StorageGuard - by Continuity™ - is the ONLY Security Posture Management solution for Storage & Backups, helping to ensure these systems are securely configured, and compliant with industry & security standards.
Storage and backup systems are the backbone that support data integrity, availability, confidentiality, and recovery. However, these critical systems are often overlooked in security strategies, leaving them vulnerable to misconfigurations and cyber threats.
Establishing secure configuration baselines for storage and backup systems is essential to protect against unauthorized access, data breaches, and compliance violations.
A secure configuration baseline is a set of security settings that serve as a benchmark for configuring systems consistently and securely. It ensures that all systems adhere to an organization’s security policies and industry best practices.
For storage and backup systems, which handle sensitive data and maintain critical operations, a secure configuration baseline mitigates risks associated with misconfigurations, weak encryption protocols, and unauthorized changes.
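To make the definition concrete, here is an added example (not StorageGuard code and not from the original post) of how a baseline is used in practice: a list of expected settings, an assessment of the currently observed configuration against it, approved deviations that expire, and a drift check against the last approved snapshot so that unrecorded changes surface as findings. The baseline, the setting names, the observed configuration and the ticket numbers are all constructed for illustration; real storage and backup platforms expose these values under their own parameter names.

```python
"""Baseline assessment for a storage/backup appliance configuration.

Illustrative example only: the baseline, the observed configuration, the
approved deviations and the change records below are constructed data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable


@dataclass(frozen=True)
class Control:
    setting: str
    expected: str                  # human-readable expected state
    passes: Callable[[Any], bool]  # predicate applied to the observed value
    reference: str                 # risk or control family the setting addresses


# Constructed baseline. Setting names are hypothetical, not a vendor's.
BASELINE = [
    Control("encryption_at_rest", "AES-256", lambda v: v == "AES-256", "weak encryption"),
    Control("tls_min_version", "TLS 1.2 or 1.3", lambda v: v in {"1.2", "1.3"}, "weak encryption"),
    Control("snmp_version", "SNMPv3 only", lambda v: v == "v3", "least functionality"),
    Control("default_admin_enabled", "disabled", lambda v: v is False, "unauthorized access"),
    Control("mgmt_protocols", "subset of {https, ssh}",
            lambda v: isinstance(v, (list, set, tuple)) and set(v) <= {"https", "ssh"},
            "least functionality"),
    Control("snapshot_lock_days", "at least 14", lambda v: isinstance(v, int) and v >= 14,
            "recovery / ransomware resilience"),
]


@dataclass(frozen=True)
class Deviation:
    setting: str
    ticket: str    # constructed change-ticket reference
    expires: date  # approved deviations are time-boxed and re-reviewed


@dataclass(frozen=True)
class Finding:
    setting: str
    kind: str      # "noncompliant", "expired_deviation" or "unapproved_change"
    detail: str


def assess(current, baseline, approved_deviations, last_approved, approved_changes, today):
    """Return baseline violations (minus still-valid deviations) plus drift
    from the last approved snapshot that has no matching change record."""
    deviations = {d.setting: d for d in approved_deviations}
    findings = []
    for control in baseline:
        value = current.get(control.setting)  # a missing setting fails the check
        if control.passes(value):
            continue
        dev = deviations.get(control.setting)
        if dev is None:
            findings.append(Finding(control.setting, "noncompliant",
                                    f"observed {value!r}, expected {control.expected} ({control.reference})"))
        elif dev.expires < today:
            findings.append(Finding(control.setting, "expired_deviation",
                                    f"{dev.ticket} expired {dev.expires.isoformat()}; observed {value!r}"))
    # Drift: any setting that differs from the approved snapshot without a change record.
    for setting in sorted(set(current) | set(last_approved)):
        if current.get(setting) != last_approved.get(setting) and setting not in approved_changes:
            findings.append(Finding(setting, "unapproved_change",
                                    f"{last_approved.get(setting)!r} -> {current.get(setting)!r}"))
    return findings


# Constructed snapshot that was last reviewed and approved.
LAST_APPROVED = {
    "encryption_at_rest": "AES-256",
    "tls_min_version": "1.2",
    "snmp_version": "v3",
    "default_admin_enabled": False,
    "mgmt_protocols": ["https", "ssh"],
    "snapshot_lock_days": 30,
}
# Constructed configuration observed today: TLS downgraded and telnet enabled
# with no change record; snapshot lock shortened under a deviation that has lapsed.
CURRENT = dict(LAST_APPROVED, tls_min_version="1.0",
               mgmt_protocols=["https", "ssh", "telnet"], snapshot_lock_days=7)
APPROVED_DEVIATIONS = [Deviation("snapshot_lock_days", "CHG-0421", date(2024, 6, 30))]
APPROVED_CHANGES = {"snapshot_lock_days"}


def run_example(today=date(2024, 9, 1)):
    return assess(CURRENT, BASELINE, APPROVED_DEVIATIONS, LAST_APPROVED, APPROVED_CHANGES, today)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:19} {f.setting:23} {f.detail}")
```

Note that a change can be recorded and still be a finding: the shortened snapshot lock has a change record, so it is not drift, but its deviation has expired, so it is reported until it is either reverted or re-approved. Settings that fail the baseline and also have no change record produce two findings, one for the misconfiguration and one for the unapproved change, which is the distinction the "identify and approve deviations" and "monitor and control changes" requirements draw.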
Misconfigurations and weak cryptographic settings are among the most common vulnerabilities exploited by attackers. According to the Open Web Application Security Project (OWASP), security misconfigurations rank high in the OWASP Top Ten list of critical web application security risks. Similarly, the Verizon Data Breach Investigations Report (DBIR) consistently highlights how misconfigurations contribute to data breaches, emphasizing that even minor configuration errors can lead to significant security incidents.
Some of the recent examples involving storage and backup include the Russian cyberattack on Ukraine’s largest mobile phone provider, Kyivstar, and the ransomware attack on UnitedHealth.
So, it’s no surprise that several industry standards and regulatory frameworks emphasize the importance of secure configurations. For example –
| Source | Section | Requirement |
| --- | --- | --- |
| NIST CSF Protect (PR) | PR.IP-1 | “A baseline configuration of information technology/industrial control systems is created and maintained.” |
| NIST SP 800-53 | CM-2: Baseline Configuration | Organizations are required to develop, document, and maintain a current baseline configuration of information systems. |
| NIST SP 800-53 | CM-7: Least Functionality | “The organization configures the information system to provide only essential capabilities and limits unnecessary functionality.” |
| NIST SP 800-53 | CM-6: Configuration Settings | “Establish … the most restrictive mode…. Identify and approve deviations … Monitor and control changes to the configuration settings” |
| CIS Controls | Safeguard 4.1 | “Establish and maintain a secure configuration process for all enterprise assets.” |
| Digital Operational Resilience Act (DORA): Regulatory Technical Standards | Article 11: ICT Systems, Protocols and Tools | “Financial entities shall ensure the performance of automated vulnerability scanning and assessments, and the implementation of a secure configuration baseline of all network components and hardening the network and network devices according to vendor instructions… Identification of secure configuration baseline for ICT assets that will minimise their exposure to cyber threats and measures to verify regularly that these baselines are those that are effectively deployed. The secure configuration baseline shall take into account leading practices and appropriate techniques referred to in standards, as defined in Article 2, point (1), of Regulation (EU) No 1025/2012.” |
| Digital Operational Resilience Act (DORA): Regulatory Technical Standards | Article 13: ICT Security Tools and Policies | “Secure configuration baselines, network hardening, and session termination after inactivity limit potential attack vectors.” |
| PCI DSS V4 | Requirement 2 | Develop configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted system hardening standards…. Implement secure configurations for all system components, addressing security vulnerabilities and considering industry best practices. |
| FFIEC | Configuration Management | Financial institutions must implement robust configuration management to ensure the security and integrity of systems. |
Despite the clear mandates from industry standards and regulations, organizations face challenges in implementing secure configurations for storage and backup systems:
Stay tuned for Part 2 where we’ll explain how to build a secure configuration baseline process – with StorageGuard.
It’s time to automate the secure configuration of your storage & backup systems.