A practical framework for solving the infosec – infrastructure battle over enterprise storage security

It’s high time we talk about the avoidable organizational risks that occur when teams that share business goals aren’t aligned with each other. We’re talking about cases when teams from different departments assume that the other is taking responsibility over a certain matter, when in fact no one is. 

One specific case in point is the lack of clarity between infosec and infrastructure teams regarding ownership over the security of enterprise storage & backup systems.

When there’s no clear owner, each team passes the responsibility to the other; the end result is insecure storage & backup infrastructure that leaves an organization’s most valuable asset–its core data–unprotected. 

With the frequency of cyberattacks at an all-time high, and the growing sophistication of ransomware attacks, enterprises can no longer afford to let this issue fall between the cracks; the matter of ownership over storage and backup system security must be addressed. 

A quick review of the media coverage of a few recent attacks illustrates just a few of the risks caused by unclear ownership over data storage system security:

• Colonial Pipeline: The ransomware attack on one of the US’ largest pipeline operators highlights the fact that standard IT disaster recovery measures aren’t enough. Even though the backup files were eventually enough to restore their network, the enterprise still ended up paying a $4.4M ransom. The problem is that backup files restore the network to a point where the attackers still have access to them; if the vulnerabilities that created the breach aren’t addressed, attackers can penetrate the network whenever they choose. It’s just like when you try to fix a flooded basement: it’s not just a matter of pumping out the water; you also need to fix the leaky pipes.

• JBS Foods: Cybercriminals behind a string of high-profile ransomware attacks, including one extorting $11 million from JBS Foods, have ported their malware code to the Linux operating system. The unusual move is an attempt to target network attached storage (NAS) devices that run on the Linux operating system (OS). REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.

• Mercato: Another case that demonstrates the risks that arise when data is stored insecurely through managed cloud service providers. Grocery startup Mercato exposed private information on tens of thousands of its customers when it left one of its cloud storage buckets, hosted on Amazon, completely accessible and unprotected. 

Siloed organizations offer a convenient gateway to attackers

Data is the lifeblood of pretty much all modern organizations, and most create huge amounts of it on a daily basis. This data enables companies to smoothly conduct their business and to achieve greater efficiencies by discovering the operational insights it holds within. Data has become a strategic asset for every organization, a crown jewel that must be secured and protected. 

With cyber threats now frequently coming from both within and outside of the organization, implementing robust storage security measures that empower easy access for authorized users while keeping unauthorized users out is a must. 

Standard storage solutions like immutable storage and data encryption aren’t enough. Enterprises that continue to rely on them as their last line of defense put themselves at risk. 

To truly keep their data  safe, organizations need a well-planned strategy:

• Keep multiple copies of data, in multiple locations
• Protect your copies from deletion or alteration (e.g., using immutable storage, MFA delete)
• Thoroughly Isolate actual data from its copies: different admin roles, different credentials, different physical or logical networks, etc.
• Thoroughly audit your storage and backup configuration – monitor and investigate configuration changes
• Define security baselines for your storage and backup systems, review your current deployment to diligently close gaps, and frequently validate that no deviations occur
• Make sure your vulnerability management process fully includes all storage and backup devices (e.g., storage arrays and their OS, storage networks, storage and backup management consoles, storage firmware and drivers, etc.)
• Define clear ownership of each process
• Make sure your incident response plan covers scenarios such as: recovery from ransomware, recovery from destruction of an entire storage array, recovery from attacks that destroy key domain services, encryption key management systems, etc.
• Test recovery frequently

Note that even when backup copies are available, organizations are still potentially at risk because of the extended time required to restore the data they need to get their operations up and running. 

Most data protection solutions are optimized for data ingestion and space-efficiency to support fast backup speeds. This made-for-backup architecture hinders fast recovery as data reconstruction is widely dispersed, and inherently time-consuming process – full restores can easily be 3-5 orders of magnitude [DP1] slower than incremental backups.

Read our State of Storage Security report to learn more. 

InfoSec and IT Infrastructure teams share the same interests when it comes to securing the organization’s storage & backup systems

Let’s start by looking at things from the perspective of InfoSec teams, responsible for ensuring that critical business data cannot be modified, disrupted, deleted or accessed by unauthorized users. The definition of their role mandates that they can effectively: 

• Assess the security of their data storage.
• Discover and minimize the storage & backup attack surface.
• Manage and prioritize storage & backup security risks.
• Ensure data recoverability in the event of a cyberattack.

Many of the organizations we partner with put their IT Infrastructure team – specifically their storage & backup managers – in charge of securing their data storage & backup systems. 

Very similar to the InfoSec team, IT Infrastructure teams are occupied with the same storage security issues. They too must know how to:

• Identify and resolve storage security issues.
• Ensure alignment with security configuration standards/policies.
• Keep track of storage configuration changes.
• Automate validation and enforcement of storage security best-practices.

The root of the InfoSec/Infrastructure conflict

Nearly every organization today has separate  security and infrastructure teams. Both teams manage ongoing routine and operational functions and  share the same interests – to keep systems and operations running smoothly to support business growth. They just take different approaches to achieving these goals. 

The fact that the two groups tend to report to different stakeholders can also create political problems; while infrastructure teams report to the CIO, security teams are supervised by the CISO, who in many cases (but not all), is accountable to both the CIO and, due to compliance issues, the CFO. 

This division of authority means that inter-office politics can often influence the way problems are resolved between the two departments.

Another cause of this conflict is security teams’ oversight responsibilities mandated by regulations such as Sarbanes-Oxley and PCI. These dictate that proper cybersecurity measures be part of any significant IT changes. 

However, when timely response is required to solve critical network issues, Infrastructure teams will often give in to the pressure and resolve issues without infosec team change approval or risk verification. 

Where there’s a will, there’s a way

Organizational silos are a necessary evil that create tension and lack of alignment between teams, resulting in less secure organizations. Recent interviews that we conducted with CISOs from around the world generated some interesting insights that are relevant to this discussion:

• Tunde Oni-Daniel, VP Cyber Technology at OneMain Financial: The onset of Covid-19 is forcing previously siloed teams to work in a closer way. Organizations must force teams to practice collaboration, to make it muscle memory so that they know who to talk to when it’s required.

• Ian Thornton-Trump, CISO at Cyjax: Insufficient budgets for training has created knowledge deficiencies within the organization. Attackers often know more about an organization’s networks than internal staff. Siloes make this issue even more acute, and attackers will exploit this to their advantage. 

• Kristen Sanders, CISO at Water Authority: Teams currently see security as an obstacle to completing their tasks. This situation cannot continue and the perspective on security teams must change to a positive one that sees them as service providers that enable operational teams to do their job in a secure manner. 

• Glen Hymers, Head of Data Privacy & Compliance at UK Cabinet Office: Siloed security and IT storage teams must align to deliver high levels of security. Good CISOs and IT teams are already implementing shift left, security by design procedures and there’s no way to get that done if there’s no real collaboration with the security team. But security teams must understand their role is to facilitate, not abort, the business strategy and do everything they can to support initiatives. 

Communication is paramount to ensuring high levels of security. This is particularly true for large-scale, globally distributed organizations. 

In our experience, those enterprises that were able to act in unison were better at applying new security procedures. This can only be achieved when communication regarding security practices is aligned across both infosec and infrastructure teams. 

That’s the way to ensure that security best-practices are universally put in place so that the enterprise and its valuable data remain secure. 

Those enterprises that were most successful at generating a long-lasting, robust security posture drove home the feeling of shared responsibility and integrated the people, processes and technology required to keep business risks down to a minimum. 

At the end of the day, siloes between infosec and infrastructure teams can only be brought down in a culture that advocates such measures. 

Security teams must be made more aware of storage & backup capabilities, protocols and the attack surface. 

At the same time, the storage & backup managers need to rethink their take on security. To understand that security doesn’t have to complicate storage management (although it probably will) and that security and performance are no longer incompatible. 

Responsibility should be clearly set. Collaboration is highly valuable, of course: teams should share knowledge (storage and backup teams need to learn much more about security, and infosec teams need to learn much more about storage technology); teams should seek advice from each other; teams should review internal and external audit results and work together to continually improve.

One way to kickstart this process would be for both teams to jointly conduct a one-time  assessment of their organizations’ storage & backup security, to identify any blind spots. 

Before We Go

Organizations must keep in mind that shared responsibility might easily turn into no responsibility. Of course, teams should collaborate – but the responsibilities should be defined very crisply. For example: InfoSec is responsible to define DETAILED standards and expectations (IT can and should consult and support). IT is responsible for implementing – reporting on progress, and identifying gaps.

Inspection of gaps should be closely supervised by Infosec. It may also be necessary to engage external auditors to help both teams improve.