StorageGuard - by Continuity™ - is the ONLY Security Posture Management solution for Storage & Backups, helping to ensure these systems are securely configured, and compliant with industry & security standards.
A few words about the author: John Meakin is a seasoned CISO with more than 30 years of experience in various financial services companies, such as RBS, Standard Chartered, and Deutsche Bank. He is also a member of Continuity’s advisory board.
It’s no secret that modern security is focused on data, particularly in the financial services industry. The rise – and sophistication – of ransomware attacks has been well documented – and these almost always focus on data, either for theft or destruction, or both. The most recent wave consists of attacks on storage and backups:
It’s for this reason that many regulatory bodies and industry standards are now taking a much closer look at the security of storage & backup systems:
[NIST Special Publication 800-209; Security Guidelines for Storage Infrastructure]
[ISO/IEC 27001; Information Security Management Systems]
[ISO 27040; Information Technology Security Techniques: Storage Security – to be published at the end of 2023]
[Cybersecurity and Infrastructure Security Agency (CISA) – Binding Operational Directive 23-01]
The need for change is also reflected in the research report Analysis of Storage & Backup Security in the Financial Services Sector, which highlights that:
Various industry and government regulators have woken up to the serious systemic threats from cyber insecurity. The latest regulation to enter the scene in Europe is the Digital Operational Resilience Act (Regulation (EU) 2022/2554) – also known as DORA.
DORA will have a significant impact on the way financial institutions secure data storage and backup systems. The framework requires financial institutions to have a robust and resilient storage and backup system in place to protect their data from unauthorized access, loss, or corruption. Regulators know that without their data, preserved and secure, businesses cannot be resilient in the face of the current threat environment.
Specifically, with regard to data storage and backup, DORA requires financial institutions to:
Therefore, to ensure compliance with DORA and to get ahead of the regulators, CISOs should take the following 6 steps to ensure that their storage and backup systems are secure and resilient:
By taking these steps, CISOs can help to ensure that their businesses are compliant with DORA and that their data is protected from unauthorized access, loss, or corruption. Through this their businesses will be more resilient.
Automating the hardening of storage and backup systems to be resilient
There are a great many patch management and vulnerability management tools out there. They continually scan networks and systems for security risks. They do a fine job with operating systems (OSes) and enterprise applications. However, due to the slightly different architectures – and sometimes unclear responsibilities – they often miss security misconfigurations and vulnerabilities in storage and backup systems.
There are currently thousands of active CVEs out there that relate specifically to storage and backup systems. They can be used by hackers to exfiltrate files, initiate denial-of-service attacks, take ownership of systems, block devices, and delete data. Overall, about 20% of storage and backup devices are exposed and can be attacked successfully by ransomware.
In fact, many organizations fail to configure immutable backups properly, even when the infrastructure provides this important feature – possibly the result of insufficient understanding of the technology and its limitations. This allows adversaries to compromise those backup systems.
One way of avoiding these pitfalls is to deploy a tool that is specifically designed to focus on the storage and backup challenge, and help solve it through automated compliance checks. One such tool is StorageGuard, which finds the security risks that other vulnerability management tools miss. Developed specifically for storage and backup systems, it runs automated compliance checks to detect thousands of possible security misconfigurations and vulnerabilities at the storage and backup system level that might pose a security threat to enterprise data.
It analyzes block, object, and IP storage systems, SAN/NAS, storage management servers, storage appliances, virtual SAN, storage networking switches, data protection appliances, storage virtualization systems, and backup devices.
StorageGuard ensures these systems will never be the weakest link in cybersecurity. Its comprehensive approach to the scanning of storage and backup systems offers complete visibility into blind spots, automatically prioritizing the most urgent risks, and remediating them.
It’s time to automate the secure configuration of your storage & backup systems.
On March 11, join the Dell-Continuity webinar: Securing Storage & Backup; the Forgotten Threat Vector