Paul Speciale of Scality
By 2031, it is projected that ransomware attacks will occur approximately every two seconds across the globe. At the same time, security breaches are also becoming more expensive. The average cost of a data breach is estimated to be $4.24 million (€4.14 million). And to make matters worse, attackers are now highly sophisticated, with new attack vectors emerging on a frequent basis, says Paul Speciale, chief marketing officer, Scality.
To face this evolving and relentless security challenge, organisations must be just as proactive and innovative. Every element of an organisation must work together. From the part-time intern to the CFO, the firewalls to the networking, each part has a critical role in the organisation’s security posture. Data storage is not exempt, and this article will explore how IT teams can ensure that their object storage, in particular, can be optimised to boost the security of today’s enterprises.
Unstructured data and object storage
By far, most of the volume of data generated today is unstructured. This refers to images, videos, webpages, audio files or other data that does not follow conventional data models and are difficult to store and manage in a traditional relational database. This type of data is expected to make up as much as 80% of all data by 2025, according to IDC.
As unstructured data proliferates, object storage has become a keystone of IT environments today. Government agencies, financial services, hospitals, biosciences organisations, among others widely deploy object storage, and these are industries where ransomware attacks are a very real threat.
Traditional storage solutions were simply not designed for the massive volumes of data that organisations manage today. This is one reason why public cloud has been broadly adopted. Its agility and scalability are appealing; however, it cannot provide users with complete control over their infrastructure, performance can be insufficient, security has gaps and vulnerabilities, and its economic benefits diminish as organisations expand and must manage greater volumes of data, especially for active data.
Modern organisations therefore need a secure, cost-effective solution that scales as business demands grow and evolve over time, that provides data access to legacy as well as new cloud-native applications. When done in the right way, cloud object storage combines the simplicity, agility, and scalability of the public cloud with the security, performance, and control of on-premises private cloud infrastructure.
By assuming that their IT environment will come under attack, organisations can implement measures and processes to detect threats, protect their data, and recover with minimal disruption in the event of a breach. IT teams must ensure that their object storage is optimised to avoid missing out on a powerful layer of protection. There are three ways to do this:
1. Authentication and access control
Authentication refers to tools that ensure a user really is who they claim to be. In an object storage solution, users must be validated when accessing the storage to confirm they have authorisation. Best practices involve each user first creating an account, with an access key/secret key pair assigned to each user. Keys are then used to securely authenticate the user in each S3 API interaction, such as for creating or reading an object. AWS refers to this as signature V4 authentication.
Authentication not only ensures that only authorised users can gain access, but is also necessary in scale-out solutions where a number of customers’ applications and data are consolidated, known as multi-tenancy models or AWS identity and access management (IAM) systems. In these environments, object storage solutions can also ensure that tenant accounts and users remain separated and inaccessible to unauthorised users.
The next step is access control. Limiting a user’s access to what they need, and nothing more, provides an important layer of protection. This is referred to as the principle of least privilege access. Object storage solutions should provide this capability along with granular control for administrators to allow or deny access to particular actions on data, such as the policies assigned to users and buckets in AWS IAM. Some modern systems enable integration with services that can centralise user identity access management, such as with LDAP (Lightweight Directory Access Protocol) or Microsoft Active Directory servers.
2. Encryption
There are two key elements to encryption. The first is in-flight, which refers to requests coming into the system. Data and commands must be encrypted while in transit to avoid lurking technologies or bad actors accessing them on the wire. This is typically achieved via a secure sockets layer (SSL) security certificate. With SSL connections between each different service, data and commands cannot be read without a valid certificate.
The second component is encryption at rest. This is when the data is stored. Should an attacker manage to access the system and reach the data, they will not be able to read or access it, or draw any value from it.
A critical decision when it comes to encryption is how to manage the key to decrypt the data. The storage solution should not hold the encrypted data as well as the encryption key; this violates the principle of encrypting data in the first place. Many organisations use a key management server (KMS) to securely hold on to the encryption keys separately from the data.
3. Immutability
Data immutability is an important term in data protection, meaning data cannot be altered. This thwarts attacks as the data cannot be modified or encrypted by ransomware. Object storage by design only provides the option to create, read, or delete data. It does not allow for modification in place. This natural immutability represents a fundamental distinction from other forms of storage media, for example file systems, which allow data to be changed and updated.
As data is not edited, most object storage solutions today enable versioning of object data, through the Amazon S3 Bucket Versioning API which offers an extra element of protection. Versioning means that the previous version of an object is saved before a new version is written, and thereby providing recovery to a previous version of an object.
Taking immutability even further, some modern object storage systems offer object locking via the Amazon S3 Object Lock API. This places a fixed retention period on each piece of data, during which it cannot be altered, updated, or deleted. This feature is extremely strong and has been validated for use in financial services and SEC compliance environments. Object locking on primary data can provide a strong mechanism for preventing some common ransomware attacks that encrypt user data, or by providing an immutable backup copy of data to enable reliable recovery in the event of an attack on the primary data.
So, it goes without saying that the exponential increase of ransomware attacks means they must be treated as inevitable and planned for accordingly. Smart organisations are implementing best practices for early detection, protection, and recovery from such attacks across all areas of their business. For object storage solutions, best practices encompass three areas: authentication/access control defends data by controlling who can access it; encryption technologies makes the organisation’s data worthless to criminals; while immutability ensures data cannot be tampered with. With strong access controls, encryption, natural data immutability, object versioning and object locking, modern object storage is a powerful tool for ransomware protection and recovery for mission-critical use cases.
The author is Paul Speciale, chief marketing officer, Scality
Follow us and Comment on Twitter @TheEE_io