain certifications based on their industry. However, regardless of sector, all CIOs should check for these certifications:
- Common Criteria (CC): The Common Criteria for Information Technology Security Evaluation—better known simply as Common Criteria—is an internationally developed standard (ISO/IEC 15408) for computer security that attests to storage being tamper-proof.
- Federal Information Processing Standard (FIPS): FIPS is a U.S. standard developed by NIST. It establishes a set of requirements for technology solutions and is used by U.S. government agencies when evaluating products and solutions.
- SEC Rule 17a-4: This is a regulation issued by the U.S. Securities and Exchange Commission that specifies (among other things) requirements for a WORM classification of the storage system.
Data storage security is a critical part of any CIO’s job today. Organizations cannot simply protect their data by relying on perimeter security solutions alone — they must make sure their storage systems include comprehensive security capabilities. Ransomware attacks data where it lives at the storage layer, so it only makes sense to enable protection at the same layer. Features such as encryption, transport protocols, and Object Lock serve as this data’s last (and most important) line of defense. At the same time, it’s essential that storage solutions meet key security certification requirements.
About the author
Jon Toor leads Cloudian’s inbound and outbound marketing teams. Prior to Cloudian, Toor served as vice president of digital marketing and demand generation at Brocade. He also served as the vice president of marketing at Xsigo Systems, where he led the outbound marketing team, a group he led from company launch until the company acquisition by Oracle. Prior to Xsigo, he served at ONStor as vice president of marketing.