Doron Youngerwood

Catch My Drift? How To Easily Manage Configuration Drift In Your Storage & Backup Systems 

  • May 15, 2024
  • 4 min read

About Continuity™

Continuity™ provides the industry’s ONLY storage & backup security solution, to help you protect your most valuable data.

Read more

Configuration drift happens when the configurations of storage & backup systems and software deviate from a baseline or standard configuration over time. When this happens, it can inadvertently introduce vulnerabilities into the systems, paving the way for breaches.  

  • Changes to port zoning, file shares, LUNs, access rights, backup policies, administrative accesses and other configuration items can adversely affect the security posture of your storage and backup systems. 
  • Upgrades, updates and hotfixes to storage OE, storage firmware, storage software components and backup software often result in hardened security settings being reverted to non-secure values, without the awareness of the organization. 

Such breaches can lead to loss of revenue, business disruption and damage to the reputation of the organization. Organizations stand to lose valuable data, as well, that they can’t necessarily replicate. 

In addition, configuration drift can cause storage & backup systems to deviate from regulatory standards, inviting both security risks and legal repercussions, which include hefty fines and reputational damage. 

Storage and backup system configurations change on a regular basis. So, it’s clear that staying on top of configuration drift and actively managing security misconfigurations can significantly mitigate these risks. 

How To Identify Configuration Drifts? 

There are three approaches to identifying configuration drifts when they occur.  

  1. Manual 

The first method involves manually reviewing each production configuration and comparing it to the target baseline. This is very time-consuming and expensive.  

During the test planning process, various spreadsheets that list all storage & backup hardware and software devices are brought together across the IT departments for comparison and reconciliation.  

These include traditional storage services (e.g., block, file, and object storage), storage virtualization, storage architectures designed for virtualized server environments, backup appliances, backup software, and storage resources hosted in the cloud.  

There are often large discrepancies between these different lists, which serve to compound the difficulty of the effort and miss configuration gaps entirely.  

  1. Using Automation – with a Homegrown Solution 

The second method to identifying configuration drifts involves developing custom scripts that run periodically to search for these gap “signatures” left by a configuration drift.   

This works well, however, it is often limited to a few gaps, and each script typically looks for one gap. Their scripts only grow as more configuration drifts are discovered. 

The problems with building your own custom scripts include: 

  • Costly to develop – most organizations can not scale beyond a couple of dozens of checks – which is hardly sufficient (quote our state of the storage and backup security report mentioning there are hundreds to thousands of checks required) 
  • Hard to maintain – as employees move 
  • Hard to take action on – difficult to track what’s happening over time, do not integrate well with IT Service Management solutions, like ServiceNow 
  • Difficult to gather the data in a consistent way – due to multiple APIs, interfaces, vendors, etc. And these also change over time) 
  1. Using Automation – with a Purpose-Built Commercial Solution 

Most configuration management vendors focus on host operating systems and web applications, and are unable to effectively communicate with the unique storage and backup technologies. 

The one solution, purpose-built for storage & backup systems is StorageGuard

StorageGuard audits the configuration of storage & backup systems, to ensure they’re hardened and not vulnerable. StorageGuard automatically detects configuration drift and unauthorized changes, while validating that all systems adhere to the required baseline.  

StorageGuard contains over 2,000 built-in security configuration checks, supporting all leading storage and backup vendors such as Dell, Hitachi Vantara, IBM, Pure, NetApp, Rubrik, Cohesity, and many others.  

These configuration checks cover a wide range of security categories such as: 

  • Authentication 
  • Authorization 
  • Administrative access 
  • Malware protection 
  • Interfaces and ports 
  • Anti-ransomware 
  • Access control 
  • Encryption 
  • Audit logging 
  • …and more 

Our checks repository is constantly updated based on the guidelines of leading security & industry standards, such as NIST, ISO/IEC, PCI DSS, CIS Control, FFIEC, SNIA, and more 

StorageGuard helps you detect and track changes to the storage & backup security configurations on a daily basis, thereby helping to identify unplanned or incorrect changes that may put these systems at risk. 

Check out this 3-minute video of StorageGuard to see how it could help you. 

Talk To An Expert

It’s time to automate the secure configuration of your storage & backup systems.

We use cookies to enable website functionality, understand the performance of our site, provide social media features, and serve more relevant content to you.
We may also place cookies on our and our partners’ behalf to help us deliver more targeted ads and assess the performance of these campaigns. You may review our
Privacy Policy I Agree