Joel Fulton

6 Steps to Ensure Compliance For Your Storage & Backup Systems

  • November 3, 2022
  • 5 min read

Compliance with industry standards and regulatory mandates can absorb an inordinate amount of IT and executive attention. Organizations spend a great deal of time verifying that they comply with the requirements of security frameworks and regulations such as CIS, NIST, PCI DSS, NERC CIP, PHI/HIPAA-HITECH, DISA, FFIEC, the NIS Directive, MAS-TRM, FISMA, ISO, NYDFS and others.

Further, many of these standards want organizations to verify that they are carrying out their fiduciary responsibilities concerning Common Vulnerabilities & Exposures (CVEs).

The big problem is time.

Storage and Backup Compliance is Time Consuming

Some organizations spend countless hours manually preparing for compliance-related activities such as a PCI audit. Once the preparations are complete, more time is absorbed in writing reports that demonstrate compliance.

According to NIST document SP 800-209, Security Guidelines for Storage Infrastructure, organizations are required to “Periodically and proactively assess configuration compliance to storage security policy:

  • Make sure that the actual configuration meets the storage security baselines and identify gaps.
  • Track the remediation of gaps in a timely manner.
  • Consider developing KPIs to track the compliance to storage security baselines based on types of data, their organization function, and their sensitivity.”

Historically, these have been weak areas within organizations. The reasons are not difficult to comprehend. The scope of compliance for storage and backup infrastructure is immense – and many of the tools used to scan for vulnerabilities and security misconfigurations do a poor job in identifying areas of potential risk. In fact, they may cause the organization to falsely claim compliance when numerous storage and backup security threats remain.

6 Key Areas to Check for Storage and Backup Compliance

Here are just a few of the areas that must be considered to ensure thoroughness in verifying backup and storage compliance:

1. Storage OSes and Software: Storage and backup systems suffer from CVEs, yet many organizations are either unaware that they exist, or have been lulled into a false sense of security that all critical CVEs have been addressed. The plain fact is that storage OSes are often riddled with vulnerabilities that can enable malicious actors to gain unauthorized access, elevate permissions, and run arbitrary code.

As well as being present within storage and backup systems, vulnerabilities may also be found in underlying components and modules, and any embedded switches, controllers, boards, drivers, firmware, or other components.

Unfortunately, most vulnerability scanners and vulnerability management systems fail to comprehensively assess storage and backup systems. They often miss critical CVEs and misconfigurations.

Check out the latest list of vulnerabilities – broken out by storage & backup vendor:
https://www.continuitysoftware.com/resources/?resources_category=cve

2. SAN Zoning and Masking: Zoning and masking mistakes are more common than many realize. LUNs may have been left accessible to unintended hosts. Replicated copies and snapshots, too, may not have been properly secured. If that is the case, an attacker may be able to mount them from unauthorized clients.

3. Audit logging misconfigurations: Many storage and backup systems are not configured sufficiently for audit logging. This manifests in ways such as missing audit log content, audit logs not relayed to central syslog servers, and the use of unapproved audit logs. These errors make it more difficult for the organization to detect brute force attacks and anomalous behavior patterns. They also impede forensic investigation and can curtail recovery efforts.

4. Default accounts and passwords: A surprising number of storage and backup systems will be found to still be operating with the default administrative usernames and passwords they were shipped with. These factory settings can be easily exploited by unauthorized employees and malicious actors to do serious damage. Compliance efforts must carefully look over the different storage subsystems and respective user accounts to verify password policy is being followed.

5. Control over administrative access: Configuration drift and oversights result in more user accounts with administrative access than required. Such dormant accounts can be exploited by malicious actors. Furthermore, storage management components, including command-line and API interfaces, should be configured with required users only, strong authentication and least privilege.

6. Backup isolation and immutability: Various standards require that backup data be kept in an isolated, inaccessible environment that does not overlap with the production network.

These are just a few of the many vulnerability and configuration challenges that are typically present in any storage and backup infrastructure. There are many other areas to check.
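The SP 800-209 requirement quoted above, to compare the actual configuration against a storage security baseline and identify gaps, can be scripted once a system's configuration has been exported. The following is an added example, not Continuity's or StorageGuard's code: it runs the six checks listed above over a constructed, deliberately non-compliant configuration in a simplified schema that is assumed for illustration (the advisory identifiers and the set of vendor default accounts are placeholders, not real CVEs or product defaults).

```python
# Added example (not Continuity's or StorageGuard's code): a baseline
# compliance check over a simplified, assumed storage-array config schema.
VENDOR_DEFAULT_ACCOUNTS = {"admin", "root"}  # assumed vendor defaults, placeholder
# Constructed sample configuration, deliberately non-compliant in places.
SAMPLE_CONFIG = {
    "required_advisories": {"ADV-0001", "ADV-0002"},  # placeholders, not real CVEs
    "patched_advisories": {"ADV-0001"},
    "lun_masking": {"lun-7": {"db01", "db02", "test-vm"}},
    "approved_hosts": {"lun-7": {"db01", "db02"}},
    "audit": {"enabled": True, "syslog_servers": []},
    "accounts": [
        {"name": "admin", "role": "admin", "default_password": True},
        {"name": "alice", "role": "admin", "last_login_days": 3},
        {"name": "bob", "role": "admin", "last_login_days": 210},
    ],
    "backup": {"immutable": False, "isolated_network": True},
}

def check_compliance(cfg, dormant_days=90):
    """Return (area, finding) gaps against the baseline; empty means compliant."""
    gaps = []
    # 1. Storage OS/software: required vendor advisories not yet applied
    for adv in sorted(cfg["required_advisories"] - cfg["patched_advisories"]):
        gaps.append(("cve", f"advisory {adv} not applied"))
    # 2. SAN zoning/masking: LUN presented to hosts outside the approved set
    for lun, hosts in cfg["lun_masking"].items():
        for host in sorted(hosts - cfg["approved_hosts"].get(lun, set())):
            gaps.append(("masking", f"{lun} exposed to unapproved host {host}"))
    # 3. Audit logging: enabled and relayed to at least one central syslog server
    if not cfg["audit"]["enabled"]:
        gaps.append(("audit", "audit logging disabled"))
    elif not cfg["audit"]["syslog_servers"]:
        gaps.append(("audit", "audit log not relayed to central syslog"))
    for acct in cfg["accounts"]:
        # 4. Default accounts still on their factory password
        if acct["name"] in VENDOR_DEFAULT_ACCOUNTS and acct.get("default_password"):
            gaps.append(("defaults", f"{acct['name']} still uses default password"))
        # 5. Administrative access: dormant admin accounts
        if acct["role"] == "admin" and acct.get("last_login_days", 0) > dormant_days:
            gaps.append(("admin", f"dormant admin account {acct['name']}"))
    # 6. Backup isolation and immutability
    if not cfg["backup"]["immutable"]:
        gaps.append(("backup", "backup copies are not immutable"))
    if not cfg["backup"]["isolated_network"]:
        gaps.append(("backup", "backup environment overlaps production network"))
    return gaps

if __name__ == "__main__":
    for area, finding in check_compliance(SAMPLE_CONFIG):
        print(f"[{area}] {finding}")
```

Each finding maps back to one of the six areas, which is the form a KPI or audit report needs; a real deployment would replace the constructed dict with the vendor's configuration export.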

Fines and Penalties Galore

Any organization where these situations are present is subject to heavy fines and penalties. These days, there are more eyes on IT infrastructure than ever:

  • PII and PHI/HIPAA-HITECH, for example, are of interest to the SEC, PCI Council, and others.
  • SOX and PCI-DSS are very much under the microscope of regulators in financial services, retail, and public corporations.
  • Healthcare organizations must watch out for HIPAA compliance lawsuits in federal court.
  • Too-big-to-fail organizations follow NIST, FFIEC and more.
  • Federal organizations follow NIST.
  • Critical infrastructure organizations must adhere to NERC CIP.
  • Retail, financial and many other organizations follow PCI.

Since becoming law in 2016, almost 900 organizations have been fined more than 1.25 billion euros for violations of GDPR. Amazon Europe alone was fined three quarters of a billion. Fines have been imposed on the likes of WhatsApp, Google, Target, Yahoo, Marriott, Equifax, and Facebook, doled out for various PII violations.

Simplified Compliance

StorageGuard by Continuity is the fast and accurate way to ensure storage and backup compliance, and pass stringent security audits. It checks for thousands of storage and backup vulnerability and configuration issues to ensure they are compliant with security regulations and standards. StorageGuard saves a tremendous amount of time and effort in checking all systems. It detects problems lurking within the storage and backup infrastructure that most other tools miss. Further, it can customize the data organizations need to meet their specific compliance requirements.
