Four critical data storage security questions CIOs must ask

Keeping data safe and protecting it from unauthorised access is a critical part of having a robust cybersecurity posture and is a top priority for CIOs and CISOs. Neil Stobart, VP Global Systems Engineering, Cloudian, discusses the four questions every CIO should be asking when it comes to securing their organisation’s data.

With each data breach comes another tale of millions lost, untold reputational damage and the set-back of costly recovery procedures. CIOs are under tremendous pressure to keep data secure and to maintain trust with customers, while avoiding financial loss.

It is critical that CIOs take the time to review their current systems and ask these four vital data storage security questions, ensuring data is protected from threats and cannot be compromised.

Can our data be made immutable?

The FBI has deemed ransomware the fastest growing malware threat, causing significant revenue loss, operational downtime and reputational damage. As ransomware encrypts data at the storage layer, backup data copies run the risk of being targeted in an attack. To avoid having to pay the ransom to decrypt data, organisations must ensure they have an immutable backup copy of data that can be restored in the event of an attack.

Magnetic tape storage allows backup copies to be physically removed and stored separately, making that copy invulnerable to ransomware attacks. However, while an effective defence, tape is slow to recover from and takes extensive time and resources to manage.

Object storage can also be leveraged to make data immutable, without the drawbacks of tape. A feature known as Object Lock is supported in select object storage systems and uses WORM (Write Once Read Many) technology to make backup data copies immutable for a set time frame. Once backup data is written, it cannot be changed or deleted until the time is up, meaning hackers can’t encrypt the data and a clean copy is available for quick and easy restore if an attack occurs. Object Lock works the same on-premises, in a private cloud or in the public cloud.
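As an added illustration (not Cloudian's code or any vendor's API), this Python model reproduces the WORM retention behaviour described above: every write lands as a new read-only version, and a version cannot be deleted until its retain-until time passes, so the clean copy survives an in-place overwrite and remains available for restore. The bucket class, object names and sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class RetentionLockError(PermissionError):
    """Raised when an operation would violate an active retention lock."""

@dataclass
class Version:
    data: bytes
    retain_until: datetime

@dataclass
class ObjectLockBucket:
    """In-memory model of a WORM bucket: every PUT is a new, read-only version."""
    retention: timedelta                           # default retention applied on PUT
    _versions: dict = field(default_factory=dict)  # (key, version_id) -> Version
    _next_id: int = 0

    def put(self, key, data, now):
        """Store a new version; existing versions are never modified in place."""
        self._next_id += 1
        self._versions[(key, self._next_id)] = Version(data, now + self.retention)
        return self._next_id

    def get(self, key, version_id):
        return self._versions[(key, version_id)].data

    def delete(self, key, version_id, now):
        """Deletion is refused until the version's retain-until time has passed."""
        v = self._versions[(key, version_id)]
        if now < v.retain_until:
            raise RetentionLockError(f"{key} v{version_id} locked until {v.retain_until:%Y-%m-%d}")
        del self._versions[(key, version_id)]

def demo_locked_backup_survives_overwrite():
    """Constructed scenario: a clean backup is written, then overwritten with ciphertext
    a day later; the locked clean version is refused deletion and stays restorable."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    bucket = ObjectLockBucket(retention=timedelta(days=30))
    clean = bucket.put("backup.tar", b"clean backup", t0)
    bucket.put("backup.tar", b"<ciphertext>", t0 + timedelta(days=1))  # new version, not an edit
    try:
        bucket.delete("backup.tar", clean, t0 + timedelta(days=1))
        refused = False
    except RetentionLockError:
        refused = True
    restored = bucket.get("backup.tar", clean)
    bucket.delete("backup.tar", clean, t0 + timedelta(days=31))  # allowed once retention expires
    return {"delete_refused": refused, "restored": restored, "versions_left": len(bucket._versions)}
```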

How are we protecting data at-rest?

Data theft is increasingly common today. Hackers threaten to expose a company’s proprietary information unless a ransom is paid. To protect your data from theft, it’s essential that it be encrypted on the storage device. CIOs would be wise to deploy AES-256 encryption, the specification established by the US National Institute of Standards and Technology (NIST), using either a system-generated encryption key (regular SSE) or a customer-provided and managed encryption key (SSE-C). With SSE-C, the key is submitted with each upload and download request over HTTPS, and the system does not retain a copy of the encryption key.

How are we protecting in-flight data?

It’s common for data to be breached through ‘eavesdropping’, where hackers ‘listen’ to data communications, looking for passwords or other information transmitted in plaintext. CIOs must ensure data is secured both in transit and within their storage system.

Leveraging data encryption and secure transport protocols is the best defence against eavesdropping. CIOs should ensure their storage system supports these features:

  • Server-Side Encryption (SSE)
  • Amazon Web Services Key Management Service (AWS KMS)
  • OASIS Key Management Interoperability Protocol (KMIP)
  • Transport Layer Security / Secure Sockets Layer (TLS/SSL)

Is our storage infrastructure fully compliant?

As CIOs know, storage systems must be compliant with industry regulations. CIOs should ensure their storage infrastructure has the following security certifications/validations to save time evaluating whether an enterprise’s storage system meets industry requirements:

  • Common Criteria (CC): The Common Criteria for Information Technology Security Evaluation, better known simply as Common Criteria, is an internationally developed standard (ISO/IEC 15408) for computer security that attests to storage being tamper-proof.
  • Federal Information Processing Standard (FIPS): FIPS is a US standard developed by NIST. It establishes a set of requirements for technology solutions and is used by US government agencies when evaluating products and solutions.
  • SEC Rule 17a-4: This is a regulation issued by the US Securities and Exchange Commission that specifies (among other things) requirements for a WORM classification of the storage system.

Because storage vendors must invest extensive time and resources to pass most third-party security validations, having these certifications in place is a good way to confirm that the storage system is secure.

Asking these four questions is the first step for CIOs to take in securing their organisation’s data. By doing so, they can then take the recommended actions to ensure their data is protected in-flight and at-rest, backed up with data immutability and stored in systems that meet rigorous security certification requirements.

Intelligent CISO