How Object Storage Can Help Fight Ransomware

No organization is immune to the proliferation of ransomware. As some recent attacks have demonstrated, even companies that aren’t directly attacked can be impacted by a major ransomware attack. And that means no organization can ignore the problem. While your storage solution isn’t a direct cybersecurity solution, it can actually play a key role in your company’s overall security posture and go a long way toward keeping your important data secure.

Within an enterprise IT organization, there’s the overall IT infrastructure stack—composed of servers, networks and storage—as well as the network security layer including firewalls. Each layer of the stack plays a role in helping maintain a strong security posture, and storage is no exception. Multiple types and presentations of storage are deployed today including NAS, SAN and object storage, each optimized for different types of data, workloads and use cases. 

Given the rapid growth of unstructured data content, object storage has become a common cornerstone of modern enterprise IT environments. From an industry perspective, object storage is deployed widely in security-sensitive domains such as financial services, health care (hospitals and biosciences), government agencies and more. Ransomware attacks are a current and real threat in these industries. A study by Cybersecurity Ventures found that attacks now occur globally every 11 seconds on average. While these attacks can take many forms, a common type involves encrypting user data, with the threat that the data will not be released (decrypted), or will even be deleted, if a ransom is not paid. Attackers continuously innovate with new attack approaches and vectors, making preventing ransomware attacks a huge challenge. Today’s IT best practices assume that these attacks will happen and call for implementing measures and processes to protect against, detect and, ultimately, recover from these attacks.

From a solutions perspective, ransomware attacks are now considered inevitable, not an “if” but a “when.” Smart enterprises are now implementing best practices that expect them to occur. Since ransomware attacks are typically long-lived and measured in weeks or months, enterprises should be prepared for early detection, protection and recovery from these attacks. While object storage (and storage in general) is part of an overall secure infrastructure stack, the object storage layer should also provide capabilities to help protect and recover from attacks.

The Network, Application and Storage Layer

To start, object storage is typically deployed in a data center behind other security layers and services. This includes secure firewalls, network security, application servers (which also provide authentication and access control at this layer) and, ultimately, data storage.

Authentication is about making sure your user is who they say they are. An object storage solution should validate your users when they’re coming in and ensure they are authorized. In an ideal setup, a user would first create an account and then, within the account, they would need to present their access keys. Otherwise, they’re unable to do anything, be it creating an object or reading something. AWS uses this type of authentication, which it calls Signature Version 4 authentication.

This is an important step in making sure that only authorized users can access the information in your store and that bad actors are kept out. This is also a requirement in a scale-out solution where multiple users or application data are consolidated. Some object storage solutions provide a multi-tenancy model, or what’s referred to as identity and access management (IAM) in the AWS cloud. This provides the notion of separated tenant accounts and users to ensure data is kept isolated and inaccessible to unauthorized users. 

Once you’ve authenticated, the question is: What can the user do? With an object storage solution, you can use the principle of least-privilege access—enforcing the minimal level of user rights or lowest clearance level needed for a user to perform their job. The administrator has to explicitly allow some actions to happen. Solutions should provide granular control to allow/deny access to specific actions on data. Some modern object storage systems now provide integration with popular directory services such as Active Directory and Kerberos, to centralize user identity management for access to the storage system.
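The allow/deny model described above, as an added example that is not from the original article or any vendor's code: a small evaluator in which nothing is permitted unless a statement allows it and an explicit deny always wins. The policy, the `backups` bucket, the ARNs and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy for a hypothetical backup-writer identity, in the
# statement shape AWS-style policies use. It may add and read objects, but
# can never delete object versions or change the bucket's versioning state.
BACKUP_WRITER_POLICY = [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::backups/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::backups"]},
    {"Effect": "Deny", "Action": ["s3:DeleteObject*", "s3:PutBucketVersioning"],
     "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]},
]


def _matches(patterns, value):
    # '*' wildcards only; real policy engines have richer matching rules.
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Default deny: a request passes only if some Allow matches and no Deny does."""
    allowed = False
    for stmt in policy:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides any Allow
            allowed = True
    return allowed


def audit(policy, requests):
    """Return the (action, resource) pairs the policy would refuse."""
    return [r for r in requests if not is_allowed(policy, *r)]


if __name__ == "__main__":
    obj = "arn:aws:s3:::backups/db/ledger.sql"
    refused = audit(BACKUP_WRITER_POLICY, [
        ("s3:PutObject", obj),
        ("s3:DeleteObjectVersion", obj),
        ("s3:PutBucketVersioning", "arn:aws:s3:::backups"),
        ("s3:GetObject", "arn:aws:s3:::finance/q1.xlsx"),
    ])
    for action, resource in refused:
        print("DENY", action, resource)
```

A writer limited this way can still overwrite existing keys with `s3:PutObject`, which is why the versioning and locking features covered later in the article matter.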

Implementing Encryption

Encryption is another key component; there are two parts. First is the in-flight data and requests. In-flight means that if a request comes into the system, that request should be encrypted. That way, no snooping technology and no bad actor grabbing packets on the wire can figure out what the request is. That’s usually done through SSL (Secure Sockets Layer), which means security certificates. You can have an encrypted, secure connection into the system all the way to the endpoint—that’s for both the data and the commands. The command comes in and nobody can figure out what it is unless they have a valid certificate; it’s internal to the system.

There are SSL connections going on between the different services; that’s the in-flight part. Then you have what people call encryption at rest, which is encryption where the data is stored. That’s the second part of encryption. The last thing you want is a malicious actor accessing the system and grabbing and reading all the data. If you can encrypt the data, it loses its value because bad actors can’t access it. 

Object-level encryption is available in some storage solutions. You can decide per object whether it should be encrypted or not. This came about years ago when the health care field started storing medical images. Understandably, almost all medical image storage is encrypted. This important idea has made its way across industries so that any organization can now use it to its advantage.

An encryption key is a crucial piece of technology for this process. The storage system has to be able to encrypt and decrypt data, but it must not hold both the encrypted data and the key to decrypt it. That would be a violation of the principle of encryption. Organizations can use a key management server (KMS), which means there’s a trusted entity that holds those encryption keys apart from the data.

Ransomware Protection in Object Storage

Object storage naturally provides data immutability, meaning data cannot be updated in place, unlike with a file system. Instead, its basic behavior only provides create, read and delete actions. This data immutability aspect is a fundamental difference from other storage models such as POSIX-based file systems, which naturally allow data to be modified in place, including incremental changes to an existing file. Moreover, many modern object storage systems follow the Amazon S3 Bucket Versioning API, which provides versioning of object data. By enabling versioning at the S3 Bucket (container) layer, any write to an existing object will retain the previous version before storing the new version. This naturally provides a recovery capability to the previous version state of the object.

A few object storage systems now also implement a further step in data immutability: Object locking through the Amazon S3 Object Lock API. Essentially, this implements an irrevocable retention period on data during which the object cannot be updated, modified or deleted. This capability is strong enough to be validated for use in financial services and SEC compliance environments and blessed by certifying agencies such as Cohasset Associates. 

Through natural data immutability, object versioning and object locking, object storage provides near-bulletproof ransomware protection and recovery capability for mission-critical use cases. 
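How versioning turns into a recovery procedure, as an added example that is not from the original article: given a version listing and the time the attack was detected to have started, work out which version of each affected key to bring back. The listing is constructed in the shape of an S3 ListObjectVersions response; the keys, version IDs, timestamps and function names are assumptions.

```python
from datetime import datetime, timezone


def ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed listing in the shape of an S3 ListObjectVersions response.
LISTING = {
    "Versions": [
        {"Key": "db/ledger.sql", "VersionId": "v1", "LastModified": ts("2024-03-01T02:00:00")},
        {"Key": "db/ledger.sql", "VersionId": "v2", "LastModified": ts("2024-03-08T02:00:00")},
        {"Key": "db/ledger.sql", "VersionId": "v3", "LastModified": ts("2024-03-10T14:05:00")},
        {"Key": "img/scan.dcm", "VersionId": "a1", "LastModified": ts("2024-02-20T09:00:00")},
        {"Key": "logs/app.log", "VersionId": "l1", "LastModified": ts("2024-03-09T23:00:00")},
        {"Key": "READ_ME.txt", "VersionId": "n1", "LastModified": ts("2024-03-10T14:06:00")},
    ],
    "DeleteMarkers": [
        {"Key": "img/scan.dcm", "VersionId": "d1", "LastModified": ts("2024-03-10T14:07:00")},
    ],
}


def recovery_plan(listing, attack_start):
    """Map each key touched since attack_start to the version to restore."""
    history = {}
    for kind in ("Versions", "DeleteMarkers"):
        for entry in listing.get(kind, []):
            history.setdefault(entry["Key"], []).append(
                (entry["LastModified"], kind, entry["VersionId"]))
    plan = {}
    for key, entries in history.items():
        entries.sort()
        before = [e for e in entries if e[0] < attack_start]
        after = [e for e in entries if e[0] >= attack_start]
        if not after:
            continue  # untouched during the attack window
        # Restore only if the key held live data (not a delete marker) before.
        live = before and before[-1][1] == "Versions"
        plan[key] = {"restore": before[-1][2] if live else None,
                     "undo": [version_id for _, _, version_id in after]}
    return plan


if __name__ == "__main__":
    for key, step in recovery_plan(LISTING, ts("2024-03-10T14:00:00")).items():
        print(key, step)
```

On a versioned bucket, permanently removing the `undo` version IDs (overwrites and delete markers alike) makes the `restore` version current again. The plan only works if the pre-attack versions still exist, which is what an Object Lock retention period guarantees.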

Ransomware has increased exponentially in the past year, and no sector seems to have gone unscathed. There’s a lot of fear, uncertainty and doubt about what organizations need to stay safe. Your storage solution can, however, play a role in your security posture and help protect your sensitive information. Authentication and encryption are the technologies that help your storage solution act as a defense against ransomware. Authentication controls access, and encryption makes your data useless to criminals. Consider strong authentication and object-level encryption as partners in your security strategy.

Paul Speciale

Paul Speciale is chief product officer at Scality.
