One of the biggest challenges of data storage security is preventing intruders from accessing critical storage resources. To ensure that data is secure, organizations must keep track of the location of company data and who can access it. Security policies require regular updates, as well.
Meeting data storage security best practices will help mitigate the threat of cyberattacks, and this begins with developing comprehensive defense-in-depth and tiered protection strategies.
"Organizations must identify all logical paths and connections into their storage environments and ensure that proper permissions with ... privileged and zero-trust access models [are] in place for all interfaces," said Tony Sharp, a senior vice president at business consulting firm Booz Allen Hamilton. He added that the models should be supported with instrumented detection and response controls. Sharp suggested that organizations monitor for anomalies in access, data and traffic patterns, as well as compliance with established security policies.
"Encryption should be done at rest and in-transit, so even if an attacker gets access to the data, it limits the ability to read it," said Konstantine Zuckerman, CEO and co-founder at consulting firm Cybri. "The encryption should be strong enough so that by the time the data can be cracked, it's no longer usable."
Don't overlook data in the cloud
One of the biggest mistakes organizations make with cloud-based storage nodes is not knowing that they even exist, said Jacob Ansari, a senior manager at Schellman & Company, a global independent IT audit and certification firm. It's easy to set up a storage node that gives access to anyone with the relevant URL access, he said.
"A corporate information security team should have some awareness of what storage nodes exist under the known cloud service provider accounts used by the entity and should attempt to learn where other individuals or business units have created their own accounts," Ansari said. Identifying storage points and protecting them with access controls can significantly limit the potential for data exposure or loss.
Ryan O'Ramsay BarrettCEO, Oram Corporate Advisors
A proven data storage security best practice against cyberattacks is to ensure that storage resources are properly siloed apart from the network infrastructure.
"This is done via robust ACL [access control list] whitelisting, only allowing the appropriate access and nothing more, and ensuring that the users who have access to it can only do so in a protected fashion without extraneous permissions," Zuckerman said. "This is effective, as we most often see attackers gaining access via an over-permissioned user account or via network services that should have been blocked by ACLs on the firewalls."
Another common misstep organizations make with putting data in the cloud is assuming data storage security is already taken care of. Cloud storage users often operate under the mistaken notion that the cloud itself is somehow inherently secure. In fact, most cloud storage operators adopt a shared responsibility concept under which the provider is responsible for security "of" the cloud and customer is responsible for security "in" the cloud.
Avoid haphazard data management
Organizations often leave storage resources vulnerable by failing to properly control information flow.
"This can [include] allowing data to go to any system -- not necessarily one that needs the data -- or by not properly removing data when decommissioning or repurposing a resource," Zuckerman said. Companies can put clients at risk by holding onto old servers packed with data such as Social Security numbers or credit card information.
Haphazard data management is another critical data storage security mistake.
"All of your business data should be categorized by the level of security that it requires," said Ryan O'Ramsay Barrett, CEO at IT and security consulting firm Oram Corporate Advisors. "You should also know where each piece of your digital and hard copy data is stored at all times."
One way organizations can keep track of where their copies of data are is by implementing the 3-2-1 method of backup. This means having three copies -- one primary and two backups -- stored on two different types of storage media and one copy of the data is stored off site.
Yet another critical error is a lack of basic security protocols.
"Every business should be employing the principle of least privilege, which means giving access to stored data only to the employees who truly require it to perform their job functions," Barrett said. "Additionally, this means employing standard firewalls, antivirus and antimalware programs, and keeping them updated at all times."
Ransomware poses a challenge to most organizations, but many can protect their stored data by implementing strong security technologies, practices and training methods. The right backup strategy can go a long way in protecting data from ransomware attacks. For example, if tape backups are stored offline and not connected to a network, that data cannot be accessed by a cybercriminal.
"You can safeguard your stored data by backing it up regularly," Barrett said. "If the worst should occur, and your storage resources are breached, you'll still have your data, which prevents the hacker from trying to 'sell' it back to you by holding it ransom."