Data storage security involves protecting storage resources and the data stored on them – both on-premises and in external data centers and the cloud – from accidental or deliberate damage or destruction and from unauthorized users and uses. It’s an area that is of critical importance to enterprises because the majority of data breaches are ultimately caused by a failure in data storage security.
Well-designed data storage security is also mandated by various compliance regulations such as PCI-DSS and the EU’s General Data Protection Regulation (GDPR), thus adding legal weight to storage security demands. Increasingly, security companies are tailoring security solutions to help companies comply with those regulations, such as the growing market for GDPR solutions.
In general, good data storage security minimizes the risk of an organization suffering data theft, unauthorized disclosure of data, data tampering, accidental corruption or destruction, and seeks to ensure accountability and authenticity of data as well as regulatory and legal compliance.
Threats to data security
Before looking at how to implement data storage security, it is important to understand the types of threats organizations face.
Threat agents can be divided into two categories: external and internal.
External threat agents include:
- Nation states
- Hackers, cybercriminals, organized crime groups
- Competitors carrying out “industrial espionage”
Internal threat agents include:
- Malicious insiders
- Poorly trained or careless staff
- Disgruntled employees
Other threats include:
- Fire, flooding and other natural disasters
- Power outages
Data storage security principles
At the highest level, data storage security seeks to ensure “CIA” – confidentiality, integrity, and availability.
- Confidentiality: Keeping data confidential by ensuring that it cannot be accessed either over a network or locally by unauthorized people is a key storage security principle for preventing data breaches.
- Integrity: Data integrity in the context of data storage security means ensuring that the data cannot be tampered with or changed.
- Availability: In the context of data storage security, availability means minimizing the risk that storage resources are destroyed or made inaccessible either deliberately – say during a DDoS attack – or accidentally, due to a natural disaster, power failure, or mechanical breakdown.
How to protect data storage assets
The relevant international standard for storage security is ISO/IEC 27040, which calls for the application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them. It notes that these controls may be: preventive; detective; corrective; deterrent; recovery; or compensatory in nature.
The bottom line, according to the Storage Networking Industry Association (SNIA) is that ISO/IEC 27040 defines best practices that ultimately set the minimum expectations for storage security.
Data storage security: Physical controls
Physical controls are designed to protect storage resources and the data they contain from physical, as opposed to logical, access by unauthorized or malicious persons.
These physical controls come in many forms but may include:
- Guards or other security personnel monitoring data centers and storage resources to prevent unauthorized access
- CCTV monitoring with video retention
- Access controls such as biometric readers or smart card readers to prevent unauthorized access, along with anti-tailgating/anti pass-back turnstile gates that permit only one person to pass through after authentication
- Internal environment monitoring using systems such as temperature sensors and smoke detectors
- Alternative power sources such as a backup generator
Data storage security: Technical controls
Technical controls include many of the security procedures that are familiar to IT security professionals such as network perimeter security measures, intrusion detection and prevention systems, firewalls, and anti-malware filtering.
In relation to data storage security in particular, the following controls are recommended:
User authentication and access controls: SNIA recommends focusing much of the data storage security effort on user authentication and access controls to help provide secure access to authorized users while keeping unauthorized users out. Many commercial user access and control security systems are available to protect storage resources and data, and best practices dictate taking the following precautions in particular when using them:
- Changing all default credentials
- Avoiding the use of shared credentials, which make accountability difficult or impossible
- Ensuring that users have the minimum privileges they need to carry out their role
- Ensuring that user access rights are retired automatically as part of the HR termination process when employees leave or are transferred to a new role
Traffic profiling: One of the most useful controls that can be applied to data storage security is the profiling of normal data access and movement patterns so that anomalous or suspicious behavior can be detected and flagged for closer investigation. This can be achieved using user and entity behavior analytics (UEBA) software, which is increasingly being incorporated into security information and event management (SIEM) solutions.
Monitoring and reporting: SNIA recommends implementing effective monitoring and reporting capabilities, including enabling application as well as systems logs, to help detect and understand security breaches and prevent similar ones in the future.
Protection of management interfaces: Many organizations set controls to protect data storage resources and data from unauthorized access while forgetting to secure the management systems themselves. This could enable an attacker to set themselves up with access credentials or elevate their privileges, enabling them to access data that they should not.
This is by no means a comprehensive list of technical controls. Other storage security measures that should be considered include:
- Strong encryption for data both at rest in storage systems and in motion on the network. This needs to be applied with an effective key management system.
- Endpoint protection for all PCs, laptops and other devices that can access data to minimize the risk of malicious software being installed that could compromise stored data.
- Special measures to protect databases that contain credit card information and other valuable or commercially sensitive data. Database security best practices include database hardening, the use of database firewalls, database activity monitoring and other database security tools.
- Effective lifecycle management for data and storage devices, which ensures that data is securely deleted (including from the cloud) when no longer required. This follows the principal that attackers cannot compromise data that is no longer there. A procedure should also be in place for the secure deletion or destruction of obsolete storage media.
Storage Security: Administrative controls
Administrative controls come down to the three Ps: Policy, Planning, and Procedures, all of which play an important role in data storage security. In particular, security policies for data should include where different types of data can be stored, who can access it, how it should be encrypted, and when it should be deleted.
SNIA recommends considering:
- Incorporating storage considerations into policies after identifying the most sensitive and business-critical data categories and their protection requirements
- Integrating storage-specific policies with other policies where possible
- Addressing data retention and protection
- Addressing data destruction and media sanitization
- Ensuring that all elements of storage infrastructure comply with policies
Compliance considerations for data storage security
Depending on the industries your organization operates in, and the countries in which it does business, your company may be subject to one or more regulations that have implications for storage security, including PCI-DSS, Sarbanes Oxley, HIPAA, and GDPR, among others.
Penalties for failing to protect data under these regulations can be severe – including heavy fines and custodial sentences – yet in some cases they do not prescribe specific security measures.
For example, encryption is mentioned in GDPR, but its use is not mandatory. But in the case of a serious breach, the fact that encryption was not used would reflect badly on an organization, and could even be used to establish that insufficient measures were in place to comply with GDPR.
Other regulations are more specific. For example, PCI-DSS requires that cardholder data be encrypted when transmitted across open public networks.
The key thing to remember is that regulations are designed to help ensure that security is effective. Attaining regulatory compliance does not mean that an organization is secure, but it is very rare that measures taken to ensure compliance would make an organization less secure than they otherwise would be.