Storage Security Problems
When the European Union enacted the General Data Protection Regulation (GDPR) in 2016, it brought some of the stiffest enforcement measures yet around data security. British Airways was slapped with a £20 million fine in 2020 “for failing to protect the personal and financial details of more than 400,000 of its customers.” Marriott followed right behind with an £18.4 million fine for failing to protect up to 339 million guest records, including unencrypted passport information. In both cases, along with many others, the fined companies could have avoided the breaches and fines by implementing improved security measures.
These numbers may sound like outliers and, to be fair, they rank among the largest GDPR fines to date. So, let’s look at breach costs on a per-capita basis. According to the IBM/Ponemon “Cost of a Data Breach Report 2020,” the per-record cost of a breach containing personally identifiable information (PII) was $150. In the case of malicious attacks, that number jumped to $175. The migration to remote work was expected to increase these costs and incident response times. (Sure enough, IBM’s 2021 numbers came in roughly 10% higher than 2020.) Note that companies experiencing “mega breaches” involving more than 1 million records “continued to see costs that were many times the overall average.”
Ransomware also continues to dominate enterprise security headlines. Kaspersky Lab noted that ransomware exploits occurred at a rate of one every two minutes in early 2016. Cybersecurity Ventures predicts that by 2031, that rate will reach one every two seconds. Similarly, the annual cost of those exploits will explode from $20 billion in 2021 to $265 billion a decade hence. Even if such guesses are off by 2x or 3x, that still represents a terrible economic and social toll. The downstream impacts of people losing faith in a company’s ability to protect personal data are very hard to estimate.
These are the problems. Now, let’s talk about solutions.
Storage Security Solutions
IT is no stranger to constructing multiple layers of defense around technology resources. This is how Quobyte approaches storage security. It begins by ensuring that only authorized users have access to the system. We do this via X.509 certificates. This is an industry standard for public key-based cryptographic certificates, based on proven technology that has been in the market for over 30 years. Today, X.509 is at the heart of applications such as document signing, government-issued electronic IDs, and encrypted web browsing protocols, including HTTPS and SSL/TLS.
X.509 provides us with a decentralized, safe method for providing network multitenancy. With X.509 tokens linked to specific network entities, tenants within the same network resources can remain isolated. Cryptographic experts often live by the maxim “Don’t trust. Verify.” With X.509, network access verification is accomplished through unbreakable math. There is no need to trust anything.
The next security layer involves data access control. Once a user is in the network, only those with specific authorization should have access to a given file. We do this with access control lists (ACLs) at the file system level. HIPAA compliance does not mandate any given certification, but there are guidelines, including the need to tighten access, control restrictions, and audit that you have proper access control in place. This is why Quobyte created unified access control.
Usually, ACLs are enforced on all protocols, including on Windows, Linux, Mac, and object storage. If you have one file working under two operating systems, you need to manage two ACLs for the same file — and thus twice the work during an audit. With our unified access control, there’s only one audit needed per file, greatly easing management. At the same time, a change made on Linux, for example, will immediately apply under Windows, so there’s no more forgetting to update changes. You have a proper way to perform and audit access control.
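To make the two-ACL audit problem described above concrete, here is an added example (not Quobyte code) that compares the Linux and Windows views of one file and reports where they have drifted apart. The sample `getfacl` and `icacls` output, the user names, and the rights mapping are constructed assumptions.

```python
import re

# Constructed sample: `getfacl` output for one file, as seen from Linux.
GETFACL = """\
# file: q3-payroll.csv
# owner: alice
user::rw-
user:bob:r--
user:carol:rw-
group::r--
mask::rw-
other::---
"""

# Constructed sample: `icacls` output for the same file, as seen from Windows.
ICACLS = """\
q3-payroll.csv CORP\\alice:(F)
               CORP\\bob:(M)
               CORP\\dave:(R)
"""

# Assumption: coarse mapping of icacls simple rights onto r/w/x.
ICACLS_RIGHTS = {"F": "rwx", "M": "rwx", "RX": "rx", "R": "r", "W": "w"}

def parse_getfacl(text):
    """Return {user: rights}; the owner's `user::` entry is keyed by '# owner'.
    Simplification: the mask entry is not applied to named users."""
    owner = re.search(r"^# owner: (\S+)$", text, re.M).group(1)
    return {name or owner: set(perms) - {"-"}
            for name, perms in re.findall(r"^user:([^:]*):([rwx-]{3})$", text, re.M)}

def parse_icacls(text):
    """Return {user: rights}. Assumption: the account name after the domain
    prefix, lowercased, is the same identity as the POSIX user name."""
    return {name.lower(): set(ICACLS_RIGHTS[right])
            for name, right in re.findall(r"\\(\w+):\((\w+)\)", text)}

def acl_drift(posix, windows):
    """List (user, posix_rights, windows_rights) where read/write access differs."""
    drift = []
    for user in sorted(posix.keys() | windows.keys()):
        p = posix.get(user, set()) & {"r", "w"}
        w = windows.get(user, set()) & {"r", "w"}
        if p != w:
            drift.append((user, "".join(sorted(p)), "".join(sorted(w))))
    return drift

if __name__ == "__main__":
    for user, p, w in acl_drift(parse_getfacl(GETFACL), parse_icacls(ICACLS)):
        print(f"{user}: posix={p or '-'} windows={w or '-'}")
```

In the sample, bob can write from Windows but not from Linux, and carol and dave each exist in only one of the two ACLs, which is the kind of finding a per-protocol audit has to reconcile by hand.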
Note that NFS has no X.509 or ACL capabilities. NFS requires you to trust the network.
It would be naïve to assume that one can block all ransomware threats forever. The smarter mindset is to accept ransomware as a when, not an if. Offline backups are your best way to mitigate ransomware risk, but right behind that is having immutable snapshots and file immutability based on write once, read many rules. If you have data that needs to remain persistent in storage but there’s no reason to change it, have a platform like Quobyte that can make those files immutable. With this enabled, malicious tools can’t alter files with outside encryption, thus negating the threat of having that data locked and held for ransom.
Not least of all, Quobyte security employs end-to-end encryption. We encrypt data via our native client on the machine where data is produced or consumed, so that is also where it is encrypted or decrypted. Whenever data leaves the system to enter the network, it does so in encrypted form. Again, this alleviates any need to trust the network or its storage admins. End-to-end encryption cuts out many possible vectors for unauthorized data access or theft.
When NFS uses Kerberos, only the communication between client and server is encrypted; the data is decrypted on the server side and only may be encrypted while at rest. That’s too many potential security gaps across various platforms. For example, if I can gain access to your storage server appliance, I can read all your data. There is no file-level security to block me.
For the last two decades, enterprise storage has lacked fundamental security, and so people have tried to secure everything around it. Headlines show that this approach is increasingly insufficient for modern data needs. Fortunately, Quobyte shows that there is a better way. We call it Complete 360 Security, and it comes included with every Infrastructure version of our storage platform.