Part 3 in a series of 4: The what, why, and how of securing storage and backup
In part 1 of this series, the difference between securing data and securing storage or backup infrastructure. In part 2, we analyzed storage risks, we overviewed the storage attacks landscape, and we also raised awareness of the industry’s knowledge gaps. In here we cover strategies for ensuring enterprise storage security.
The cost of a single data storage breach could overwhelmingly exceed the investment in a storage security framework and controls (we will cover financials in more detail in the next article in the series).
Data-centered attacks are growing more frequent and intense for obvious reasons. CISOs and security teams therefore expand their framework to encompass storage assets and add controls specific to their unique needs. They do it as the more they define and enforce detailed security policies, the more they reduce their risk.
“The hackers are after our crown jewels: our data. In a bank, data is money. This is why I’m a big believer in securing storage.” Erdal Ozkaya – Former Regional CISO, Standard Chartered
If you’re taking your first storage-security steps, we urgently recommend getting to know prominent storage security guidelines and frameworks. Examples include the NIST Security Guidelines for Storage Infrastructure (published in 2020), ISO 27040 (published in 2015), and SNIA’s storage security publications.
Here are six strategies that security leaders must take to safeguard their data in storage and backup systems:
Steer a culture that breaks the silos between security and storage teams. Security teams often lack a good understanding of storage capabilities, protocols, and the attack surface. Storage teams often adopt a naïve approach to security. They assume it complicates storage management (somewhat true) and that security and performance are contradictory (valid years ago, much less so today). A good first step could be to perform a one-time joint audit for storage security.
Build safeguards into your storage security processes and practices. Start by creating secure storage designs, implementations, and management procedures. Walk yourselves through the storage lifecycle from technology inception through security updates and patches to retiring storage devices.
Raise your security baseline to include identity and access management controls that separate administration within and between different data-planes (such as primary storage, backup, and DR), business functions, and environments (such as production, development, and testing). You can bake security baselines, guidelines, and quality controls into your IT management DNA and apply them with every new storage initiative.
Deploy and inventory storage in adherence with your baseline security.
Monitor and measure change against your baselines 24/7 to make sure you never deviate from them.
Expand your incident response and recovery plan to cover storage, using metrics on the likelihood and severity of incidents as they apply to your business. (Use available data to benchmark your environment against other organizations for reference.) Run tabletop exercises to decide how to recover from scenarios such as these:
An attack wipes out a large storage array supporting thousands of servers, VMs, and operating system instances. The onslaught has erased your data and storage configurations. You must rebuild the array, create the LUNs, and remap them to those servers and data stores.
A criminal hacker deletes your SAN settings, including zoning and masking. It took years to design and roll out those configurations. Now you must fall back on your documentation and backups. Do you have automation in place to recover quickly?
An unidentified strain of ransomware targeting a zero-day vulnerability in SAN storage software has hit your storage plane. The ransomware targets primary storage and backups. You need to keep secure backups so you can recover once you stop the attack. You must defuse the malicious software as soon as possible.
If you ask us what’s the best thing to do as a starting point, we’d say “easy!”. Obviously, it’s to reach out to experts who can identify the “gaps”. They can map your infrastructure and conduct a one-time audit to get you on your way.