To meet this ever-evolving and unrelenting security challenge, organizations must be as proactive as they are innovative. All elements of an organization must work together. From the part-time intern to the CTO, from the firewalls to the networks – each part plays a critical role in the security posture of the organization. Data storage is no exception. In this post, we look at how IT teams can ensure that object storage in particular is optimized to increase security in organizations.
- Unstructured data in the context of object storage
- Cloud Object Storage: Flexibility and security are not mutually exclusive
- 1st option: authentication and access control
- 2nd option: encryption
- 3rd option: immutability
- Ransomware attacks: the question is not ‘if’ but ‘when’
Unstructured data in the context of object storage
By far the largest part of the data volume generated today is unstructured. These are, for example, images, videos, websites, audio files or streaming data that do not follow the conventional data models and are difficult to store and manage in a classic, relational database. According to IDC, unstructured data will account for up to 80 percent of all data by 2025.
With the proliferation of unstructured data, object storage has become a cornerstone of today’s IT environments. Government agencies, financial services firms, hospitals, academic organizations, and research institutions make extensive use of object storage. In these industries, ransomware attacks are a very real threat.
Cloud Object Storage: Flexibility and security are not mutually exclusive
Traditional storage solutions were never designed for the volumes of data that businesses manage today. Against this backdrop, the public cloud has been embraced across the board. Flexibility and scalability make the public cloud attractive, but it also has its downsides: it does not give users complete control over their infrastructure, performance may be inadequate, security depends on configuration and on a provider the customer does not fully control, and its economic benefits diminish as organizations grow and need to manage larger volumes of data, especially active data.
Modern businesses therefore need a secure, cost-effective solution that can grow with dynamic business requirements, scale, and provide data access for both existing and new cloud-native applications. Cloud Object Storage combines the simplicity, flexibility, and scalability of the public cloud with the security, performance, and control of an on-premises private cloud infrastructure.
Organizations that expect their IT environment to be attacked can put measures and processes in place to detect threats, protect their data, and recover it with minimal disruption when an attack happens. In this context, IT teams must ensure that their object storage is configured as a strong layer of protection. There are three ways to do this:
1st option: authentication and access control
Authentication refers to the mechanisms that ensure a user really is who they claim to be. In an object storage solution, users must be validated when accessing storage to confirm that they are authorized. Best practice is for each user to first set up an account and be issued an access key ID and a secret access key. The secret is never transmitted: every S3 API request, such as creating or reading an object, carries an HMAC-SHA256 signature computed from it over the request's method, path, headers and payload hash, and the storage system recomputes the signature with its own copy of the secret and compares. AWS calls this scheme Signature Version 4 (SigV4), and S3-compatible object stores implement the same protocol.
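The SigV4 exchange described above, as an added example that is not code from the original post or from any vendor's implementation: the client derives a scoped signing key and signs the canonical request, and the storage service recomputes the signature over what it actually received and compares it in constant time. The access key, secret, host name, object key and timestamp are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials for the example (the documentation placeholder
# format, not a live key). The secret never travels; only HMAC-SHA256 values
# derived from it are sent with each request.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key from the secret.
    The raw secret is never used to sign a request directly."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """Canonical form of the request. Every signed header and the payload hash
    are bound into the signature, so none of them can be altered in flight."""
    names = sorted(headers)
    signed = ";".join(names)
    canon_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    lines = [method, quote(path, safe="/-_.~"), canon_query, canon_headers, signed, payload_hash]
    return "\n".join(lines), signed


def sign_request(method, host, path, query, amz_date, region, service="s3",
                 payload=b"", access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Client side: headers for one S3 API call, including Authorization.
    amz_date is the ISO-8601 basic timestamp, e.g. 20240101T120000Z."""
    date = amz_date[:8]
    payload_hash = sha256_hex(payload)
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    canon, signed = canonical_request(method, path, query, headers, payload_hash)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canon.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def verify_request(method, host, path, query, headers, payload, secrets):
    """Server side: look up the secret for the presented access key, recompute
    the signature over what was actually received, and compare in constant
    time. Unknown key, malformed header or any mismatch -> False.
    (A real service also rejects an x-amz-date outside a short skew window.)"""
    try:
        auth = headers["authorization"]
        credential = auth.split("Credential=")[1].split(",")[0]
        access_key, date, region, service, _ = credential.split("/")
        if headers["x-amz-date"][:8] != date:
            return False
    except (KeyError, IndexError, ValueError):
        return False
    secret = secrets.get(access_key)
    if secret is None:
        return False
    expected = sign_request(method, host, path, query, headers["x-amz-date"], region,
                            service, payload, access_key, secret)["authorization"]
    return hmac.compare_digest(expected, auth)
```

Because the method, path, query and payload hash are all inside the signed string, a captured request cannot be replayed as a different operation: changing GET to DELETE or pointing it at another object key invalidates the signature.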
Authentication not only ensures that only authorized users have access, but is also required in scale-out solutions where multiple customers' applications and data share one system (multi-tenancy, with IAM-style users and policies per tenant). In these environments the object storage solution must also keep tenant accounts and users isolated from one another, so that one tenant's credentials never grant access to another tenant's data.
The next step is access control. Tailoring a user's access to only what they need provides an important layer of protection; this is the principle of least privilege. Object storage solutions should provide this capability along with granular control for administrators to allow or deny access to specific data. It applies to service accounts as much as to people: a backup job needs permission to write new objects, not to delete or overwrite existing ones, and a stolen key can only do what its policy allows. Some modern systems can integrate with services that centralize identity management, such as Lightweight Directory Access Protocol (LDAP) directories or Microsoft Active Directory servers.
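Least privilege in practice, as an added example that is not from the original post: a constructed policy for a backup service account in the S3/IAM policy language, with a small evaluator that applies the rules an S3-compatible store applies (explicit Deny wins, otherwise a matching Allow, otherwise Deny) and a lint that flags the overbroad "s3:* on *" grant. The bucket names, ARNs and policies are made up for the example, and the evaluator ignores Condition, NotAction and Principal elements.

```python
from fnmatch import fnmatchcase

# Constructed example policy (not taken from any real account). A nightly
# backup job may write and read objects under one prefix and list the bucket,
# and is explicitly denied every operation that could destroy data or weaken
# the bucket's protections.
BACKUP_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::backups/nightly/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::backups"},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:PutBucketVersioning", "s3:PutObjectRetention",
                    "s3:BypassGovernanceRetention"],
         "Resource": "*"},
    ],
}

# Overbroad policy of the kind that turns one leaked key into a full outage.
ADMIN_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run, '?' one character. Action names are
    # matched case-insensitively, resource ARNs case-sensitively.
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decide one request. An explicit Deny in any matching statement wins;
    otherwise a matching Allow grants; otherwise the default is Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not _matches(_as_list(st["Action"]), action, case_insensitive=True):
            continue
        if not _matches(_as_list(st["Resource"]), resource):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def audit_wildcards(policy):
    """Least-privilege lint: indexes of Allow statements that grant a wildcard
    action on a wildcard resource, the pattern to remove first."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        wide_action = any(a in ("*", "s3:*") for a in _as_list(st["Action"]))
        wide_resource = any(r == "*" for r in _as_list(st["Resource"]))
        if wide_action and wide_resource:
            findings.append(i)
    return findings
```

With this policy a compromised backup key can add ciphertext alongside the good copies but cannot delete them, switch versioning off or shorten a retention period, which is what limits the blast radius when the job's credentials leak.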
2nd option: encryption
Encryption covers two stages. The first is data in transit: requests entering the system, both the data and the commands, must be encrypted so that anyone sniffing the network cannot read or alter them. This is done with TLS (the successor of SSL; the term "SSL certificate" survives in common usage). The server presents a certificate that the client verifies against a trusted authority before anything is sent, and the session keys negotiated in that handshake protect the traffic. Connections between the individual services of the storage system should use TLS as well, so that a listener on the internal network sees only ciphertext.
The second stage is encryption at rest, applied as the data is written to disk. An attacker who gets hold of the storage media or a storage node (a stolen or decommissioned drive, a compromised host) finds only ciphertext and cannot derive any value from it. Note what this does not cover: an attacker holding valid credentials is served decrypted data like any other client, which is why encryption at rest must be combined with access control and immutability.
A key decision is how to manage the keys that decrypt the data. Many companies use a Key Management Server (KMS) to keep the encryption keys safe and separate from the data, so that a copy of the storage alone is worthless and keys can be rotated or revoked in one place.
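What "keys separate from the data" means mechanically, as an added example that is not from the original post: envelope encryption with a stand-in KMS. The storage node keeps only ciphertext and per-object data keys wrapped by the KMS; the key-encryption key never leaves the KMS, so a stolen node yields nothing, and rotating the KMS key re-wraps the small data keys without re-encrypting the bulk data. To stay standard-library only, the cipher is HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag, a sound construction but not what production systems use (they use AES-GCM or AES-XTS with the key in a KMS or HSM); the object names and contents are constructed.

```python
import hashlib
import hmac
import os


def _subkeys(key):
    # Separate encryption and MAC keys derived from one 256-bit key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: ciphertext or tag modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementServer:
    """Stand-in for a KMS: holds the key-encryption key (KEK) and only ever
    hands out data keys or unwraps them. The KEK never leaves this object."""
    def __init__(self):
        self._kek = os.urandom(32)

    def generate_data_key(self):
        dek = os.urandom(32)
        return dek, encrypt(self._kek, dek)

    def wrap(self, dek):
        return encrypt(self._kek, dek)

    def unwrap(self, wrapped_dek):
        return decrypt(self._kek, wrapped_dek)


class StorageNode:
    """Holds ciphertext plus the wrapped per-object DEK, never the KEK."""
    def __init__(self, kms):
        self.kms = kms
        self.objects = {}

    def put(self, key, data):
        dek, wrapped = self.kms.generate_data_key()
        self.objects[key] = {"wrapped_dek": wrapped, "ciphertext": encrypt(dek, data)}

    def get(self, key):
        rec = self.objects[key]
        return decrypt(self.kms.unwrap(rec["wrapped_dek"]), rec["ciphertext"])

    def rotate_kek(self, new_kms):
        # Rotation re-wraps the small DEKs; the bulk ciphertext is untouched.
        for rec in self.objects.values():
            rec["wrapped_dek"] = new_kms.wrap(self.kms.unwrap(rec["wrapped_dek"]))
        self.kms = new_kms


def stolen_disk_contains_plaintext(node, key, needle):
    """An attacker with the node but not the KMS can only search the bytes at
    rest. True only if the plaintext is exposed."""
    rec = node.objects[key]
    return needle in rec["ciphertext"] or needle in rec["wrapped_dek"]


def tamper_is_detected(node, key):
    """Flip one ciphertext byte and check that decryption refuses it."""
    rec = node.objects[key]
    flipped = bytearray(rec["ciphertext"])
    flipped[16] ^= 0x01
    try:
        decrypt(node.kms.unwrap(rec["wrapped_dek"]), bytes(flipped))
    except ValueError:
        return True
    return False
```

The authentication tag matters as much as the secrecy: without it, an attacker who can write to the media could flip bits in the ciphertext and have the change decrypt into corrupted, plausible-looking data.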
3rd option: immutability
The immutability of data is an important principle in data protection: data that cannot be altered cannot be encrypted in place by ransomware. Object storage only offers the operations create (PUT), read (GET) and delete; an object is written whole, and there is no way to modify part of it in place. This inherent immutability is fundamentally different from other forms of storage, such as file systems, where a process can open a file and rewrite bytes in the middle, which is exactly what ransomware does. On its own, though, it is not enough: an attacker holding write credentials can still replace an object with a new copy or delete it, so the two mechanisms that follow are what actually protect the data.
Building on this write-whole model, most object storage solutions today allow versioning of object data via the Amazon S3 Bucket Versioning API, which provides an additional element of protection. Versioning keeps the previous version of an object when a new version is written, and a plain delete only adds a delete marker, so an object that ransomware overwrote or "deleted" can be restored from its earlier version. Versioning alone does not stop an attacker who also has permission to delete specific versions, however.
To close that gap, some modern object storage systems provide object locking via the Amazon S3 Object Lock API. This assigns each object version a fixed retention period during which it cannot be modified, updated, or deleted. In compliance mode no user, not even the root account, can delete the version or shorten its retention before the period ends; governance mode lets specially privileged users override the lock, so compliance mode is the one to choose for ransomware protection. This feature is extremely powerful and has been validated for use in financial services and SEC compliance environments. Object Lock on the primary data is a strong mechanism against the common ransomware attacks that encrypt user data, and applied to a backup copy it yields an immutable backup from which recovery is reliable even when the primary data is attacked.
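The versioning and Object Lock behaviour described above, as an added example that is not from the original post and is not a client for any real service: an in-memory model of a bucket with versioning on and compliance-mode retention, a simulated attacker who holds valid write and delete credentials, and the operator's recovery step. Object names, contents and the use of day numbers for time are constructed for the example; the same run against a bucket with no retention shows what the attacker achieves without the lock.

```python
import itertools

RANSOM_NOTE = b"YOUR FILES ARE ENCRYPTED"  # constructed stand-in for attacker ciphertext


class LockedBucket:
    """Model of an S3-style bucket with versioning and Object Lock in
    compliance mode: each written version is retained for retention_days and
    no caller, root included, can delete it early. Delete markers carry no
    retention. Times are day numbers."""

    def __init__(self, retention_days):
        self.retention_days = retention_days
        self.versions = {}          # key -> list of version records, oldest first
        self._ids = itertools.count(1)

    def put(self, key, body, now):
        vid = f"v{next(self._ids)}"
        self.versions.setdefault(key, []).append(
            {"id": vid, "body": body, "retain_until": now + self.retention_days})
        return vid

    def current(self, key):
        """What a plain GET returns: the newest version, or None when the
        newest version is a delete marker (the key looks gone, nothing erased)."""
        versions = self.versions.get(key) or []
        if not versions or versions[-1]["body"] is None:
            return None
        return versions[-1]["body"]

    def list_versions(self, key):
        return [dict(v) for v in self.versions.get(key, [])]

    def delete(self, key, now, version_id=None):
        """A delete without a version id only adds a delete marker. Deleting a
        specific version is refused while its retention period runs."""
        if version_id is None:
            vid = f"v{next(self._ids)}"
            self.versions.setdefault(key, []).append(
                {"id": vid, "body": None, "retain_until": now})
            return
        for v in self.versions.get(key, []):
            if v["id"] == version_id:
                if v["retain_until"] > now:
                    raise PermissionError(f"{version_id} retained until day {v['retain_until']}")
                self.versions[key].remove(v)
                return
        raise KeyError(version_id)


def simulate_ransomware(bucket, key, now):
    """Attacker with valid write and delete credentials: overwrite the object
    with junk, then try to purge every version. Returns how many survived."""
    bucket.put(key, RANSOM_NOTE, now)
    for v in bucket.list_versions(key):
        try:
            bucket.delete(key, now, version_id=v["id"])
        except PermissionError:
            pass
    return len(bucket.list_versions(key))


def recover(bucket, key, now, is_bad=lambda body: body is None or body == RANSOM_NOTE):
    """Operator response: find the newest version that is neither a delete
    marker nor attacker junk and write it back as the current version.
    Returns the id of the version restored from, or None if nothing survived."""
    for v in reversed(bucket.list_versions(key)):
        if not is_bad(v["body"]):
            bucket.put(key, v["body"], now)
            return v["id"]
    return None
```

Two things the run makes visible: the attacker's overwrite succeeds in both buckets (the current version is the ransom note either way), and only the retention period decides whether the earlier versions are still there to restore from. Recovery is itself a new PUT, so the restored copy is locked again from that day.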
Ransomware attacks: the question is not ‘if’ but ‘when’
Ransomware attacks are growing rapidly and are now widely treated as inevitable rather than merely possible. For this reason, smart companies implement best practices for early detection of an attack and for the protection and recovery of data across the whole company. For object storage solutions, best practices cover three areas:
- Authentication/access control protects data by controlling who can access it
- Encryption technologies make stolen media and intercepted traffic worthless to criminals
- Immutability ensures that the data cannot be tampered with
Modern object storage is now clearly recognized as a powerful tool for ransomware protection and data recovery in mission-critical use cases.