
Don’t rely on your Storage & Backup Vendors for Security

I hear this a lot: 

“Why do I need to scan my storage & backup systems for security risks? Don’t my storage vendors already do this for me?”

Those same people believe that since their storage & backup vendors already provide patching and ongoing upgrades, they must also check for vulnerabilities. 

Let me shed some light on this myth.  

While storage vendors provide excellent tools to manage the availability and performance of storage systems, they DO NOT provide the same for the security of those systems.

Some storage and backup vendors publish security best practice guides. However, implementing and monitoring the security features and configurations those guides describe is the responsibility of the organization's Infrastructure and/or Security departments.

It’s time to get in the driver’s seat

Challenges can often arise when the infrastructure team overestimates the responsibility of their storage and backup vendor.  

They assume it provides more than it really does – especially when it comes to security.  

In reality, it’s more like a car rental service:  

It provides you with the car, but you’re responsible for driving it. The car rental provider isn’t checking to see if your seatbelt is on.  

The responsibility lies with the driver or the passengers. In our case, it’s the organization’s infrastructure or security teams – not the storage and backup vendors.  

If you want anything more than the standard safety features it offers, that’s down to you. 

Many storage and backup systems ship with insecure default settings, and customers must enable and correctly configure a range of settings to secure them.

Storage & backup vendors are benchmarked on performance. So it's not surprising that vendors are, by their very nature, not enthusiastic about enabling additional security features, some of which can carry a performance cost.

There are no tools from the storage and backup vendors that automatically scan and validate security configurations – such as authentication config, access control settings, ransomware preparedness config, administrative access, encryption, and other security configuration categories.  

In addition, when it comes to CVEs, vendors publish security advisories from time to time, but they do not provide automated scanning and detection.
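As an added example (not StorageGuard's or any vendor's code), here is the kind of baseline check the text describes, run over a constructed configuration export that covers the categories named above. Every field name and the retention threshold are assumptions made for this example, not a real management-API schema.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str  # one of the categories named in the text
    check: str     # short identifier of the failed check
    detail: str

# Constructed sample export. Field names are assumptions made for this
# example, not any vendor's real management-API schema.
SAMPLE_CONFIG = {
    "auth": {"default_admin_password_changed": False, "mfa_enabled": False},
    "access": {
        "nfs_exports": [{"path": "/vol/db", "hosts": "*", "root_squash": False}],
        "smb_signing_required": False,
    },
    "admin": {"mgmt_allowed_networks": ["0.0.0.0/0"]},
    "ransomware": {"snapshot_locking": False, "snapshot_retention_days": 3},
    "encryption": {"data_at_rest": False},
}
MIN_RETENTION_DAYS = 14  # assumed baseline threshold for this example

def check_config(cfg: dict) -> list[Finding]:
    """Return one Finding per setting that deviates from the baseline."""
    f: list[Finding] = []
    auth, acc, adm = cfg["auth"], cfg["access"], cfg["admin"]
    rw, enc = cfg["ransomware"], cfg["encryption"]
    if not auth.get("default_admin_password_changed"):
        f.append(Finding("authentication", "default-credentials", "factory admin password still in use"))
    if not auth.get("mfa_enabled"):
        f.append(Finding("authentication", "no-mfa", "MFA disabled for management logins"))
    for exp in acc.get("nfs_exports", []):
        if exp.get("hosts") == "*":
            f.append(Finding("access-control", "nfs-world-export", f"{exp['path']} exported to all hosts"))
        if not exp.get("root_squash", True):
            f.append(Finding("access-control", "nfs-no-root-squash", f"{exp['path']} allows remote root"))
    if not acc.get("smb_signing_required"):
        f.append(Finding("access-control", "smb-signing-optional", "SMB signing not enforced"))
    for net in adm.get("mgmt_allowed_networks", []):
        if ipaddress.ip_network(net, strict=False).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            f.append(Finding("administrative-access", "mgmt-open", f"management reachable from {net}"))
    if not rw.get("snapshot_locking"):
        f.append(Finding("ransomware-preparedness", "snapshots-mutable", "snapshots can be deleted before expiry"))
    if rw.get("snapshot_retention_days", 0) < MIN_RETENTION_DAYS:
        f.append(Finding("ransomware-preparedness", "short-retention", f"retention below {MIN_RETENTION_DAYS} days"))
    if not enc.get("data_at_rest"):
        f.append(Finding("encryption", "no-at-rest-encryption", "data-at-rest encryption disabled"))
    return f
```

Running `check_config(SAMPLE_CONFIG)` yields nine findings across all five categories; a hardened export yields none, which is the continuous-validation loop a security team has to own itself.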

What could possibly go wrong?!

Storage and backup systems are central data systems that retain petabytes of data.  

If compromised, an enormous amount of production data will be affected. A compromised storage system is the equivalent of breaching hundreds of database servers!  

In addition, storage and backup systems are the final line of defense against ransomware and other cyberattacks. If compromised, valid snapshot and backup data copies will not be available for the cyber-recovery process.   

Where do I go from here?

Our CTO, Doron Pinhas, co-authored the recent NIST ‘Security Guidelines for Storage Infrastructure’. It is a great resource, offering a set of recommendations for the secure deployment, configuration, and operation of storage resources.

I also suggest learning about our product, StorageGuard. 

StorageGuard is the only solution that provides continuous validation for storage and backup security.  

It scans storage and backup systems and automatically detects security configuration issues and vulnerabilities, using a vast knowledge base of automatic checks.

The automatic checks are continuously updated based on vendor security best practice guides, industry standards (NIST, CIS, SNIA, ISO, PCI and others), community-driven baseline guidelines and found vulnerabilities.  

Check out this 40-second video of StorageGuard to see how it could help you. 

Let me put it another way.  

Without any way to continuously validate storage and backup security, your storage and backup systems are likely to contain security misconfigurations and vulnerabilities that attackers can exploit to compromise production and recovery systems and the data on them.

Click here to see some examples of recent news headlines. 


*** This is a Security Bloggers Network syndicated blog from Continuity™ authored by Yaniv Valik. Read the original post at: https://www.continuitysoftware.com/blog/dont-rely-on-your-storage-backup-vendors-for-security/