Traditionally, storage and security have been separate disciplines within IT. While the two groups had some overlapping concerns and worked together on some projects, they were largely distinct.
These days, that model is changing. The constant news about security breaches at well-known companies like Sears and Delta Air, Panera Bread, Saks Fifth Avenue and Lord & Taylor, MyFitnessPal, Orbitz, FedEx and the city of Atlanta have enterprise IT leaders very concerned about their own risk.
Many are adopting DevSecOps, an approach that makes everyone in the organization responsible for security. For storage professionals, that means paying greater attention to data storage security.
What Is Data Storage Security?
Data storage security is a subset of the larger IT security field, and it is specifically focused on securing storage devices and systems.
The Storage Networking Industry Association (SNIA) Dictionary offers the following, more technical definition data storage security:
Storage Security: Application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them. Storage security is focused on protecting data (and its storage infrastructure) against unauthorized disclosure, modification or destruction while assuring its availability to authorized users. These controls may be preventive, detective, corrective, deterrent, recovery or compensatory in nature.
The SNIA also notes that secure storage "may also be the last line of defense against an adversary, but only if storage managers and administrators invest the time and effort to implement and activate the available storage security controls."
For storage administrators and managers, ensuring proper data storage security is a careful balancing act. They must weigh three primary concerns covered by the acronym CIA: confidentiality, integrity and availability. They must keep sensitive data out of the hands of unauthorized users and they must assure that the data in their systems is reliable, while also making sure that data is available to everyone in the organization who needs to access it.
At the same time, they need to be very cognizant of costs and the value of their data. No one wants to end up with data storage security systems that are more expensive than the value of the data they are protecting. Yet organizations also need to have strong enough security systems that breaching them would require potential attackers to expend more time and resources than the data would ultimately be worth.
Data Security vs Data Protection
Storage security and data security are closely related to data protection. Data security primarily involves keeping private information out of the hands of anyone not authorized to see it. It also includes protecting data from other types of attacks, such as ransomware that prevents access to information or attacks that alter data, making it unreliable.
Data protection is more about making sure data remains available after less nefarious incidents, like system or component failures or even natural disasters.
But the two overlap in their shared need to ensure the reliability and availability of information, as well as in the need to recover from any incidents that might threaten an organization’s data. Storage professionals often find themselves dealing with data security and data protection issues at the same time, and some of the same best practices can help address both concerns.
Data security and data protection are clearly overlapping concerns. Image Source: SNIA
Key Drivers for Data Storage Security
Several recent trends are increasing enterprise interest in data security. They include the following:
- Data growth — According to IDC, the amount of data stored in the world's computer systems is roughly doubling every two years. For enterprises, that means constantly needing to add new storage in order to keep up with business needs. And as storage volumes grow, they become more valuable as targets and more difficult to protect.
- Cyberattack growth — The Verizon 2018 Data Breach Investigations Report uncovered 53,000 security incidents last year, including 2,216 data breach incidents — and that's only a fraction of the actual events experienced by organizations. And a recent report from a UK government agencyfound found that 2017 had more cyberattacks than any other year on record. New attacks seem to be in the news nearly every day, and that has businesses worried about their security posture.
- Cost of data breaches — Recovering from a data breach is incredibly expensive. The Ponemon Institute 2017 Cost of a Data Breach Study found that companies experiencing breaches spent an average of $3.62 million, or about $141 per record lost, to recover from incidents in 2017. Those expenses can be a powerful encouragement to improve data security.
- Increasing data value — Thanks to the rise of big data analytics, organizations are more aware than ever of the value of their data. According to Gartner the big data analytics market grew by as much as 63.6 percent in recent years, and by 2020, enterprises will likely spend $22.8 billion on tools to help them uncover valuable insights in their data. But in order for analytics to prove useful, enterprises need to be able to ensure the veracity of their data, and that means investing in security.
- Edgeless networks — Thanks to trends like cloud computing and the Internet of Things (IoT), enterprises now have data spread out in more places than ever before. Corporate networks no longer have a hard edge that organizations can define and protect with firewalls. Instead, they must rely more strongly on defense in depth, including storage security, to protect their information.
- Regulation — Governments are taking an increasing interest in data security and passing stronger laws as a result. The EU's General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, is forcing companies around the world to take stronger measures to protect customer privacy, and that will impact storage security as well.
- Need for business continuity — 2017 was a record year for natural disasters in the US, highlighting the need for business continuity and disaster recovery capabilities. This is driving demand for secure backup and other storage security technologies.
- DevSecOps approaches — According to Forrester, 63 percent of organizations have already implemented DevOps, and another 27 percent are planning to do so. As DevOps grows, more companies are becoming interested in DevSecOps, which integrates security into the approach and spreads responsibility for security throughout the organization — including the data storage team.
Another huge driver of interest in data storage security is the vulnerabilities inherent in storage systems. They include the following:
- Lack of encryption — While some high-end NAS and SAN devices include automatic encryption, plenty of products on the market do not include these capabilities. That means organizations need to install separate software or an encryption appliance in order to make sure that their data is encrypted.
- Cloud storage — A growing number of enterprises are choosing to store some or all of their data in the cloud. Although some argue that cloud storage is more secure than on-premises storage, the cloud adds complexity to storage environments and often requires storage personnel to learn new tools and implement new procedures in order to ensure that data is adequately secured.=
- Incomplete data destruction — When data is deleted from a hard drive or other storage media, it may leave behind traces that could allow unauthorized individuals to recover that information. It's up to storage administrators and managers to ensure that any data erased from storage is overwritten so that it cannot be recovered.
- Lack of physical security — Some organizations don't pay enough attention to the physical security of their storage devices. In some cases they fail to consider that an insider, like an employee or a member of a cleaning crew, might be able to access physical storage devices and extract data, bypassing all the carefully planned network-based security measures.
Data Security Best Practices
In order to respond to these technology trends and deal with the inherent security vulnerabilities in their storage systems, experts recommend that organizations implement the following data security best practices:
- Data storage security policies — Enterprises should have written policies specifying the appropriate levels of security for the different types of data that it has. Obviously, public data needs far less security than restricted or confidential data, and the organization needs to have security models, procedures and tools in place to apply appropriate protections. The policies should also include details on the security measures that should be deployed on the storage devices used by the organization.
- Access control — Role-based access control is a must-have for a secure data storage system, and in some cases, multi-factor authentication may be appropriate. Administrators should also be sure to change any default passwords on their storage devices and to enforce the use of strong passwords by users.
- Encryption — Data should be encrypted both while in transit and at rest in the storage systems. Storage administrators also need to have a secure key management systems for tracking their encryption keys.
- Data loss prevention — Many experts say that encryption alone is not enough to provide full data security. They recommend that organizations also deploy data loss prevention (DLP) solutions that can help find and stop any attacks in progress.
- Strong network security — Storage systems don't exist in a vacuum; they should be surrounded by strong network security systems, such as firewalls, anti-malware protection, security gateways, intrusion detection systems and possibly advanced analytics and machine learning based security solutions. These measures should prevent most cyberattackers from ever gaining access to the storage devices.
- Strong endpoint security — Similarly, organizations also need to make sure that they have appropriate security measures in place on the PCs, smartphones and other devices that will be accessing the stored data. These endpoints, particularly mobile devices, can otherwise be a weak point in an organization's cyberdefenses.
- Redundancy — Redundant storage, including RAID technology, not only helps to improve availability and performance, in some cases, it can also help organizations mitigate security incidents.
- Backup and recovery — Some successful malware or ransomware attacks compromise corporate networks so completely that the only way to recover is to restore from backups. Storage managers need to make sure that their backup systems and processes are adequate for these type of events, as well as for disaster recovery purposes. In addition, they need to make sure that backup systems have the same level of data security in place as primary systems.
Learn More About Data Storage Security
- Storage Security, the Last Line of Defense
- Improving Storage Security: Fighting Cybercriminals
- Storage Security Basics
- Storage Security Basics: Confidentiality and Integrity
- Rootkit Security: The Next Big Challenge
8 Data Security Best Practices
Write and enforce data security policies that include data security models.
Implement role-based access control and use multi-factor authentication where appropriate.
Encrypt data in transit and at rest.
Deploy a data loss prevention solution.
Surround your storage devices with strong network security measures.
Protect user devices with appropriate endpoint security.
Provide storage redundancy with RAID and other technologies.
Use a secure backup and recovery solution.