Data storage security involves protecting storage resources and the data stored on them – both on-premises and in external data centers and the cloud – from accidental or deliberate damage or destruction and from unauthorized users and uses. It’s an area that is of critical importance to enterprises because the majority of data breaches are ultimately caused by a failure in data storage security.
Well-designed data storage security is also mandated by various compliance regulations such as PCI-DSS and the EU’s General Data Protection Regulation (GDPR), thus adding legal weight to storage security demands. Increasingly, security companies are tailoring security solutions to help companies comply with those regulations, such as the growing market for GDPR solutions.
In general, good data storage security minimizes the risk of an organization suffering data theft, unauthorized disclosure of data, data tampering, accidental corruption or destruction, and seeks to ensure accountability and authenticity of data as well as regulatory and legal compliance.
Before looking at how to implement data storage security, it is important to understand the types of threats organizations face.
Threat agents can be divided into two categories: external and internal.
External threat agents include:
Internal threat agents include:
Other threats include:
At the highest level, data storage security seeks to ensure “CIA” – confidentiality, integrity, and availability.
The relevant international standard for storage security is ISO/IEC 27040, which calls for the application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them. It notes that these controls may be preventive, detective, corrective, deterrent, recovery or compensatory in nature.
The bottom line, according to the Storage Networking Industry Association (SNIA), is that ISO/IEC 27040 defines best practices that ultimately set the minimum expectations for storage security.
Physical controls are designed to protect storage resources and the data they contain from physical, as opposed to logical, access by unauthorized or malicious persons.
These physical controls come in many forms but may include:
Technical controls include many of the security procedures that are familiar to IT security professionals such as network perimeter security measures, intrusion detection and prevention systems, firewalls, and anti-malware filtering.
In relation to data storage security in particular, the following controls are recommended:
User authentication and access controls: SNIA recommends focusing much of the data storage security effort on user authentication and access controls to help provide secure access to authorized users while keeping unauthorized users out. Many commercial user-authentication and access-control products are available to protect storage resources and data, and best practices dictate taking the following precautions in particular when using them:
Traffic profiling: One of the most useful controls that can be applied to data storage security is the profiling of normal data access and movement patterns so that anomalous or suspicious behavior can be detected and flagged for closer investigation. This can be achieved using user and entity behavior analytics (UEBA) software, which is increasingly being incorporated into security information and event management (SIEM) solutions.
Monitoring and reporting: SNIA recommends implementing effective monitoring and reporting capabilities, including enabling application as well as systems logs, to help detect and understand security breaches and prevent similar ones in the future.
Protection of management interfaces: Many organizations set controls to protect data storage resources and data from unauthorized access while forgetting to secure the management systems themselves. An attacker who reaches an unprotected management interface could create access credentials for themselves or elevate their privileges, and thereby access data that they should not.
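The traffic profiling and log monitoring controls above can be illustrated with a small baseline-and-deviation check. The following is an added example, not code from the article or from SNIA; the audit-log format ("ISO timestamp, user, share, operation, bytes"), the sample lines and the z-score and hour thresholds are all constructed assumptions for the demo.

```python
# Toy traffic-profiling check over constructed storage (NAS) audit log lines.
# Added example, not from the article; log format and thresholds are assumptions for the demo.
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_LOG = """\
2024-05-06T09:12:00 alice /finance read 120000
2024-05-06T10:40:00 alice /finance read 95000
2024-05-07T09:05:00 alice /finance read 110000
2024-05-07T14:30:00 alice /hr read 80000
2024-05-06T09:00:00 bob /eng read 2000000
2024-05-07T09:30:00 bob /eng read 2500000
"""  # constructed "normal" week used to build the profiles
NEW_LOG = """\
2024-05-09T09:20:00 alice /finance read 115000
2024-05-09T02:10:00 alice /finance read 100000
2024-05-09T10:00:00 alice /finance read 4000000
2024-05-09T10:30:00 alice /backups read 90000
2024-05-09T09:45:00 bob /eng read 2100000
2024-05-09T12:00:00 carol /finance read 5000
"""  # constructed later activity to score against the profiles

def parse(log):
    for line in log.splitlines():
        ts, user, share, op, size = line.split()
        yield {"ts": ts, "hour": int(ts[11:13]), "user": user,
               "share": share, "op": op, "bytes": int(size)}

def build_profiles(log):
    """Per-user baseline: read-size statistics, shares touched, hours active."""
    by_user = defaultdict(list)
    for ev in parse(log):
        by_user[ev["user"]].append(ev)
    return {u: {"mean": mean([e["bytes"] for e in evs]),
                "std": pstdev([e["bytes"] for e in evs]),
                "shares": {e["share"] for e in evs},
                "hours": {e["hour"] for e in evs}} for u, evs in by_user.items()}

def detect(profiles, log, z=3.0):
    """Return (user, timestamp, reason) for events outside the user's profile."""
    alerts = []
    for ev in parse(log):
        p = profiles.get(ev["user"])
        if p is None:  # no baseline at all: an identity never seen reading storage
            alerts.append((ev["user"], ev["ts"], "unknown user"))
            continue
        checks = [(ev["bytes"] > p["mean"] + z * max(p["std"], 1), "volume"),
                  (ev["share"] not in p["shares"], "new share"),
                  (ev["hour"] not in p["hours"], "off-hours")]
        alerts += [(ev["user"], ev["ts"], why) for hit, why in checks if hit]
    return alerts
```

Running `detect(build_profiles(BASELINE_LOG), NEW_LOG)` flags the 02:10 read (off-hours), the 4 MB read (volume), the first touch of /backups (new share) and the never-seen user carol, while the routine reads by alice and bob pass silently.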
This is by no means a comprehensive list of technical controls. Other storage security measures that should be considered include:
Administrative controls come down to the three Ps: Policy, Planning, and Procedures, all of which play an important role in data storage security. In particular, security policies for data should include where different types of data can be stored, who can access it, how it should be encrypted, and when it should be deleted.
SNIA recommends considering:
Depending on the industries your organization operates in, and the countries in which it does business, your company may be subject to one or more regulations that have implications for storage security, including PCI-DSS, Sarbanes-Oxley, HIPAA, and GDPR, among others.
Penalties for failing to protect data under these regulations can be severe – including heavy fines and custodial sentences – yet in some cases they do not prescribe specific security measures.
For example, encryption is mentioned in GDPR, but its use is not mandatory. In the case of a serious breach, however, the fact that encryption was not used would reflect badly on an organization, and could even be used to establish that insufficient measures were in place to comply with GDPR.
Other regulations are more specific. For example, PCI-DSS requires that cardholder data be encrypted when transmitted across open public networks.
The key thing to remember is that regulations are designed to help ensure that security is effective. Attaining regulatory compliance does not mean that an organization is secure, but it is very rare that measures taken to ensure compliance would make an organization less secure than it otherwise would be.
eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.