Continuity™ provides the industry’s ONLY storage & backup security solution, to help you protect your most valuable data.
It’s high time we talk about the avoidable organizational risks that occur when teams that share business goals aren’t aligned with each other. We’re talking about cases where teams from different departments each assume that the other is taking responsibility for a certain matter, when in fact no one is.
One specific case in point is the lack of clarity between infosec and infrastructure teams regarding ownership over the security of enterprise storage & backup systems.
When there’s no clear owner, each team passes the responsibility to the other; the end result is insecure storage & backup infrastructure that leaves an organization’s most valuable asset–its core data–unprotected.
With the frequency of cyberattacks at an all-time high, and the growing sophistication of ransomware attacks, enterprises can no longer afford to let this issue fall between the cracks; the matter of ownership over storage and backup system security must be addressed.
A quick review of the media coverage of a few recent attacks illustrates just a few of the risks caused by unclear ownership over data storage system security:
Data is the lifeblood of pretty much all modern organizations, and most create huge amounts of it on a daily basis. This data enables companies to smoothly conduct their business and to achieve greater efficiencies by discovering the operational insights it holds within. Data has become a strategic asset for every organization, a crown jewel that must be secured and protected.
With cyber threats now frequently coming from both within and outside of the organization, implementing robust storage security measures that empower easy access for authorized users while keeping unauthorized users out is a must.
Standard storage solutions like immutable storage and data encryption aren’t enough. Enterprises that continue to rely on them as their last line of defense put themselves at risk.
To truly keep their data safe, organizations need a well-planned strategy:
Note that even when backup copies are available, organizations are still potentially at risk because of the extended time required to restore the data they need to get their operations up and running.
Most data protection solutions are optimized for data ingestion and space efficiency to support fast backup speeds. This made-for-backup architecture hinders fast recovery, since data reconstruction is widely dispersed and an inherently time-consuming process; full restores can easily be 3-5 orders of magnitude slower than incremental backups.
Let’s start by looking at things from the perspective of InfoSec teams, responsible for ensuring that critical business data cannot be modified, disrupted, deleted or accessed by unauthorized users. The definition of their role mandates that they can effectively:
Many of the organizations we partner with put their IT Infrastructure team – specifically their storage & backup managers – in charge of securing their data storage & backup systems.
Very similar to the InfoSec team, IT Infrastructure teams are occupied with the same storage security issues. They too must know how to:
Nearly every organization today has separate security and infrastructure teams. Both teams manage ongoing routine and operational functions and share the same interests – to keep systems and operations running smoothly to support business growth. They just take different approaches to achieving these goals.
The fact that the two groups tend to report to different stakeholders can also create political problems: while infrastructure teams report to the CIO, security teams are supervised by the CISO, who in many cases (but not all) is accountable to both the CIO and, due to compliance issues, the CFO.
This division of authority means that inter-office politics can often influence the way problems are resolved between the two departments.
Another cause of this conflict is security teams’ oversight responsibilities mandated by regulations such as Sarbanes-Oxley and PCI. These dictate that proper cybersecurity measures be part of any significant IT changes.
However, when timely response is required to solve critical network issues, Infrastructure teams will often give in to the pressure and resolve issues without infosec team change approval or risk verification.
Organizational silos are a necessary evil that create tension and lack of alignment between teams, resulting in less secure organizations. Recent interviews that we conducted with CISOs from around the world generated some interesting insights that are relevant to this discussion:
Communication is paramount to ensuring high levels of security. This is particularly true for large-scale, globally distributed organizations.
In our experience, those enterprises that were able to act in unison were better at applying new security procedures. This can only be achieved when communication regarding security practices is aligned across both infosec and infrastructure teams.
That’s the way to ensure that security best-practices are universally put in place so that the enterprise and its valuable data remain secure.
Those enterprises that were most successful at generating a long-lasting, robust security posture drove home the feeling of shared responsibility and integrated the people, processes and technology required to keep business risks down to a minimum.
At the end of the day, silos between infosec and infrastructure teams can only be brought down in a culture that advocates such measures.
Security teams must be made more aware of storage & backup capabilities, protocols and the attack surface.
At the same time, the storage & backup managers need to rethink their take on security. They need to understand that security doesn’t have to complicate storage management (although it probably will) and that security and performance are no longer incompatible.
Responsibility should be clearly set. Collaboration is highly valuable, of course: teams should share knowledge (storage and backup teams need to learn much more about security, and infosec teams need to learn much more about storage technology); teams should seek advice from each other; teams should review internal and external audit results and work together to continually improve.
One way to kickstart this process would be for both teams to jointly conduct a one-time assessment of their organizations’ storage & backup security, to identify any blind spots.
Organizations must keep in mind that shared responsibility might easily turn into no responsibility. Of course, teams should collaborate, but the responsibilities should be defined very crisply. For example: InfoSec is responsible for defining DETAILED standards and expectations (IT can and should consult and support). IT is responsible for implementing them, reporting on progress, and identifying gaps.
Inspection of gaps should be closely supervised by Infosec. It may also be necessary to engage external auditors to help both teams improve.