All aspects of data storage, including architecture, implementation, and operation, must center on protecting your data in transit and at rest. This should be part of a multilayered security strategy that considers both current and new security threats. Your strategy should encrypt everywhere, provide for key management, control access, automatically update, and of course back up and triple-replicate all data.
Encrypting data is a fundamental aspect of security. Data should be encrypted when it is stored on disk, when it is moved into a staging location for loading into storage, when it is placed within a database object, and when it’s cached. Query results must also be encrypted, and end-to-end encryption should be the default.
Once you encrypt your data, you’ll decrypt it with an encryption key. To fully protect the data, you also need to protect the key that decrypts it. The best data storage platforms employ AES 256-bit encryption with a hierarchical key model rooted in a dedicated hardware security module. This method encrypts the encryption keys and rotates keys to limit the time during which any single key can be used. Data encryption and key management should be entirely transparent to the user and should not interfere with performance.
For authentication, make sure your connections to the cloud provider leverage standard security technologies such as Transport Layer Security (TLS) 1.2 and IP whitelisting. Cloud object storage should also support the SAML 2.0 standard so you can leverage your existing password security requirements as well as existing user roles. Regardless, multifactor authentication (MFA) should be required to prevent users from being able to log in with stolen credentials. With MFA, users are challenged with a secondary verification request, such as a one-time security code sent to a mobile phone.
Compliance and Attestations
Data breaches can cost millions of dollars to remedy and permanently damage relationships with customers. Industry-standard attestation reports verify that cloud vendors use appropriate security controls and features. For example, your cloud vendors need to demonstrate they adequately monitor and respond to threats and security incidents, and they have sufficient incident response procedures in place.
In addition to industry-standard technology certifications such as ISO/IEC 27001 and SOC 1/SOC 2 Type II, verify your cloud storage platform also complies with all applicable government and industry regulations. Depending on your business, this could include PCI, HIPAA/HITRUST, and FIPS certifications. Ask your providers to supply attestation reports to verify they adequately monitor and respond to threats and security incidents and have sufficient incident response procedures in place. Make sure they provide a copy of the entire report for each pertinent standard, not just the cover letters.
Isolate Your Data
Make sure that your data is isolated from all other data. Your cloud storage provider should isolate each customer’s data storage environment from every other customer’s storage environment, with independent directories encrypted using customer-specific keys.
Automate Updates and Logging
Security updates should be applied automatically to all pertinent software components of your modern cloud data storage platform as soon as those updates are available. Your cloud storage provider should perform periodic security testing to proactively check for security flaws. In addition, the use of file integrity monitoring (FIM) tools can ensure that critical system files aren’t tampered with. All security events should be automatically logged in a tamper-resistant security information and event management (SIEM) system.
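The file integrity check and tamper-resistant event log described above, sketched as an added example that is not part of the original article or any vendor's code. The file names, the demo key, and the choice of an HMAC hash chain to make the log tamper-evident are assumptions made for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare(baseline, current):
    """Return sorted (event, path) pairs for every difference from the baseline."""
    events = [("modified", p) for p in baseline if p in current and baseline[p] != current[p]]
    events += [("removed", p) for p in baseline if p not in current]
    events += [("added", p) for p in current if p not in baseline]
    return sorted(events)

def append_event(log, key, event, path):
    """Append a record whose MAC also covers the previous record's MAC (a hash chain)."""
    prev = log[-1]["mac"] if log else "0" * 64
    body = json.dumps({"event": event, "path": path, "prev": prev}, sort_keys=True)
    log.append({"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()})

def verify_log(log, key):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = "0" * 64
    for i, rec in enumerate(log):
        mac = hmac.new(key, rec["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec["mac"]) or json.loads(rec["body"])["prev"] != prev:
            return i
        prev = rec["mac"]
    return -1

def demo():
    """Constructed sample: baseline three files, then edit one, delete one, add one."""
    key = b"constructed-demo-key"  # assumption: in practice held only by the log collector
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("sshd_config", b"PermitRootLogin no\n"), ("hosts", b"127.0.0.1 localhost\n"), ("motd", b"hi\n")):
            Path(root, name).write_bytes(data)
        baseline = snapshot(root)
        Path(root, "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        Path(root, "motd").unlink()
        Path(root, "cron.job").write_bytes(b"0 3 * * * /usr/local/bin/backup\n")
        events = compare(baseline, snapshot(root))
    log = []
    for event, path in events:
        append_event(log, key, event, path)
    return events, log, key
```

The chain exposes edited or deleted records but not removal of the newest ones, so the latest MAC should also be kept somewhere outside the host that stores the log.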