What is storage security?
Storage security is the group of parameters and settings that make storage resources available to authorized users and trusted networks -- and unavailable to other entities. These parameters can apply to hardware, programming, communications protocols and organizational policy.
Several issues are important when considering a security method for a storage area network (SAN). The network must be easily accessible to authorized people, corporations and agencies. It must be difficult for a potential hacker to compromise the system. The network must be reliable and stable under a wide variety of environmental conditions and volumes of usage. Protection must be provided against online threats such as viruses, worms, Trojans and other malicious code.
Sensitive data should be encrypted. Unnecessary services should be disabled to minimize the number of potential security holes. Updates to the OS, supplied by the platform vendor, should be installed on a regular basis. Redundancy, in the form of identical -- or mirrored -- storage media, can help prevent catastrophic data loss if there's an unexpected malfunction. All users should be informed of the principles and policies that have been put in place governing the use of the network.
Two criteria can help determine the effectiveness of a storage security methodology. First, the cost of implementing the system should be a small fraction of the value of the protected data. Second, it should cost a potential hacker more, in terms of money and/or time, to compromise the system than the protected data is worth.
Why is storage security important?
Storage security is important because storage is where the data resides. As such, storage security is what must prevent unauthorized access to data stored on the underlying storage systems.
Although nearly every organization employs additional security measures to prevent data from being accessed by hackers or unauthorized users, storage security is often the last layer in a defense.
What are common data security threats and vulnerabilities?
There are innumerable threats to an organization's data, ranging from malicious attacks to accidental data loss events. Some of the more common threats to an organization's data include:
- Ransomware attacks. Ransomware is probably the most widely known threat to an organization's data. A ransomware infection typically encrypts any available data in a way that prevents the victim from accessing the data until they pay a ransom to receive a key that unlocks the data. Ransomware infections can occur as a result of clicking on a malicious link or opening a malicious attachment, but hackers have also been known to plant ransomware on a victim's storage device. In addition to encrypting the victim's data, some ransomware attacks threaten to make the organization's sensitive data public if the ransom isn't paid.
- Unauthorized access. Unauthorized data access typically involves a data breach in which a hacker or a rogue user gains access to an organization's sensitive data.
- Unintentional access. Unintentional access can occur when poorly constructed access control lists accidentally grant users access to data that they shouldn't have access to. This sometimes happens as a result of overlapping group memberships.
- Data leakage. At its simplest, data leakage refers to sensitive data leaving an organization and making its way into the outside world. There are several ways in which data leakage can occur. A user might copy data to a USB storage device and walk out the door with that data. Similarly, a user could email the data to themselves or to someone else. Data leakage can also occur as a result of a user copying sensitive files to a consumer file-sharing service such as Dropbox.
- Accidental deletion. Not all data loss events are malicious. Data can be lost if a user accidentally deletes data that hasn't been backed up.
- Accidental modification. Accidental modification is another common threat to an organization's data. This can happen when a user accidentally overwrites good data with incorrect data.
Data security vs. data protection
The terms data security and data protection are often used interchangeably, but they refer to two different things.
Data security is focused on preventing unauthorized access to an organization's data by using mechanisms such as access control lists, storage encryption and multifactor authentication.
Data protection might best be described as backup and recovery. Data protection refers to the act of creating data copies that can be used to recover an organization's data following a storage infrastructure failure or other types of data loss events.
Although data security and data protection are two different things, they are somewhat related. If an organization were targeted by a ransomware attack, hopefully the organization's data security can stop the attack. If the attack succeeds, then the organization's data protection mechanism -- its backups -- is the best option for getting data back without paying the ransom.
As essential as data protection is, if it's poorly implemented, it can create an additional security risk. If an organization backs its data up to tape, but doesn't encrypt its backups, then an insider might be able to gain access to the organization's data simply by stealing a backup tape.
Organizations in regulated industries must examine any applicable compliance requirements when deciding how best to secure their data. Regulations such as HIPAA, PCI and GDPR focus heavily on data security and privacy. The requirements vary from one regulation to the next, but such regulations commonly establish mandates pertaining to the way that data is to be stored.
Regulations commonly require that all sensitive data be encrypted. Although the various regulations establish storage security requirements, the regulations often leave it up to the individual organizations to choose which products and mechanisms they use to meet regulatory requirements.
What are best practices for securing data?
Entire books have been written on keeping data secure. Even so, there are several best practices that organizations should follow regarding data security.
- Identify where data is stored. The first step in any data security initiative must be to locate the organization's data. Often organizations have data that is stored both on premises and in cloud storage. This might include cloud-based object storage such as AWS S3 or Azure Blob storage, but data might also be stored in cloud services such as Microsoft 365. Also, consider data that might be locked away in data siloes.
- Classify the data. After locating all the organization's data, classify that data based on its sensitivity. This makes it easier to secure the data later. Some organizations skip this step and treat all data as highly sensitive, whether it is or not. Although this model makes data security easier, it can also lead to higher costs.
- Protect sensitive data against leakage. To guard against leakage, adopt a data loss prevention (DLP) system. DLP products tend to vary in scope, but most focus on detecting sensitive data in outbound email messages. Such messages can then be intercepted -- and possibly even silently forwarded to the HR department -- before being sent to the outside world. Other DLP products focus on blocking access to USB storage devices.
- Audit access control lists. Access control lists determine who has access to what. Periodically audit access control lists to make sure they haven't been tampered with and ensure users have access to the data required to do their jobs, and nothing more.
- Implement multifactor authentication. Access control lists do little good if a user's account is compromised. One of the best ways to keep users from falling victim to stolen passwords is to implement multifactor authentication requirements.
- Segregate administrative responsibilities. Allowing a single administrator to have full access to all an organization's IT systems is dangerous. If the administrator's account were compromised, the attacker could gain access to everything. This includes the storage environment, cloud computing resources and administrative controls. Use a role-based access control mechanism to delegate administrative responsibilities on an as-needed basis rather than granting blanket administrative privileges.
- Encrypt everything. All storage devices, whether on premises or in the cloud, should be encrypted.
- Practice good patch management. One of the best ways to prevent a data breach is to install software patches and firmware updates as they become available. These patches often address known vulnerabilities.
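The audit described under "Audit access control lists", and the overlapping-group problem noted under "Unintentional access", can be sketched as follows. This is an added example, not part of the original article; the group names, share paths, users and the REQUIRED baseline are all constructed for illustration.

```python
# Constructed sample data: group membership, including one nested group.
GROUP_MEMBERS = {
    "finance": {"alice", "bob"},
    "project-x": {"bob", "carol", "contractors"},
    "contractors": {"dave"},
}
# Constructed ACLs: share -> {principal (user or group): rights granted}.
ACLS = {
    "/shares/payroll": {"finance": {"read", "write"}},
    "/shares/project-x": {"project-x": {"read"}, "finance": {"read"}},
}
# Constructed baseline: the access each user needs to do their job.
REQUIRED = {
    "alice": {"/shares/payroll": {"read", "write"}},
    "bob": {"/shares/payroll": {"read"}, "/shares/project-x": {"read"}},
    "carol": {"/shares/project-x": {"read"}},
    "dave": {},
}

def expand(principal, seen=None):
    """Resolve a user or group to the set of users, following nested groups."""
    seen = seen if seen is not None else set()
    if principal not in GROUP_MEMBERS:
        return {principal}            # a plain user account
    if principal in seen:             # guard against membership cycles
        return set()
    seen.add(principal)
    users = set()
    for member in GROUP_MEMBERS[principal]:
        users |= expand(member, seen)
    return users

def effective_access(acls):
    """Return {user: {share: rights}} after expanding every ACL entry."""
    result = {}
    for share, entries in acls.items():
        for principal, rights in entries.items():
            for user in expand(principal):
                result.setdefault(user, {}).setdefault(share, set()).update(rights)
    return result

def excess_access(acls, required):
    """List (user, share, extra_rights) where access exceeds the baseline."""
    findings = []
    for user, shares in effective_access(acls).items():
        for share, rights in shares.items():
            extra = rights - required.get(user, {}).get(share, set())
            if extra:
                findings.append((user, share, sorted(extra)))
    return sorted(findings)
```

Running `excess_access(ACLS, REQUIRED)` on this data flags alice and dave for read access to `/shares/project-x` that they picked up through group membership, and bob for write access to `/shares/payroll` that his job does not require.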