Storage 101: Data Security and Privacy

No discussion about storage is complete without thinking about security of the data. In this article, Robert Sheldon explains what must be considered to protect data in today's world.

The series so far:

  1. Storage 101: Welcome to the Wonderful World of Storage
  2. Storage 101: The Language of Storage
  3. Storage 101: Understanding the Hard-Disk Drive 
  4. Storage 101: Understanding the NAND Flash Solid State Drive
  5. Storage 101: Data Center Storage Configurations
  6. Storage 101: Modern Storage Technologies
  7. Storage 101: Convergence and Composability 
  8. Storage 101: Cloud Storage
  9. Storage 101: Data Security and Privacy 
  10. Storage 101: The Future of Storage
  11. Storage 101: Monitoring storage metrics
  12. Storage 101: RAID

Most discussions around storage inevitably lead to the topics of data security and privacy. You cannot operate in today’s climate without careful attention to both. If data protection is not built into your storage infrastructure, you’re doing something wrong.

Data protection is an ongoing, organization-wide effort in which storage plays a key role. A secure storage infrastructure is essential to safeguarding sensitive information. Even so, it takes more than secure storage to guarantee the data’s safekeeping throughout its lifespan. For that, an organization needs a comprehensive data protection strategy that takes into account all aspects of data management, including how data is stored.

Securing Data and Protecting Privacy

For many organizations, their most important asset is their data, the bulk of which must be protected against unauthorized access. The data might include intellectual property, legal documents, passwords, encryption keys, personally identifiable information (PII), or a variety of other sensitive material.

An organization that handles sensitive data should have a comprehensive data protection strategy in place to contend with potential threats. Unfortunately, the exact meaning of data protection is not always clearcut and can vary depending on usage and circumstances. It might refer to securing data, safeguarding privacy, protecting storage systems, implementing disaster recovery (DR), or any combination of these.

According to the SNIA (formerly the Storage Networking Industry Association), data protection is the “assurance that data is not corrupted, is accessible for authorized purposes only, and is in compliance with applicable requirements.” In other words, data protection goes beyond just encrypting data or guaranteeing its availability. Data protection ensures that the data remains viable, is safeguarded against all unauthorized access at all times, and is controlled in a way that adheres to applicable compliance laws and regulations, e.g., local, provincial, and federal.

In this view of data protection, storage security is only part of a larger effort to keep sensitive data out of the wrong hands, while ensuring its accuracy and availability to authorized users. To this end, you’ll sometimes see storage security described in terms of confidentiality, integrity, and availability—or CIA—which go hand-in-hand with the larger goal of data protection.

A comprehensive data protection strategy ensures both data security and data privacy. Although the two are related, they’re not the same. Data security protects sensitive information from unauthorized access and from loss and corruption, whether intentional or accidental. Data privacy refers to the appropriate handling of PII and the rights of individuals to control and access their personal information.

With the increasing number of regulations that govern PII, organizations are under greater pressure than ever to protect confidential information and provide a full accounting of how it’s managed. Regulations can vary from region to region and differ significantly. Many organizations operate across multiple regions, making them subject to a mix of governing laws. The General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA), and California Consumer Privacy Act (CCPA) are only some of the regulations that organizations now face. Even if an organization operates in only one region, they can still be subject to a confusing mix of laws.

Despite the differences between regulations, however, they all share one core requirement: the organization must implement strict security controls that ensure personal information cannot be compromised while under its control. Most also define other obligations, such as retention or auditing requirements, but data protection lies at the heart of each one, which is why data security and privacy are intrinsically linked.

The Cybersecurity Threat Landscape

Data is not only an asset. It’s a burden. A data breach can lead to lost revenue, stiff penalties, downtime, legal liabilities, loss of intellectual property, unexpected expenses, and a tarnished reputation from which a company might never recover. No organization is immune to the potential threats that await them, from both inside and outside their domains.

External threats can come from governments, organized crime, terrorists, cybercriminals, competitors, or everyday hackers looking for a bit of sport or profit. And threats can arrive in many forms, often implemented through social engineering strategies that attempt to introduce malware or ransomware or steal user credentials.

Figure 1. The challenges of data security (image by madartzgraphics)

Attackers might also go after an organization’s networks or systems directly, leveraging vulnerabilities to carry out SQL injections, denial-of-service attacks, or other nefarious acts in an attempt to steal data or bring down operations. Their reasons for attacking an organization can vary. They might want to damage the organization’s credibility, acquire sensitive information for competitive advantages, access government secrets, or make money by selling stolen data or locking up systems until a ransom is paid.

Victims of cybercrime range from individuals, households, and small municipalities to multinational corporations, including Twitter, Facebook, Yahoo, Equifax, eBay, LinkedIn, and Marriott International. And the threats don’t only come from external players. Organizations must also guard against internal threats, whether from disgruntled or greedy employees, malicious insiders, or careless staff falling victim to weak IT security policies. Data compromised as a result of internal behavior can be just as devastating as an external attack.

Many organizations are also turning to the cloud to store data and support their workloads. Although cloud platforms can often be more secure than an organization’s own environment, they also add storage and data complexity, while increasing data exposure. An organization must rely completely on the provider to ensure that data is being protected from internal and external threats. At the same time, the cloud raises compliance concerns, especially when spanning multiple regions.

Organizations must also contend with the increased risks that come with a remote workforce, whose numbers have grown dramatically with COVID-19. The more people working offsite, the more difficult it becomes to ensure that sensitive data is not being exposed when it is transferred or stored. A home worker might use an unsanctioned cloud service, mislay a peripheral device that contains business data, collaborate on a project through an insecure platform, or engage in other risky behavior. Even under the best circumstances, few home offices can achieve the same level of physical security you get in a data center.

Implementing a Data Protection Strategy

To ensure data security and privacy, you need a comprehensive plan that specifies how data will be protected both at rest and in motion. As part of this process, you should develop policies that define where data can be stored, who can access it, and what levels of protection the data requires. The policies should also address such issues as when data is deleted, what happens when an employee is terminated, how to handle a data breach and any other issues related to data protection.

Another important part of the planning process is to conduct a thorough assessment of your current data environment to identify potential risks and the steps that must be taken to mitigate those risks. You need to know where sensitive data is located, how it’s being used, and who can access it. You should also look for issues such as whether sensitive data is being transmitted as cleartext, credentials are being sent in an unencrypted format, or users are accessing internal web services via insecure HTTP.

From this assessment, you’ll have a good sense of what data you have and where it’s located. You can then classify the data based on security and compliance requirements. This will help you determine what levels of access to assign to each data type, as reflected in your security policies. Public data, for example, requires far less security than data covered by HIPAA or the GDPR or data governed by national security laws.

If your organization is subject to multiple regulations, you might consider a protection-by-default approach for personal data, rather than trying to create too many data classifications. For example, one regulation might require that you protect user IP addresses, while another does not. It might be better to create a single category that covers both. Too many data categories complicate data management, and that complexity in turn raises the risk of regulatory violations.

A simpler category structure can also make it easier to address other compliance-related issues, such as providing users with visibility into their PII or supporting their deletion requests. At the same time, you must still take into account issues such as data retention and disposal requirements, which might force you to create additional categories.

Another part of the planning process is to ensure that you have the tools you need to safeguard your systems and their data. For example, you might implement a data loss prevention (DLP) solution to help automatically discover, monitor, and protect sensitive data. You might benefit from an intrusion detection system (IDS) that identifies traffic anomalies and warns you if something doesn’t look right.

Essential tools for protecting your data include anti-malware, anti-ransomware, and anti-spyware, as well as protections such as firewalls and proxy servers. And, of course, you want to be sure you deploy the proper storage protections. For example, you might implement RAID and other redundancies to provide storage fault tolerance, which can help protect against intentional or unintentional data destruction.

There are plenty of other tools as well. Just remember that no one solution can address all your data protection requirements, and you’ll have to come up with just the right mix to meet your specific needs.

Protecting Data and Privacy

Data protection must take into account both physical and operational security. Physical security ensures that unauthorized individuals cannot access the physical structures where the data is housed or the equipment within those structures. It also protects against circumstances that could lead to data loss, such as power failures or natural disasters. To implement physical security, an organization might employ backup and restore protocols, CCTV monitoring, biometric readers, geofencing, backup generators, and numerous other protections.

Organizations must also protect the individual systems within their secure structures, such as servers or workstations. No one on the inside should be able to walk off with equipment or get at their internal workings unless they’re authorized to do so. IT teams must also take steps to protect portable devices that leave the premises, such as laptops, tablets, or cell phones. This typically means implementing a mobile device management strategy that supports such features as remote lock or remote wipe.

In addition to ensuring physical security, organizations must implement operational protections, which provide the technical safeguards necessary to protect the data itself. This starts with using strong, well-vetted encryption algorithms to protect sensitive data both at rest and in motion. In addition, IT teams might consider such tools as tokenization or data masking for further protection. They should also have in place a system for securely storing and managing encryption keys.
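To make the tokenization and masking mentioned above concrete, here is an added example (my own code, not the article's or any vendor's) of the two techniques side by side. Tokenization replaces a value with a random token and keeps the only token-to-value mapping in a separate vault, so application databases hold tokens rather than card numbers; the vault's lookup key, the in-memory dictionary and the `protect_record` policy are all constructed for the example. In a real deployment the vault would sit on its own tightly controlled system with its contents encrypted under keys held in a key management service. Masking, by contrast, is irreversible and is what you show on screens and in reports.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Holds the only mapping between tokens and the original values.

    Constructed for this example: the mapping is an in-memory dict so the code
    runs stand-alone. In production it would be a separately secured store.
    """

    def __init__(self, lookup_key: bytes):
        self._by_token = {}        # token -> original value
        self._by_fingerprint = {}  # keyed fingerprint of value -> token
        # Separate key used only to recognise a value seen before, so the vault
        # never stores a plain (offline-guessable) hash of the PII.
        self._lookup_key = lookup_key

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for a value, or mint a new random one."""
        fp = self._fingerprint(value)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        # The token is random, so it carries no information about the value.
        token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = value
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse a token. Only callers permitted to reach the vault can do this."""
        return self._by_token[token]


def mask_card_number(pan: str) -> str:
    """Irreversible masking: keep only the last four digits for display."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = address.partition("@")
    return local[0] + "***@" + domain


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Constructed policy: card numbers are tokenized (reversible only through
    the vault), e-mail is masked for display, and the name is left as is."""
    return {
        "name": record["name"],
        "card": vault.tokenize(record["card"]),
        "email": mask_email(record["email"]),
    }


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test value.
    vault = TokenVault(lookup_key=b"constructed-lookup-key")
    customer = {"name": "Jane Doe", "card": "4111 1111 1111 1111", "email": "jane.doe@example.com"}
    stored = protect_record(customer, vault)
    print(stored)
    print("display:", mask_card_number(vault.detokenize(stored["card"])))
```

The important design point is the separation: the application holds tokens, the vault holds values, and the keyed fingerprint lets the vault return the same token for a repeat value without keeping an unkeyed hash that could be brute-forced offline.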

Another important component of operational security is role-based access control, which determines who can and who cannot view or modify specific sets of data. Access should be based on the principle of least privilege, that is, individuals should be granted only the access they need to do their jobs—and no more. In conjunction with access control, IT should also implement such safeguards as multi-factor authentication or virtual private networks (VPNs), as appropriate, to further protect data access.

An effective data protection strategy also requires a comprehensive infrastructure for continuously monitoring sensitive data, issuing real-time alerts, and generating comprehensive reports on-demand. All data access and modifications should be logged, with an auditing system in place to determine who accessed what data and when that access took place.
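The two paragraphs above, least-privilege role-based access control and the logging and alerting that sits beside it, can be shown in one small model. This is an added example of my own, not code from the article or any product it names; the roles, data classifications, datasets and the three-denials alert threshold are all constructed. Every decision, allowed or denied, is written to the audit log, which is what lets an auditor answer who accessed which data and when, and lets a monitor raise an alert when one user keeps being refused.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Classification(Enum):
    PUBLIC = 1
    INTERNAL = 2
    PII = 3


# Constructed role definitions. Least privilege: each role lists only the
# (classification, action) pairs the job actually needs, nothing broader.
ROLE_PERMISSIONS = {
    "analyst": {
        (Classification.PUBLIC, "read"),
        (Classification.INTERNAL, "read"),
    },
    "hr_admin": {
        (Classification.PUBLIC, "read"),
        (Classification.INTERNAL, "read"),
        (Classification.PII, "read"),
        (Classification.PII, "write"),
    },
    "auditor": {
        (Classification.PUBLIC, "read"),
    },
}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    dataset: str
    action: str
    allowed: bool


@dataclass
class AccessController:
    datasets: dict                        # dataset name -> Classification
    audit_log: list = field(default_factory=list)

    def check(self, user: str, role: str, dataset: str, action: str) -> bool:
        """Decide an access request and record the decision either way."""
        classification = self.datasets[dataset]
        # Unknown roles get the empty permission set: deny by default.
        allowed = (classification, action) in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, dataset, action, allowed))
        return allowed

    def denied_events(self):
        return [e for e in self.audit_log if not e.allowed]

    def events_for_dataset(self, dataset: str):
        """The auditor's question: who touched this dataset, and when."""
        return [e for e in self.audit_log if e.dataset == dataset]

    def repeated_denials(self, threshold: int = 3):
        """Constructed alert rule: users refused at least `threshold` times."""
        counts = {}
        for e in self.denied_events():
            counts[e.user] = counts.get(e.user, 0) + 1
        return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ac = AccessController(datasets={
        "press_releases": Classification.PUBLIC,
        "sales_pipeline": Classification.INTERNAL,
        "employee_records": Classification.PII,
    })
    ac.check("alice", "analyst", "press_releases", "read")
    ac.check("alice", "analyst", "employee_records", "read")
    ac.check("bob", "hr_admin", "employee_records", "write")
    for e in ac.audit_log:
        print(e)
```

Note that the deny path is logged just as carefully as the allow path; in practice the repeated denials are often the more interesting signal, because they show someone probing for data their role was never meant to reach.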

Operational protections also include DR systems that ensure data can be made available in the event of data loss or corruption, no matter what the cause. At the same time, IT must be careful that their DR mechanisms, such as backups or replication, don’t violate applicable regulations. Also, they must ensure that PII can be accessed in a timely manner, if required by law, and that it adheres to retention and disposition rules.

The Ongoing Challenges of Data Protection

To implement effective data protections, an organization must take into account the entire data lifecycle, regardless of how the data is being used or where it resides—whether on a remote workstation, on a mobile device, in a data center, on a cloud platform, at a remote facility, or on a server in an office corner. Data protection must be a unified effort that moves beyond infrastructure boundaries to ensure that data is secure, and privacy is protected at all times and under all circumstances.

One of the most important tools that organizations have for protecting data is an effective training and education program that helps employees understand the risks involved with handling data and the steps they can take to minimize those risks. Everyone in an organization should have a clear understanding of that organization’s data usage policies and how best to protect sensitive data. All it takes is one careless act to create a data nightmare.

Data protection is an ongoing, all-encompassing process that extends from the backend storage systems to the smartphones that employees carry in their pockets. Storage security is an integral part of this process and can serve as your last line of defense against intrusion. That said, storage security cannot protect against all risks, just like a firewall alone can’t eliminate all network threats. Any place where data might reside or that provides a means for its access should be considered a potential risk and dealt with accordingly.