As a chief information officer, it’s your job to ask tough questions. After all, your CEO depends on you to oversee the technological direction of your organization—and to do it while striking a delicate balance between managing costs and providing the technical capabilities your organization needs to achieve its objectives. But more importantly, your CEO depends on you to protect the company’s data.
This article does not attempt to address all the questions you should ask. It does, however, specify three important security questions you should ask about your data storage platform and why getting clear answers to each one matters.
- How do we protect data in-flight and data-at-rest?
- Can our data be made immutable or tamper-proof?
- Does our data storage architecture meet our compliance requirements?
QUESTION #1 – How are we protecting data in-flight and data-at-rest?
Data breaches worry senior executives. And they should. In the first six months of 2019, there was a 54% increase in the number of reported data breaches compared to 2018—a total of 3,813 disclosed breaches and 4.1 billion records exposed to unauthorized parties.
Experiencing a data breach is both embarrassing and costly. It’s an uncomfortable position to have to notify your customers that their information—data they entrusted to you—has been compromised. And, of course, there are the costs of remediation: finding out how the breach occurred, assessing the extent of the damage that was done, defending your organization against legal action, and putting in place new measures and solutions to prevent the same problem from happening again. These costs can be substantial. The average cost of a data breach in 2019 was $3.92 million.
In the case of Capital One’s breach in March 2019, the total costs were estimated to fall somewhere between $100 million and $150 million by the time it was all settled.
Figure: Global average total cost of a data breach, measured in US$ millions. FY2014: $3.50; FY2015: $3.79; FY2016: $4.00; FY2017: $3.67; FY2018: $3.86; FY2019: $3.93.
The fact is most organizations have complex information systems, a mixture of cloud-based solutions and on-premises legacy systems. To support the demands of digital business, data is stored in many different places—on smartphones and laptops, on database servers in geographically dispersed data centers (both private and in the cloud), and on edge devices. As a CIO, you don’t need to know all the technical details. Your staff is responsible for that. But it is important for you to understand how your organization’s data is being protected—both when it’s at rest and when it’s in transit.
QUESTION #2 – Can our data be made immutable?
Although much can be done to defend against the risk of data breaches, there is no way to eliminate the risk fully. It’s a sobering thought. But it’s true. This is one reason using a defensive strategy alone is not enough to protect your organization. It’s just as important, if not more important, to have solutions in place that will allow business continuity and recovery in the event of a breach.
One such solution is data immutability. When data is made immutable, it cannot be changed. The data is locked, and no one can edit, modify, or corrupt the files. Why is this important? Two words: Ransomware Attacks. Ransomware attacks can shut down operations.
Cyber thieves recognize our dependence on digital systems and our inability to function without them. Ransomware is a type of malware attack that seeks to “lock up” critical database files, encrypting them with a unique key and preventing anyone from accessing the data without that key. Perpetrators of these attacks seek to shut down systems and force organizations to pay a fee to acquire the key, so they can get access to their data again and bring their systems back online.
Ransomware not only disrupts business but also calls into question the integrity of data. One way to defend against a ransomware attack is to ensure you have backup copies of your data in a safe place. That way, if critical files become inaccessible, you can restore them from backups and continue operations without paying a ransom. In addition, because you restored the data from a safe place, you have confidence that your data hasn’t been changed or modified. Writing files to tapes is the most common way to ensure data immutability.
Once data is copied, tapes are shipped offsite and locked in a vault. The media is offline and stored in a secure facility. Confidence in the data is high because no one can easily access the data or change it. But storing data on tape has its drawbacks. The physical media can wear out or lose its charge, causing data to be lost. Saving data to tape is slower than saving it to disk. Handling tapes can be cumbersome. And in use cases where fast access to data is a must-have, tapes cannot meet the requirements.
Another way to ensure data immutability is to utilize storage with WORM capability.
The primary benefit of WORM (write once, read many) is that once the data is written to media, it can no longer be changed.
S3 Object Lock is quickly becoming the de facto standard for implementing WORM in cloud data storage platforms. With S3 Object Lock, you can specify policies that “lock” data at the object level based on certain criteria specified at the time the object is created. When the criteria have been met (usually a time period has elapsed), the object can be unlocked again.
Being able to make your data immutable has several benefits.
First, it guards the sanctity of your data backups and enables you to restore data confidently if your organization is hit with ransomware or some other nefarious attack. Second, it provides an essential function in cases where digital evidence management—the process of tracking everything that happens to a file—is required. And third, data immutability prevents data from being changed or corrupted, which is vital to meet certain compliance and audit requirements.
QUESTION #3 – Does our data storage architecture meet our compliance requirements?
As a CIO, you already know how important it is to make sure your systems are compliant with industry requirements. Overseeing compliance efforts, specifically those involving information systems and the handling of data, is a big part of your job.
GDPR: Requirements vary by industry. But some, such as GDPR, apply to every organization that collects personal data about consumers, and not every organization is fully prepared for it yet. GDPR, the General Data Protection Regulation, was adopted in Europe in 2016.
The regulation poses strict specifications on how the personal information of European Union (EU) citizens is to be handled and protected. It applies to any organization that collects data from EU citizens, and organizations that violate the policy can be fined. Fines can be high. For example, Google was found to be out of compliance with GDPR and fined $57 million.
SEC Rule 17a-4: SEC Rule 17a-4 is a regulation issued by the U.S. Securities and Exchange Commission that specifies (amongst other things) requirements for a WORM classification of the storage system. It lays out rigorous requirements for the storage software code, testing, and processes that ensure that data stored in WORM storage systems cannot be deleted even by privileged users for the specified retention period.
The easiest way to create a WORM environment to support compliance is simply to purchase a storage system that is certified WORM compliant. Once data is on these drives, it is impossible to modify, move, or delete the content unless you physically destroy the drive itself. You can also utilize a software solution that enables a strict compliance mode, which will simulate the hardware-level features of a WORM drive.
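The Object Lock policies described under Question #2 and the software "strict compliance mode" mentioned just above map onto two retention modes in S3 Object Lock: GOVERNANCE, which a specifically authorized principal can bypass, and COMPLIANCE, which nobody (root included) can shorten or remove before the retention date expires. The following Python is an added example written for this article, not the article's own material or any vendor's code. It builds the exact dictionaries that boto3's put_object_lock_configuration, put_object_retention and put_object_legal_hold calls accept, and then models offline how the service decides whether a delete or a retention change succeeds, so it runs with no AWS account. The bucket name, object key and dates are constructed placeholders; the decision logic reflects the documented Object Lock semantics as the example's author understands them.

```python
"""Offline model of S3 Object Lock retention semantics (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

BUCKET = "example-backup-bucket"        # constructed placeholder name
KEY = "backups/2024-01-01/db.dump"      # constructed placeholder key
VALID_MODES = ("GOVERNANCE", "COMPLIANCE")


def bucket_default_retention(mode: str, days: int) -> dict:
    """ObjectLockConfiguration payload for s3.put_object_lock_configuration().
    Object Lock requires bucket versioning; this rule sets the default
    retention applied to every new object version written to the bucket."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    if days < 1:
        raise ValueError("retention must be at least one day")
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
    }


def object_retention(mode: str, retain_until: datetime) -> dict:
    """Retention payload for s3.put_object_retention(Bucket, Key, Retention=...)
    (the same values go in put_object's ObjectLockMode / ObjectLockRetainUntilDate)."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    if retain_until.tzinfo is None:
        raise ValueError("RetainUntilDate must be timezone-aware")
    return {"Mode": mode, "RetainUntilDate": retain_until}


def legal_hold(on: bool) -> dict:
    """LegalHold payload for s3.put_object_legal_hold(); independent of retention."""
    return {"Status": "ON" if on else "OFF"}


def deletion_allowed(retention: Optional[dict], hold_on: bool, now: datetime,
                     can_bypass_governance: bool) -> Tuple[bool, str]:
    """Would deleting or overwriting a *specific object version* succeed?
    A DELETE without a version id never removes a locked version: it only
    writes a delete marker, and the protected version remains restorable."""
    if hold_on:
        return False, "legal hold ON: blocked until the hold is removed"
    if retention is None:
        return True, "no retention on this version"
    if now >= retention["RetainUntilDate"]:
        return True, "retention period has expired"
    if retention["Mode"] == "COMPLIANCE":
        return False, "COMPLIANCE: no principal, root included, can delete early"
    if can_bypass_governance:
        return True, "GOVERNANCE bypassed via s3:BypassGovernanceRetention"
    return False, "GOVERNANCE: protected until RetainUntilDate"


def retention_change_allowed(current: dict, proposed: dict,
                             can_bypass_governance: bool) -> bool:
    """Can a version's lock be changed? Extending is always allowed.
    COMPLIANCE can never be shortened or relaxed to GOVERNANCE; GOVERNANCE
    can be shortened only by a principal holding the bypass permission."""
    extends = proposed["RetainUntilDate"] >= current["RetainUntilDate"]
    if current["Mode"] == "COMPLIANCE":
        return proposed["Mode"] == "COMPLIANCE" and extends
    return extends or can_bypass_governance


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)      # constructed clock
    print(bucket_default_retention("COMPLIANCE", 90))
    lock = object_retention("COMPLIANCE", now + timedelta(days=30))
    # Even an attacker holding admin credentials cannot purge this backup copy.
    print(deletion_allowed(lock, False, now, can_bypass_governance=True))
    print(retention_change_allowed(lock, object_retention("COMPLIANCE", now + timedelta(days=10)), True))
```

For ransomware recovery the defender's takeaway is the COMPLIANCE branch: a backup version written under it survives compromised administrator credentials until its retention date, whereas GOVERNANCE mode is only as strong as the IAM policy that grants s3:BypassGovernanceRetention, so that permission should be audited like any other destructive privilege.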
Protecting your data is a complex process. As digitization continues to grow, and today’s boundaries are stretched through advanced technology and artificial intelligence, the task will continue to be challenging. A comprehensive security program is essential to ensure your organization is protected. And strong data storage security is a fundamental component of an effective program. But strong data storage security doesn’t just happen. It takes focus and due diligence to make sure your organization is deploying the right security features and protections to meet ever-changing regulations and the constant risk of data breaches.