Encryption is a fundamental element of building a secure storage system, but organizations need more than just encryption. Encryption protects data as long as an outside attacker cannot authenticate, but an attacker who compromises a user or admin account gains full access to the data. Cyber-secure systems need to take steps to reduce the potential for account compromise, alert administrators to a potential breach and take measures to recover from a breach.
Eliminating Dependency on Users and Administrators
Reducing the chance of compromising the storage system requires reducing the dependency on users and administrators. The first step is to reduce the number of super-user accounts. These accounts, standard in the enterprise, perform a variety of functions like data protection and data management. It is common for organizations to purchase software applications that perform these functions, and each of them requires super-user access. The more of these applications that are in use, the higher the chance of an account breach.
To reduce the number of super-user accounts, storage systems need to provide more services and not count on external applications. The primary storage system should protect itself by using snapshot technology and replicating those snapshots to a secondary storage system or to the cloud. IT should also make sure that the snapshots are secure, read-only copies of data, only accessible by the storage system. If the organization still desires a third-party backup solution, that application should only have access to the secondary storage system, not the primary, again reducing the number of accounts that have access to the primary storage system.
Data management, the process of moving older data to less expensive storage, could also be integrated into the primary storage software instead of requiring a separate stand-alone purchase. The data management software, using the same account used for data protection, could identify data not accessed for a user-defined time. It could then move qualifying data to a less expensive storage tier, either internal to the primary storage system, or to a second storage system, or the cloud. With the right primary storage solution, IT can reduce the number of super-user accounts down to one.
Another aspect of data management is data retention. Organizations increasingly need to maintain specific data sets for a legally required period. They also need to prove via reports that they are meeting data retention or deletion requirements.
With core capabilities like data protection and data management in place, the next step to reduce the potential for a breach is to automate the management of the storage system as much as possible. For example, the entire process of taking a snapshot and replicating that snapshot to another storage system should occur automatically on a user-defined schedule. There should be a complete set of policy-driven micro-services for each of the typical processes like data protection, data archiving, data retention and encryption. Even storage settings should automatically change based on the current condition of the data center.
Encryption is a critical aspect of creating a cyber-secure primary storage system, but limiting the number of super-user accounts is also critical in reducing the potential for compromising an account. Automation also plays a vital role because it reduces the frequency with which users need to interact with the system. Our next blog discusses the importance of real-time interactive reporting to deliver a clear picture of activity and complete file auditing.
In our on-demand webinar, “Three Reasons Storage Security is Failing and How to Fix it”, we discuss how to design a single storage system that can meet performance expectations, manage data to drive down costs, and integrate encryption to secure data, all while making sure data is adequately protected.