[BreachExchange] Data Storage Security: Best Practices for Security Teams

[Destry Winant]

https://www.esecurityplanet.com/cloud/data-storage-security.html

Data storage security involves protecting storage resources and the
data stored on them – both on-premises and in external data centers
and the cloud – from accidental or deliberate damage or destruction
and from unauthorized users and uses. It's an area that is of critical
importance to enterprises because the majority of data breaches are
ultimately caused by a failure in data storage security.

Well-designed data storage security is also mandated by various
compliance regulations such as PCI-DSS and the EU's General Data
Protection Regulation (GDPR), thus adding legal weight to storage
security demands. Increasingly, security companies are tailoring
security solutions to help companies comply with those regulations,
such as the growing market for GDPR solutions.

In general, good data storage security minimizes the risk of an
organization suffering data theft, unauthorized disclosure of data,
data tampering, accidental corruption or destruction, and seeks to
ensure accountability and authenticity of data as well as regulatory
and legal compliance.

Threats to data security

Before looking at how to implement data storage security, it is
important to understand the types of threats organizations face.

Threat agents can be divided into two categories: external and internal.

External threat agents include:

- Nation states
- Terrorists
- Hackers, cybercriminals, organized crime groups
- Competitors carrying out "industrial espionage"

Internal threat agents include:

- Malicious insiders
- Poorly trained or careless staff
- Disgruntled employees

Other threats include:

- Fire, flooding and other natural disasters
- Power outages

Data storage security principles

At the highest level, data storage security seeks to ensure "CIA" –
confidentiality, integrity, and availability.

- Confidentiality: Keeping data confidential by ensuring that it
cannot be accessed either over a network or locally by unauthorized
people is a key storage security principle for preventing data
breaches.
- Integrity: Data integrity in the context of data storage security
means ensuring that the data cannot be tampered with or changed.
- Availability: In the context of data storage security, availability
means minimizing the risk that storage resources are destroyed or made
inaccessible either deliberately – say during a DDoS attack – or
accidentally, due to a natural disaster, power failure, or mechanical
breakdown.

How to protect data storage assets

The relevant international standard for storage security is ISO/IEC
27040, which calls for the application of physical, technical and
administrative controls to protect storage systems and infrastructure
as well as the data stored within them. It notes that these controls
may be: preventive; detective; corrective; deterrent; recovery; or
compensatory in nature.

The bottom line, according to the Storage Networking Industry
Association (SNIA) is that ISO/IEC 27040 defines best practices that
ultimately set the minimum expectations for storage security.

Data storage security: Physical controls

Physical controls are designed to protect storage resources and the
data they contain from physical, as opposed to logical, access by
unauthorized or malicious persons.

These physical controls come in many forms but may include:

- Guards or other security personnel monitoring data centers and
storage resources to prevent unauthorized access
- CCTV monitoring with video retention
- Access controls such as biometric readers or smart card readers to
prevent unauthorized access, along with anti-tailgating/anti pass-back
turnstile gates that permit only one person to pass through after
authentication
- Internal environment monitoring using systems such as temperature
sensors and smoke detectors
- Alternative power sources such as a backup generator

Data storage security: Technical controls

Technical controls include many of the security procedures that are
familiar to IT security professionals such as network perimeter
security measures, intrusion detection and prevention systems,
firewalls, and anti-malware filtering.

In relation to data storage security in particular, the following
controls are recommended:

User authentication and access controls: SNIA recommends focusing much
of the data storage security effort on user authentication and access
controls to help provide secure access to authorized users while
keeping unauthorized users out. Many commercial user access and
control security systems are available to protect storage resources
and data, and best practices dictate taking the following precautions
in particular when using them:

- Changing all default credentials
- Avoiding the use of shared credentials, which make accountability
difficult or impossible
- Ensuring that users have the minimum privileges they need to carry
out their role
- Ensuring that user access rights are retired automatically as part
of the HR termination process when employees leave or are transferred
to a new role

Traffic profiling: One of the most useful controls that can be applied
to data storage security is the profiling of normal data access and
movement patterns so that anomalous or suspicious behavior can be
detected and flagged for closer investigation. This can be achieved
using user and entity behavior analytics (UEBA) software, which is
increasingly being incorporated into security information and event
management (SIEM) solutions.

Monitoring and reporting: SNIA recommends implementing effective
monitoring and reporting capabilities, including enabling application
as well as systems logs, to help detect and understand security
breaches and prevent similar ones in the future.

Protection of management interfaces: Many organizations set controls
to protect data storage resources and data from unauthorized access
while forgetting to secure the management systems themselves. This
could enable an attacker to set themselves up with access credentials
or elevate their privileges, enabling them to access data that they
should not.

This is by no means a comprehensive list of technical controls. Other
storage security measures that should be considered include:

- Strong encryption for data both at rest in storage systems and in
motion on the network. This needs to be applied with an effective key
management system.
- Endpoint protection for all PCs, laptops and other devices that can
access data to minimize the risk of malicious software being installed
that could compromise stored data.
- Special measures to protect databases that contain credit card
information and other valuable or commercially sensitive data.
Database security best practices include database hardening, the use
of database firewalls, database activity monitoring and other database
security tools.
- Effective lifecycle management for data and storage devices, which
ensures that data is securely deleted (including from the cloud) when
no longer required. This follows the principal that attackers cannot
compromise data that is no longer there. A procedure should also be in
place for the secure deletion or destruction of obsolete storage
media.

Storage Security: Administrative controls

Administrative controls come down to the three Ps: Policy, Planning,
and Procedures, all of which play an important role in data storage
security. In particular, security policies for data should include
where different types of data can be stored, who can access it, how it
should be encrypted, and when it should be deleted.

SNIA recommends considering:

Incorporating storage considerations into policies after identifying
the most sensitive and business-critical data categories and their
protection requirements
Integrating storage-specific policies with other policies where possible
Addressing data retention and protection
Addressing data destruction and media sanitization
Ensuring that all elements of storage infrastructure comply with policies

Compliance considerations for data storage security

Depending on the industries your organization operates in, and the
countries in which it does business, your company may be subject to
one or more regulations that have implications for storage security,
including PCI-DSS, Sarbanes Oxley, HIPAA, and GDPR, among others.

Penalties for failing to protect data under these regulations can be
severe – including heavy fines and custodial sentences – yet in some
cases they do not prescribe specific security measures.

For example, encryption is mentioned in GDPR, but its use is not
mandatory. But in the case of a serious breach, the fact that
encryption was not used would reflect badly on an organization, and
could even be used to establish that insufficient measures were in
place to comply with GDPR.

Other regulations are more specific. For example, PCI-DSS requires
that cardholder data be encrypted when transmitted across open public
networks.

The key thing to remember is that regulations are designed to help
ensure that security is effective. Attaining regulatory compliance
does not mean that an organization is secure, but it is very rare that
measures taken to ensure compliance would make an organization less
secure than they otherwise would be.