Data Security vs Data Protection
DevSecOps, An Approach That Makes Everyone In The Organization Responsible For Security.
Data storage security is a subset of the larger IT security field, and it is specifically focused on securing storage devices and systems.
The Storage Networking Industry Association (SNIA) Dictionary offers the following, more technical definition of data storage security:
Storage Security: Application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them. Storage security is focused on protecting data (and its storage infrastructure) against unauthorized disclosure, modification or destruction while assuring its availability to authorized users. These controls may be preventive, detective, corrective, deterrent, recovery or compensatory in nature.
The SNIA also notes that secure storage "may also be the last line of defense against an adversary, but only if storage managers and administrators invest the time and effort to implement and activate the available storage security controls."
For storage administrators and managers, ensuring proper data storage security is a careful balancing act. They must weigh three primary concerns covered by the acronym CIA: confidentiality, integrity and availability. They must keep sensitive data out of the hands of unauthorized users and they must assure that the data in their systems is reliable, while also making sure that data is available to everyone in the organization who needs to access it.
Several recent trends are increasing enterprise interest in data security.
Key Drivers for Data Storage Security:
- Data Growth — According to IDC, the amount of data stored in the world's computer systems is roughly doubling every two years. For enterprises, that means constantly needing to add new storage in order to keep up with business needs. And as storage volumes grow, they become more valuable as targets and more difficult to protect.
- Cyberattack Growth — The Verizon 2018 Data Breach Investigations Report uncovered 53,000 security incidents last year, including 2,216 data breach incidents — and that's only a fraction of the actual events experienced by organizations.
A recent report from a UK government agency found that 2017 had more cyberattacks than any other year on record. New attacks seem to be in the news nearly every day, and that has businesses worried about their security posture.
- Cost of Data Breaches — Recovering from a data breach is incredibly expensive. The Ponemon Institute 2017 Cost of a Data Breach Study found that companies experiencing breaches spent an average of $3.62 million, or about $141 per record lost, to recover from incidents in 2017. Those expenses can be a powerful encouragement to improve data security.
- Increasing Data Value — Because of the rise of big data analytics, organizations are more aware than ever of the value of their data. According to Gartner, the big data analytics market grew by as much as 63.6 percent in recent years, and by 2020, enterprises will likely spend $22.8 billion on tools to help them uncover valuable insights in their data. But in order for analytics to prove useful, enterprises need to be able to ensure the veracity of their data, and that means investing in security.
- Edgeless Networks — With emerging trends like cloud computing and the Internet of Things (IoT), enterprises now have data spread out in more places than ever before. Corporate networks no longer have a hard edge that organizations can define and protect with firewalls. Instead, they must rely more strongly on defense in depth, including storage security, to protect their information.
- Regulation — Governments are taking an increasing interest in data security and passing stronger laws as a result. The EU's General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, is forcing companies around the world to take stronger measures to protect customer privacy, and that will impact storage security as well.
- Need For Business Continuity — 2017 was a record year for natural disasters in the US, highlighting the need for business continuity and disaster recovery capabilities. This is driving demand for secure backup and other storage security technologies.
- DevSecOps Approaches — According to Forrester, 63 percent of organizations have already implemented DevOps, and another 27 percent are planning to do so. As DevOps grows, more companies are becoming interested in DevSecOps, which integrates security into the approach and spreads responsibility for security throughout the organization — including the data storage team.
Data Storage Systems
Data Storage Security Has Inherent Vulnerabilities In Storage Systems.
- Lack of Encryption — While some high-end NAS and SAN devices include automatic encryption, plenty of products on the market do not include these capabilities. That means organizations need to install separate software or an encryption appliance in order to make sure that their data is encrypted.
- Cloud Storage — A growing number of enterprises are choosing to store some or all of their data in the cloud. Although some argue that cloud storage is more secure than on-premises storage, the cloud adds complexity to storage environments and often requires storage personnel to learn new tools and implement new procedures in order to ensure that data is adequately secured.
- Incomplete Data Destruction — When data is deleted from a hard drive or other storage media, it may leave behind traces that could allow unauthorized individuals to recover that information. It's up to storage administrators and managers to ensure that any data erased from storage is overwritten so that it cannot be recovered.
- Lack of Physical Security — Some organizations don't pay enough attention to the physical security of their storage devices. In some cases they fail to consider that an insider, like an employee or a member of a cleaning crew, might be able to access physical storage devices and extract data, bypassing all the carefully planned network-based security measure
Data Security Best Practices
Experts Recommend That Organizations Implement The Following Data Security Best Practices:
- Data Storage Security Policies — Enterprises should have written policies specifying the appropriate levels of security for the different types of data that they have. Obviously, public data needs far less security than restricted or confidential data, and the organization needs to have security models, procedures and tools in place to apply appropriate protections. The policies should also include details on the security measures that should be deployed on the storage devices used by the organization.
- Access Control — Role-based access control is a must-have for a secure data storage system, and in some cases, multi-factor authentication may be appropriate. Administrators should also be sure to change any default passwords on their storage devices and to enforce the use of strong passwords by users.
- Encryption — Data should be encrypted both while in transit and at rest in the storage systems. Storage administrators also need to have a secure key management system for tracking their encryption keys.
- Data Loss Prevention — Many experts say that encryption alone is not enough to provide full data security. They recommend that organizations also deploy data loss prevention (DLP) solutions that can help find and stop any attacks in progress.
- Strong Network Security — Storage systems don't exist in a vacuum; they should be surrounded by strong network security systems, such as firewalls, anti-malware protection, security gateways, intrusion detection systems and possibly advanced analytics and machine learning based security solutions. These measures should prevent most cyberattackers from ever gaining access to the storage devices.
- Strong Endpoint Security — Similarly, organizations also need to make sure that they have appropriate security measures in place on the PCs, smartphones and other devices that will be accessing the stored data. These endpoints, particularly mobile devices, can otherwise be a weak point in an organization's cyberdefenses.
- Redundancy — Redundant storage, including RAID technology, not only helps to improve availability and performance; in some cases, it can also help organizations mitigate security incidents.
- Backup and Recovery — Some successful malware or ransomware attacks compromise corporate networks so completely that the only way to recover is to restore from backups. Storage managers need to make sure that their backup systems and processes are adequate for these types of events, as well as for disaster recovery purposes. In addition, they need to make sure that backup systems have the same level of data security in place as primary systems.
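The written policy, access control, encryption and backup items above can be checked mechanically against a storage inventory. The following is an added example, not part of the original article: the classification tiers follow the public/restricted/confidential split mentioned above, while the control names, the `StorageSystem` record and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical written policy: controls required for each data classification.
POLICY = {
    "public": {"default_password_changed"},
    "restricted": {"default_password_changed", "rbac",
                   "encrypted_at_rest", "encrypted_in_transit"},
    "confidential": {"default_password_changed", "rbac", "mfa",
                     "encrypted_at_rest", "encrypted_in_transit", "dlp_monitored"},
}

@dataclass
class StorageSystem:
    name: str
    classification: str                       # most sensitive data type it holds
    controls: set = field(default_factory=set)
    backup_of: str = ""                       # primary system name, if a backup target

def audit(inventory):
    """Return {system name: [findings]} for every system that violates POLICY."""
    by_name = {s.name: s for s in inventory}
    findings = {}
    for s in inventory:
        issues = []
        required = POLICY.get(s.classification)
        if required is None:
            issues.append(f"unknown classification '{s.classification}'")
            required = POLICY["confidential"]  # fail closed: assume strictest tier
        if s.backup_of:
            primary = by_name.get(s.backup_of)
            if primary is None:
                issues.append(f"backup of unknown system '{s.backup_of}'")
            else:
                # A backup needs at least the protection of the system it copies.
                required = required | POLICY.get(primary.classification, POLICY["confidential"])
        issues += [f"missing control: {c}" for c in sorted(required - s.controls)]
        if issues:
            findings[s.name] = issues
    return findings

# Constructed sample inventory (not real systems).
INVENTORY = [
    StorageSystem("nas-web", "public", {"default_password_changed"}),
    StorageSystem("san-hr", "confidential", set(POLICY["confidential"])),
    StorageSystem("san-finance", "restricted", {"rbac", "encrypted_at_rest", "encrypted_in_transit"}),
    StorageSystem("tape-hr-backup", "public", {"default_password_changed", "rbac", "encrypted_in_transit"}, backup_of="san-hr"),
]
```

Calling `audit(INVENTORY)` flags the restricted array that still has its default password and the backup target that is labelled public but holds a copy of confidential data.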
Cyber Security and Data Center Consolidation
Business leaders are laying out clear mandates for their IT departments as they navigate the current economy. IT infrastructure has to consolidate to save energy costs, and it has to host more applications, share resources across different departments, and become more secure.
Chief information officers (CIOs) translate these requirements into fewer data centers and consolidated server, networking, and storage resources that can host multiple applications shared by diverse departments. They want IT to operate as a service, like large public service providers.
Cyber security is more than a collection of virus protection programs. It’s an evolving system of processes, software, and techniques that defend your company from unauthorized data usage. Data breaches, and even a potential data leak, are bad for business and productivity. Customers lose faith in companies when they think their data isn’t secure, and network vulnerabilities can play havoc with your internal business systems.