Amit Rawlani, Director of Solutions & Technology Alliances, Cloudian

State of Business Today

In this blog, we take a look at an organization’s security considerations, specifically from a CIO’s perspective. Here are three questions every CIO should ask about data storage security.

Question #1: How are we protecting data-in-flight and data-at-rest?

How costly? The average cost of a data breach for a US enterprise is estimated at $8.64 million*. Experiencing a data breach is also embarrassing. It’s an uncomfortable position having to notify your customers that their information—data they entrusted to you—has been compromised. And, of course, there are the time and resource costs of remediation: finding out how the breach occurred, assessing the extent of the damage that was done, defending your organization against legal action, and putting in place new measures and solutions to prevent the same problem from happening again.

  • Data can be stolen in many ways – cloud, on-premise, in-flight

Data can also be breached through a process called “eavesdropping.” With this technique, hackers “listen” to data communications, looking for passwords or other information being transmitted in plaintext.  In addition to securing data already in storage, CIO’s also have to ensure that the process of acquiring and moving data within the organization is secured.

The best defense is to use data encryption and secure transport protocols. This means looking closely at the features your storage system supports. For strong data storage security, here are some of the features to look for:

  • Server-side Encryption (SSE)
  • Amazon Web Services Key Management Service (AWS KMS)
  • OASIS Key Management Interoperability Protocol (KMIP)
  • Transport Layer Security / Secure Socket Layer (TLS/SSL)

These features, when deployed appropriately across all your storage platforms, make your data assets a lot more secure.

Question #2: Can our data be made immutable?

  • Data immutability

A new type of malware that is very prevalent and vicious in today’s world is ransomware. Typically, if your network security is breached, data security methodologies listed in the first question secure the organization’s data from being read. Ransomware, however, attacks in a different way. A cryptographic attack encrypts the organization’s data where it resides (or makes a copy of the data and deletes the original) and brings the business to a halt. The only way out is to pay a ransom, typically in bitcoin or other cryptocurrencies, and get the decryption key to unlock your business-critical data.

The best way to defend against a ransomware attack is to ensure you have tamperproof or immutable backup copies of your data. That way, if critical files become inaccessible, you can restore them from backups and continue operations without paying a ransom.

Writing files to magnetic tape is the most common way to ensure data immutability. But storing data on tape is a legacy solution with its own issues that are too large to list in this blog. Data immutability can be achieved best when utilizing storage with WORM (write once, ready many) capability. The primary benefit of WORM is that once the data is written to media, it can no longer be changed.

S3 Object Lock has quickly become the de-facto standard for data immutability in public/private cloud storage systems. With the popularity of object-based storage, the need for data immutability is increasing. With Object Lock, you can specify policies at the bucket level or object level to “lock” data for a certain period of time.

Question #3: Does our data storage architecture meet our compliance requirements?

As a CIO, you already know how important it is to make sure your systems are compliant with industry requirements. Compliance is a multi-faceted, complex undertaking. It involves due diligence, looking at all aspects of your operation—people, processes, and technology—to ensure requirements are being met. Evaluating a storage system on all of these is time-consuming and cumbersome.

The easy answer is to look at the security compliance certifications that your storage infrastructure vendor has acquired. Typically, such third-party security validation is rigorous, time, and resource-intensive for the storage vendor to pass, and therefore a reliable, unbiased means of comparing the data security of one storage vendor to another. Some of the security certifications /validations every CIO should look for:

Common Criteria (CC)

The Common Criteria for Information Technology Security Evaluation—better known simply as Common Criteria (CC)—is an internationally-developed standard (ISO/IEC 15408) for computer security.

Federal Information Processing Standard (FIPS)

FIPS is a U.S. standard developed by the National Institute of Standards and Technology (NIST). It establishes a set of requirements for technology solutions and is used by U.S. government agencies when evaluating products and solutions.

SEC Rule 17a-4

SEC Rule 17a-4 is a regulation issued by the U.S. Securities and Exchange Commission that specifies (amongst other things) requirements for a WORM classification of the storage system.

*Source: https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/

Next Steps:

A comprehensive security program is essential to ensure your organization is protected. And strong data storage security is a fundamental component of an effective program. Cloudian HyperStore is an on-prem object storage platform with a hardened security profile and the industry’s longest list of certifications for secure data storage.

To learn more about Cloudian HyperStore security, please visit https://cloudian.com/security.