Storage is an integral part of every organization’s infrastructure. Cybersecurity is a vital element of every organization’s strategy. Yet somehow the two are rarely connected—and the lack of storage security is a gap that’s putting organizations at risk.
When it comes to preventing hackers from getting at their data, most organizations focus their security posture on protecting their perimeter and endpoints, and on analyzing traffic and user activity trends to detect anomalies. Today, IT leaders understand that attackers may eventually slip past even the best security protocols. That leaves storage and backup systems as the last line of defense. And attackers know it.
Through a Hacker’s Eyes
Look through a hacker’s eyes and you’ll see how appealing a target storage is. You could tap into the storage or backup plane to obtain a copy of the active directory server and spin it up in a testbed or sandbox environment—which probably is far less rigorously controlled. Now you can fire up an unmonitored VM using the copies, and break your way into production data. If the organization also uses cloud storage for offsite backup, you might try to alter the backup policy to piggyback the data you covet into one of those offsite data sets. Since data loss prevention (DLP) tools rarely (if ever) supervise storage and backup traffic—much less so from the cloud side—you’ll likely never notice your entire environment got cloned.
In another scenario, you might alter the configuration of an insufficiently secure storage system to map the disks of mission-critical databases or applications to servers you control. Now the data is concurrently visible by both the original production servers and yours, and you can use the unmonitored path you’ve just created to modify production data without tripping any wires. For those wondering how and why: Storage IO (that often uses non-IP protocols) is hardly ever monitored and threat detection tools typically rely on software agents deployed on production servers (which, of course, you took care not to deploy on yours).
Not motivated by money? If you’re a hacktivist or executing a nation–state attack looking to kneecap a large bank or utility provider, you’ll want to eradicate any chance of recovery by emptying all stored data. In addition to destroying snapshots, shadow copies and even backup systems that protect storage devices, you could also execute denial-of-service (DoS) attacks of storage networks and storage arrays. The latter is especially devastating because a single overloaded array can immediately cripple thousands of servers and an overloaded SAN can bring down the entire production environment all at once.
Yes, these are highly destructive scenarios—but they’re plausible ones, too, when security is left unguarded. Recently, we saw 10,000 data center attacks in a single week. Given the number of companies that pay ransoms, it’s clear these attacks are successful, which tells us these companies aren’t adequately protecting their security.
Shortfalls in Storage Security
First, let’s look at a few reasons why storage attacks are often so successful. Three organizational mistakes are a high priority:
- Assuming storage isn’t a target. Maybe your team thinks storage is too obscure to worry about. It’s in the back end of the infrastructure and only a few people have access; it’s not even connected to the internet. So why bother to spend time, effort or money protecting it, right?
- Underestimating data value. Too many IT professionals think storage is a basket of dusty, outdated information. But in 2021, data is a company’s lifeblood—and losing it can mean bankruptcy. Digital transformation has also amplified the scope and scale of backup and storage from a device-by-device basis to an organizational basis, giving successful attackers the entire dataset.
- Unfamiliarity with the complexity. Consider how many different types of storage services there are. Storage is comprised of block, device and file systems, object storage, databases, container images, network shares and many, many other services. Storage devices from multiple vendors can be involved, each providing different tiers of storage and using different management consoles. The security team may not know all the details, protocols and entry points or the dependencies and trust relationships between storage objects and backup objects and servers. Without a complete grasp of the attack surface, it’s easy to leave a layer unhardened—or inadvertently open an unknown number of attack vectors.
Six Ways to Improve Storage Security
Whatever the status of your current storage system, the following six steps can help you correct vulnerabilities and operate from a more informed standpoint.
1. Reevaluate your incident response plan.
What happens if attackers delete all backups and copies? What if someone gets the credentials of a storage array and deletes the data of 10,000 servers at once? The potential for damage is vast. Does your incident response plan account for all of this?
2. Calculate the business value of your data.
C-suite executives and risk and compliance officers often don’t know how much their data is worth. Look at your data as a business asset; what would it cost your organization to lose it? Once you have an accurate price tag, allocate security resources accordingly.
3. Designate ownership.
There’s an unfortunate trend of storage experts claiming security isn’t their problem while security experts point the finger of responsibility back at the storage team. Clearly define ownership and hold teams accountable for the progress of your storage security program.
4. Close the knowledge gap.
Inventory your storage assets and thoroughly understand their dependencies and components to get true visibility into your environment. There are lots of amazing resources out there, such as Security Guidelines for Storage Infrastructure from the National Institute of Standard Technology (NIST).
5. Build a plan.
To harden all layers and minimize your attack surface, you’ll want to define security baselines and automate their enforcement and validation, just as you would for operating systems or user management. Automation can position you to quickly correct vulnerabilities and drastically reduce the windows of opportunity for hackers to get in.
6. Seek outside help as needed.
Given the complexity of storage and security, it’s always helpful to tap the experts for advice. They’ll know best practices that can save you time and money and can share the latest threats and trends.
Securing Storage Systems Means Peace of Mind
No one expects the unthinkable to happen. But thoroughly executed data-targeted attacks devastate organizations every day. Storage systems may not be top of mind when it comes to cybersecurity, but it’s time to give them the protection they deserve—and ensure that you can count on bringing back your data and resuming operations when it matters most.