Traditionally, storage and security have been separate disciplines within IT. Although the two groups have overlapping concerns and work together on specific projects, they remain very different. This model is changing. Constant news of security breaches at well-known organizations such as Sears, Delta Air, Panera Bread, Saks Fifth Avenue, MyFitnessPal, Orbitz, FedEx, and the city of Atlanta has IT managers very concerned about their own risks. Many are adopting DevSecOps, an approach that makes everyone in the organization responsible for security. For storage professionals, this means paying more attention to the protection of data storage.
What is data storage security?
Data storage security is a subset of the broader field of computer security, focusing specifically on the protection of storage devices and systems. The SNIA (Storage Networking Industry Association) Dictionary gives the following, more technical definition of storage security:
What is Storage security:
It is the application of physical, technical, and administrative controls to protect storage systems and infrastructure, as well as the data stored in them. Storage security focuses on protecting data (and its infrastructure) from unauthorized disclosure, modification, or destruction while ensuring its availability to authorized users. These controls can be preventive, detective, corrective, deterrent, recovery, or compensatory. SNIA says that “secure storage may also be the last hope of defense against an adversary, but only if administrators invest time and effort to implement and activate accessible storage controls for security.”
Ensuring adequate data security is a delicate balancing act for administrators and storage managers. You need to weigh three main concerns that fall under the CIA acronym: confidentiality, integrity, and availability. You must keep confidential data out of the reach of unauthorized users, ensure that the data on your systems is reliable, and ensure that the data is available to all members of the organization who need to access it. At the same time, you need to be aware of the cost and value of your data. Nobody wants to end up with data security systems that are more expensive than the value of the data they protect. However, security must also be strong enough that a potential attacker would have to spend more time and resources on a breach than the data is worth.
Data security vs. data protection:
Storage security and data security are closely linked to data protection. Data security is primarily about keeping private information out of the hands of people who are not authorized to see it. It also includes protecting data from other types of attacks, e.g., ransomware that prevents access to information, or attacks that change data and make it unreliable. Data protection is more about ensuring the availability of data after less malicious incidents such as system or component failures or even natural disasters. However, the two overlap in their common need to ensure the reliability and availability of information and the need to recover from incidents that could compromise a company’s data. Storage professionals often face security and data protection issues at the same time, and some of the best practices can help resolve both.
Key drivers for data storage security:
Several current trends are increasing companies’ interest in data security. They include the following:
Data growth:
According to IDC, the amount of data stored in the world’s computer systems doubles approximately every two years. For businesses, this means continuously adding new storage capacity to meet the needs of the business. And as storage volumes grow, they become more valuable as targets and more difficult to protect.
Verizon’s 2018 Data Breach Investigations Report uncovered 53,000 security incidents last year, including 2,216 data breaches – and that’s only a fraction of the actual events businesses have experienced. A recent report from a UK government agency found that 2017 saw more cyber attacks than any other year. Almost every day a new attack seems to be in the news, keeping companies on alert.
Data breach cost:
Recovering from a data breach is incredibly expensive. The Ponemon Institute’s 2017 study of the cost of a data breach found that victim organizations spent an average of $3.62 million, or about $141 per lost record, to recover from the 2017 incidents. This expense can be a strong incentive to improve data security.
Increasing value of data:
With the advent of big data analysis, companies are more aware of the value of their data than ever. The big data analytics market has grown by 63.6% in recent years. By 2020, companies are expected to spend $22.8 billion on tools that help them discover valuable information in their data. However, for the analysis to be useful, companies need to be able to ensure the accuracy of their data, which means investing in security.
With trends such as cloud computing and the Internet of Things (IoT), businesses have distributed data to more places than ever before. Enterprise networks no longer have a well-defined perimeter that organizations can protect with firewalls. Instead, they must rely more on defense-in-depth, including storage security, to protect their information.
Governments are becoming more and more interested in data security and are therefore passing stricter laws. The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, requires companies around the world to take more stringent measures to protect customer privacy. It also affects storage security.
Business continuity needs:
2017 was a record year for natural disasters in the United States, underscoring the need for business continuity and disaster recovery capabilities. This stimulates the demand for secure backup and other storage security technologies.
According to Forrester, 63% of companies have already implemented DevOps, and 27% plan to do so. With the growth of DevOps, more and more companies are becoming interested in DevSecOps, which integrates security into the approach and distributes responsibility for security throughout the enterprise – including the data storage team.
Another important driver of data storage security is the inherent vulnerabilities in storage systems. They include the following:
Lack of encryption:
Although some high-end NAS and SAN devices include automatic encryption, many products on the market do not include these capabilities. This means that organizations must install separate software or an encryption device to ensure that their data is encrypted.
An increasing number of companies are choosing to store all or part of their data in the cloud. While some argue that cloud storage is more secure than on-premises storage, the cloud adds complexity to storage environments and frequently requires storage personnel to learn new tools and implement new procedures to ensure data is adequately protected.
Incomplete data destruction:
When data is erased from a hard disk or another storage medium, it can leave traces that could allow unauthorized people to retrieve the information. It is the responsibility of storage administrators and managers to ensure that all data deleted from storage is overwritten so that it cannot be recovered.
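The overwrite-before-delete step described above, as an added Python example that is not part of the original article. The function names and the sample file are constructed for illustration, and the code assumes storage that rewrites blocks in place.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks to bound memory use


def overwrite_in_place(path, passes=1):
    """Replace every byte of an existing file with random data; return its size.

    Assumption: the storage rewrites blocks in place (classic hard disk, no
    snapshots). On SSDs and copy-on-write or snapshotting layers the old
    blocks may survive, so use the device's sanitize command or encrypt the
    data and destroy the key there instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b: modify without truncating
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # push the overwrite past the OS cache
    return size


def secure_delete(path, passes=1):
    """Overwrite first, then unlink, so the freed blocks hold no old data."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def make_sample_file():
    """Constructed sample input: a temp file filled with a recognisable marker."""
    fd, path = tempfile.mkstemp(prefix="constructed_record_")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONSTRUCTED-CUSTOMER-RECORD;" * 4096)
    return path


if __name__ == "__main__":
    p = make_sample_file()
    print("overwrote and removed", secure_delete(p), "bytes")
```

A plain delete only removes the directory entry; the overwrite and fsync are what change the blocks on the medium before they are released.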
Lack of physical security:
Some organizations do not pay enough attention to the physical security of their storage devices. In some cases, they do not consider that an insider, such as an employee or a member of a cleaning team, can access physical storage devices and extract data, bypassing all carefully planned network security measures.
Best practices for data security:
To address these technology trends and the security vulnerabilities inherent in their storage systems, experts recommend that organizations implement the following best practices for data security:
Data storage security policies:
Businesses must have written policies that specify the appropriate security levels for the different types of data they have. Public data requires much less security than restricted or confidential data, and the organization must have security models, procedures, and tools to apply the appropriate protections. The policies should also include details of the security measures to be implemented on the storage devices used by the organization.
Role-based access control is essential for a secure data storage system, and in some cases, multi-factor authentication may be appropriate. Administrators should also be careful to change the default passwords on their storage devices and to enforce the use of strong passwords by users.
Data must be encrypted in transit and at rest on storage systems. Storage administrators must also have a secure key management system to track their encryption keys.
Data loss prevention:
Many experts believe that encryption alone is not enough to ensure complete data security. They recommend that organizations also implement data loss prevention (DLP) solutions that can help find and stop ongoing attacks.
Enhanced network security:
Storage systems do not exist in a vacuum; they must be surrounded by robust network security systems such as firewalls, anti-malware protection, security gateways, intrusion detection systems, and possibly advanced security solutions based on machine learning and analytics. These measures should prevent most cyber attackers from accessing storage devices.
Improved device security:
Companies also need to ensure that appropriate security measures are in place on PCs, smartphones, and other devices that access stored data. These endpoints, especially mobile devices, can otherwise be a weak point in a company’s cyber defense.
Redundancy, including RAID technology, not only helps improve availability and performance but, in some cases, can also help businesses mitigate security incidents.
Backup and restore:
Some successful malware or ransomware attacks compromise corporate networks so thoroughly that the only way to recover is to restore from backups. Storage managers must ensure that their backup systems and processes are suitable for this type of event as well as for disaster recovery purposes. They must also ensure that the backup systems have the same data security as the primary systems.