How can you protect confidentiality of data at-rest against physical theft of a hard drive?

Data storage security involves protecting storage resources and the data stored on them – both on-premises and in external data centers and the cloud – from accidental or deliberate damage or destruction and from unauthorized users and uses. It’s an area that is of critical importance to enterprises because the majority of data breaches are ultimately caused by a failure in data storage security.

Secure Data Storage:

Secure data storage applies to data at rest stored in computer/server hard disks, portable devices – like external hard drives or USB drives – as well as online/cloud, network-based storage area network (SAN) or network attached storage (NAS) systems.

How Secure Data Storage is Achieved:

• Data encryption
• Access control mechanism at each data storage device/software
• Protection against viruses, worms and other data corruption threats
• Physical/manned storage device and infrastructure security
• Enforcement and implementation of layered/tiered storage security architecture

Secure data storage is essential for organizations which deal with sensitive data, both in order to avoid data theft, as well as to ensure uninterrupted operations.

Data Security vs Data Protection:

Storage security and data security are closely related to data protection. Data security primarily involves keeping private information out of the hands of anyone not authorized to see it. It also includes protecting data from other types of attacks, such as ransomware that prevents access to information or attacks that alter data, making it unreliable.

Data protection is more about making sure data remains available after less nefarious incidents, like system or component failures or even natural disasters.

But the two overlap in their shared need to ensure the reliability and availability of information, as well as in the need to recover from any incidents that might threaten an organization’s data. Storage professionals often find themselves dealing with data security and data protection issues at the same time, and some of the same best practices can help address both concerns.

Threats to Data Security:

Before looking at how to implement data storage security, it is important to understand the types of threats organizations face.

Threat agents can be divided into two categories: external and internal.

External threat agents include:

• Nation states
• Terrorists
• Hackers, cybercriminals, organized crime groups
• Competitors carrying out “industrial espionage”

Internal threat agents include:

• Malicious insiders
• Poorly trained or careless staff
• Disgruntled employees

Other threats include:

• Fire, flooding and other natural disasters
• Power outages

Storage Vulnerabilities:

Another huge driver of interest in data storage security is the vulnerabilities inherent in storage systems. They include the following:

• Lack of encryption — While some high-end NAS and SAN devices include automatic encryption, plenty of products on the market do not include these capabilities. That means organizations need to install separate software or an encryption appliance in order to make sure that their data is encrypted.

• Cloud storage — A growing number of enterprises are choosing to store some or all of their data in the cloud. Although some argue that cloud storage is more secure than on-premises storage, the cloud adds complexity to storage environments and often requires storage personnel to learn new tools and implement new procedures in order to ensure that data is adequately secured.

• Incomplete data destruction — When data is deleted from a hard drive or other storage media, it may leave behind traces that could allow unauthorized individuals to recover that information. It’s up to storage administrators and managers to ensure that any data erased from storage is overwritten so that it cannot be recovered.

• Lack of physical security — Some organizations don’t pay enough attention to the physical security of their storage devices. In some cases they fail to consider that an insider, like an employee or a member of a cleaning crew, might be able to access physical storage devices and extract data, bypassing all the carefully planned network-based security measures.

Data Storage Security Principles:

At the highest level, data storage security seeks to ensure “CIA” – confidentiality, integrity, and availability.

• Confidentiality: Keeping data confidential by ensuring that it cannot be accessed either over a network or locally by unauthorized people is a key storage security principle for preventing data breaches.
• Integrity: Data integrity in the context of data storage security means ensuring that the data cannot be tampered with or changed.
• Availability: In the context of data storage security, availability means minimizing the risk that storage resources are destroyed or made inaccessible either deliberately – say during a DDoS attack – or accidentally, due to a natural disaster, power failure, or mechanical breakdown.

Data Security Best Practices:

In order to respond to these technology trends and deal with the inherent security vulnerabilities in their storage systems, experts recommend that organizations implement the following data security best practices:

1. Data storage security policies — Enterprises should have written policies specifying the appropriate levels of security for the different types of data that it has. Obviously, public data needs far less security than restricted or confidential data, and the organization needs to have security models, procedures and tools in place to apply appropriate protections. The policies should also include details on the security measures that should be deployed on the storage devices used by the organization.
2. Access control — Role-based access control is a must-have for a secure data storage system, and in some cases, multi-factor authentication may be appropriate. Administrators should also be sure to change any default passwords on their storage devices and to enforce the use of strong passwords by users.
3. Encryption — Data should be encrypted both while in transit and at rest in the storage systems. Storage administrators also need to have a secure key management systems for tracking their encryption keys.
4. Data loss prevention — Many experts say that encryption alone is not enough to provide full data security. They recommend that organizations also deploy data loss prevention (DLP) solutions that can help find and stop any attacks in progress.
5. Strong network security — Storage systems don’t exist in a vacuum; they should be surrounded by strong network security systems, such as firewalls, anti-malware protection, security gateways, intrusion detection systems and possibly advanced analytics and machine learning based security solutions. These measures should prevent most cyberattackers from ever gaining access to the storage devices.
6. Strong endpoint security — Similarly, organizations also need to make sure that they have appropriate security measures in place on the PCs, smartphones and other devices that will be accessing the stored data. These endpoints, particularly mobile devices, can otherwise be a weak point in an organization’s cyberdefenses.
7. Redundancy — Redundant storage, including RAID technology, not only helps to improve availability and performance, in some cases, it can also help organizations mitigate security incidents.
8. Backup and recovery — Some successful malware or ransomware attacks compromise corporate networks so completely that the only way to recover is to restore from backups. Storage managers need to make sure that their backup systems and processes are adequate for these type of events, as well as for disaster recovery purposes. In addition, they need to make sure that backup systems have the same level of data security in place as primary systems.

Hypertec’s Professional IT Services On Demand:

Hypertec Professional IT Services offers a team of technical experts and project management professionals to help you maximize your investment in information technology. Hypertec’s experienced team offers a variety of professional services from consulting to deployment designed to help you realize a faster time to value.

Do you know how much time is spent unproductively while you or your staff attempt to self-configure and patch problems by phone? Hypertec offers a variety of managed services including network monitoring and remote-control support to do automatic updates. Fewer support sessions mean the IT department can focus on important tasks at hand.

How do you protect your data at rest?

How do you secure data at rest in use and in motion?

How should they protect their customer's information at rest and in transit?

How do you protect data and files?