Data Protection vs. Storage Security: 5 Critical Differences – And What To Do About It

In a nutshell • The practice of data encryption helps ensure no one can read your data if a storage disk is lost, misplaced or stolen. • The practice of storage security helps ensure attackers cannot compromise central storage systems by exploiting vulnerabilities, misconfigurations, or weak security settings, or by deploying malware.

Today’s hackers find data storage systems attractive – and for good reasons. First, storage systems hold the enterprise’s most sensitive information, which makes a successful attack very promising for lucrative crimes, including ransom attacks, fraud, user identity theft, and more. 

Second, infosec teams often neglect their storage – as well as backup – systems, mistakenly thinking that data protection also covers storage/backup, thereby leaving an opening that hackers are happy to exploit. 

Yes, the game is on. Infosec teams overlook specific loopholes, hackers joyfully take their turns, the industry offers a remedy, and hackers go looking for gaps elsewhere… 

Back to basics: Data vs. Storage 

To understand what storage is, let’s start by defining data. Data is the information we store for processing and movement purposes. Ok, sounds simple enough.

Data is an integral part of various technologies and devices, including mobile, desktop, applications (such as Outlook, Slack, SAP), databases, servers, and more. 

Storage systems are centralized repositories used to hold, share, and manage different business-critical data elements. 

Storage systems – whether on-premises, cloud-based or hybrid – can typically manage data at a large scale for an appropriate number of users. 

And let’s not forget backup systems. 

Backup systems help organizations create copies of data that can be recovered in the event of an attack or outage.

You might say that data is the jewel resting inside the safe that is the storage system. 

And the backup is a secret time machine that is used to bring the jewel back if it disappears!

Safe and sound: Data and storage security measures

Now that we’ve (hopefully) clearly explained what data and storage are, let’s move on to the difference in security measures.

Data security is meant to protect valuable data, and there are different procedures, standards, and technologies to choose from. The goal is to ensure that only authorized parties can access and use the data and that its integrity is maintained at any given moment. 

Examples of data security solutions include malware detection and prevention, firewall network security solutions, intrusion detection, data privilege, access management, and more. 

Storage security, however, is meant to protect the central systems and prevent any unauthorized parties from accessing the system and its vast data volumes. 

Infosec teams have different strategies for safeguarding their storage and backup systems. 

Multiple aspects make up storage security, including constant identification, assessment, and protection of operating systems, applications, devices, plugins, and other data storage arenas. These are not covered by traditional data protection solutions. 

Remember our analogy? Our precious jewel (data) is not only resting inside the safe (storage), but should also be kept at the perfect temperature and conditions to maintain its qualities and value. In other words, the safe itself can protect or ruin the jewel. The storage safe uses multiple complex passwords and authentication mechanisms to keep the jewel safe and sound. 

If my data is protected, why do I need to secure my storage?

The importance of data encryption is not to be underestimated. This critical security measure helps keep sensitive information safe when it is stored on a hard disk that anyone can access (for example). 

As important as it may be, encryption is hardly enough to protect from storage attacks. If hackers find their way into a storage system (as data encryption alone won’t prevent them from doing so), they are free to cause severe damage by deleting and compromising petabytes of data – whether they’re encrypted or not. 

Hackers can corrupt the data, make them inaccessible, and apply ransomware. 

Let’s go back to the safe analogy we previously mentioned. If you never changed the default code when you bought the safe in the store – e.g. “1234” – then the jewel that’s stored inside is at risk of theft. 

In other words, placing your jewel in the safe doesn’t prevent anyone from exploiting the safe’s vulnerabilities and misconfigurations, in order to steal the jewel.

Let’s also remember the importance of securing your backup systems, because when the jewel is stolen or damaged, the backup is your ONLY way of getting it back!

An unsafe bet: storage vulnerabilities and attack likelihood

Start by understanding the chances of hackers infiltrating your storage systems, and the potential damage they might cause as a result. 

Understanding the risk is the first step towards a solution; read more about it in this Storage Security Handbook. 

How big is the risk in today’s reality? Fedor Sinitsyn said that “This year alone we have already detected several new ransomware families focused solely on NAS (Network-attached storage). This trend is unlikely to fade.” 

In fact, Gartner goes a step further and recommends “hardening the components of enterprise backup and recovery infrastructure against attacks by routinely examining the backup application, storage, and network access and comparing this against expected or baseline activity

Here are just a few incidents that were covered by the media: 

• Cybercriminals behind a string of high-profile ransomware attacks, including one extorting $11 million from JBS Foods recently, have ported their malware code to the Linux operating system. The unusual move is an attempt to target network attached storage (NAS) devices that run on the Linux operating system (OS). REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.

• Eversource Energy, considered to be the largest energy supplier in the New England area, suffered a severe data breach. The company’s review found the cause to be a storage misconfiguration that led attackers to a folder containing unencrypted files with the personal information of thousands of customers. 

• Lion Air suffered a breach that exposed data of millions of passengers stored in poorly secured storage . The breached data quickly found its way to multiple questionable online forums. 

These examples are just a few out of many. In fact, we’ve reviewed thousands of misconfiguration incidents when putting together this State of Storage Security Report. 

Enterprises may want to quantify the risk (probability) and the potential harm of such an attack, which is why we’ve created this video that simulates ransomware attacks on storage systems. 

Keep in mind that data that’s breached at the end-user device or server level is typically less harmful. When the organization’s storage systems are compromised, it can reach petabytes of data. One storage system serving hundreds and even thousands of servers and virtual machines can easily cripple the entire system and impact the recovery path. 

Typical sizing of data stored on system

End-User Desktop	Server	Storage
Gigabytes	Terabytes	Petabytes

Effective solutions to a real problem

No single tech solution offers both data and storage protection. There are separate technologies for each. 

Data protection solutions cover malware detection, firewall, intrusion detection, data discovery and classification, access control and privilege management, and more. 

Storage security ones, on the other hand, include vulnerability management,  configuration management, storage security posture management, and cyberstorage (a new addition to Gartner’s recent Hype Cycle for Storage and Data Protection Technologies report).

Eventually, it’s critical to have comprehensive protection not just for the data but also for the storage that stores the bulk of an enterprise’s data. 

Is on-premises storage more secure than the cloud? Many executives we encounter are debating whether it’s safer to store their data in the cloud or on-premises, and there are advantages and disadvantages to each approach. Dell Technologies CEO Michael Dell famously said that “the public cloud is no more or less secured than on-premise”. Food for thought.