A 4-part blog series
PART 1: Building the Need: The Reasons for Data Storage Security
Vulnerabilities from within and without are plaguing data storage. Storage hardening is a low priority even as infosec professionals are in high demand and low supply. Security managers task the talent they have with OS and network hardening, leaving storage technologies vulnerable.
Security managers assume that central storage and backup systems sit too deep in the datacenter core to reach and are too obscure to pose a meaningful attack surface. Cybercriminals and insider threats have now proven this assumption wrong. And so it’s time for CISOs to close the gap.
Meanwhile, legacy perimeter security has evaporated. Mobile and remote working employees are the new perimeter. New and traditional storage technologies don’t live inside the new perimeter and must do without its protections.
Each storage technology comes with its hazards. “A quick Google search will show you the open Amazon S3 buckets; there are millions of them, and the risk is dramatic,” says Dick Wilkinson, CISO, New Mexico Supreme Court. Cloud storage misconfigurations like these are commonplace, regularly starring in stories of significant data exposures.
Storage arrays have operating systems (OS), and OS vulnerabilities are routine. SAN technologies risk flaws in open-source software, vulnerable programming languages such as Java, and virtualization technologies such as software containers. Ransomware encrypts on-premises storage and backups, leaving enterprises with no alternative but to pay the ransom.
Complexity always increases vulnerabilities. Data storage is more complicated than you think. According to NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure, data storage management complexities have multiplied due to a blend of traditional storage services such as block, file, and object storage and advanced storage architectures such as storage virtualization, storage architectures for virtualized servers, and cloud storage. The greater the complexity, the more configuration errors and security threats follow.
Now storage teams must return to fix errant configurations and manage realized risks from security threats. They can’t do it alone.
You care about your organization’s most precious data, safeguarding it in transit and use. Networks, applications, and devices remain secure because of you. But the same data lives at rest, too, in largely undefended storage systems.
Storage may seem relatively minor in your IT stack, but there are other ways to consider its size. The world’s data reached about 59 zettabytes last year, according to Statista. Storage will grow to meet demand as data multiplies exponentially. Statista expects global spending on data storage units to exceed 78 billion U.S. dollars this year.
Size isn’t the best measure of the criticality of storage. Let’s compare storage to the human heart. The heart is modest in size but pumps life-giving blood throughout the body. Likewise, storage houses the critical, high-risk data that feeds your applications and devices. Just as shooters aim for the heart, so criminal hackers target data where it lives. If you let cybercriminals leak data from storage, they can sell it or give it away. Ransomware encrypts data in storage, cloud storage, and backups, which could kill the company.
It’s time to stop pushing storage security off as someone else’s responsibility.
“There are gaps in the roles and responsibilities between the security and storage/infrastructure teams. Storage has been a grey area; nobody owns it,” says Sunil Varkey, Global Head of Cyber Security Assessments, HSBC. Someone has to own storage. IT security can’t account for all security if no one on the team owns storage security.