Alex - stock.adobe.com
- Paul Crocetti, Executive Editor
Security. Security. Security.
That's what a lot of data storage administrators reply when asked, "What's the most pressing issue for your organization?"
For a multitude of reasons, data security is rightfully top of mind. The pandemic's effect on the workplace and the ensuing shift to remote work caused a cybersecurity nightmare for many. Home networks are not as secure as those at work, and attackers have taken advantage of users who let their guards down during a time of heightened stress and pain.
So, what can you do to best combine data storage and security? The answer: a lot.
The state of storage security
"The attackers are smart, innovative and well-funded, making it difficult for IT shops to stay one step ahead," said Krista Macomber, senior analyst at Evaluator Group. "A ransomware resiliency strategy spans many areas of IT and really needs to be unique to the business."
Ransomware is not the only data storage and security issue, though.
After using its automated risk detection engines to analyze more than 400 enterprise storage devices, Continuity Software published "The State of Storage Security Report" in October 2021. The vendor detected 6,300 discrete security issues and found that the average enterprise storage device has 15 vulnerabilities -- three of which are a high or critical risk.
The most common vulnerabilities were the use of vulnerable protocols, unaddressed common vulnerabilities and exposures, access rights issues, insecure user management and authentication, and insufficient logging. Additional issues were incorrect use of ransomware protection features and vulnerabilities in storage software supply-chain management.
"The state of enterprise storage security is significantly lagging behind that of compute and network security," the report said. "This is a significant gap that should be addressed as soon as possible. With growing sophistication of data-centric attacks and with tightened regulations, the business implications of ineffective resolution could rapidly increase."
The lag in proper storage security is a result of choosing to be reactive rather than proactive, a lack of coordination and ownership, and a dearth of appropriate risk detection tools, said Doron Pinhas, CTO at Continuity Software.
"Historically, attacks on data integrity, storage and backup systems were a rarity," Pinhas said. "In recent years we've noticed a sharp change: Ransomware is on the rise, as well as early signs of even more alarming data-targeted attacks."
Pinhas noted ransomware gangs such as Conti and Hive can demolish data backups, while other criminals can hijack supply chains like they did in the SolarWinds attack.
Pinhas pointed out two common traits for all the data storage and security issues in the report.
"They are all the result of lack of awareness and education," Pinhas said. "[And] they could have all been prevented by automating risk detection and remediation."
Doron PinhasCTO, Continuity Software
Take a proactive storage security stance
There are numerous steps organizations can take to get ahead of data storage and security issues.
They can ask the right questions of themselves, Pinhas said. For example, are they confident they can recover from a ransomware attack and a direct attack on storage and backup systems?
"We should assume it's a question of 'when,' not of 'if,'" Pinhas said. "When an attack succeeds, storage and backup are the last line of defense."
Pinhas suggested organizations close knowledge gaps by consulting data storage and security resources such as "Security Guidelines for Storage Infrastructure" from NIST, hiring consultants and conducting a security assessment that focuses on storage and backup. They could also analyze their environment, define security baselines for storage and backup, update plans, define clear ownership and implement controls such as automation.
Evaluator Group's Macomber advised administrators to implement strong access control in the backup environment, including multifactor authentication, role-based access control and two-person concurrence for critical administrative actions.
"This is especially important as data extortion becomes more popular," she said.
"Encryption of data at rest and in flight and immutability are also checkbox items. Several vendors have recently launched cloud-based vaults that are intended to offer an alternative to tape, offering some isolation or air gapping but with faster recovery times and less administrative hassle," Macomber added. "These are definitely worth considering."
Of the IT infrastructure categories of storage, compute and networking, storage potentially holds the greatest value, according to the Continuity Software report.
"While compromise or loss of compute or network infrastructure could be highly disruptive -- resulting in downtime -- one imposed on storage presents a completely different threat," the report said. "If damage to data is sufficiently extensive, most organizations could sustain a devastating injury."
It should come as no surprise that 62% of respondents to TechTarget's 2022 IT Priorities Survey for North America said security is more important for 2022 due to changes driven by the pandemic. That figure was twice as big as the next closest factor: cloud computing. Other analyst reports show similar feelings.
For third-party data storage and security, look no further than Storage magazine's and SearchStorage's 2021 Products of the Year. Our judges found that vendors added major security measures across all five product categories, but most notably in the backup and disaster recovery hardware, software and services category, with ransomware protection part of several updates.
It may not be feasible to do everything suggested here, but you should do what you can to be ready for the next incident.
Dig Deeper on Storage management and analytics
Ransomware: All the ways you can protect storage and backupBy: Stephen Pritchard
Almost all ransomware attacks target backups, says Veeam
Nebulon aims Tripline at ransomware detection in storage
Podcast: Ransomware, data protection and compliance