Storage & Data Protection Trends & Innovations To Watch in 2025
2024-9-5 23:40:1 Author: securityboulevard.com(查看原文) 阅读量:8 收藏

It’s all about the data

One thing is clear. The “business value” of data continues to grow, making it an organization’s primary piece of intellectual property. And from a cyber risk perspective, attacks on data are the most prominent threat to organizations.  

Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as the IT systems that store this data.   

So, what does this mean for the security of enterprise storage & backup systems? 

Ransomware has pushed data protection and recovery back onto the IT and corporate agenda. Throughout 2024, ransomware groups have been actively targeting enterprise storage and backup systems, to prevent recovery. 

Claroty

In a survey we ran throughout May-August 2024, we compiled feedback from Storage, Backup and IT Infrastructure leaders in Fortune 500 enterprises. You can access the full report here

The purpose of this survey was to understand their plans and priorities for managing configuration of storage & backup environments, deploying new cyber recovery capabilities, as well as navigating audit compliance requirements. 

Key Findings 

The top 4 configuration areas Storage teams are looking to improve are:
  1. 65% – Detect hardware or software reaching end-of-support
  2. 53% – Detect deviation from ransomware protection best practices and vendor’s hardening guidelines
  3. 53% – On-demand configuration compliance evidence reporting
  4. 44% – Benchmark your security posture score against industry peers
The top 4 security & recoverability areas Storage teams are looking to improve are:
  1. 77% – Backup and restore of system configuration
  2. 63% – Data classification at the storage volume, pool or backup policy level
  3. 58% – Detect devices exposed to security advisories and alerts
  4. 42% – Detect immutability and isolation misconfigurations
The standards that are internally mandated for Storage, Data Protection and Backup Systems include:
  1. 49% – NIST 800-53
  2. 44% – PCI DSS
  3. 33% – CIS
  4. 30% – ISO/IEC 27000 series

Configuration 

Detect hardware or software reaching end-of-support 
By proactively detecting and addressing end-of-support systems, you can ensure continuous security posture and data protection – while improving system reliability. 

Detect deviation from ransomware protection best practices and vendor’s hardening guidelines 
Key strategies include implementing immutable backups, secure snapshots, anomaly detection, user behavior analysis, multi-factor authentication (MFA), two-person integrity controls, and secure time synchronization.  

On-demand configuration compliance evidence reporting 
Manual evidence gathering is hugely time-consuming. By automating these tasks, organizations can operate at scale, efficiently manage diverse systems, and reduce dependence on individual team members, ultimately improving accuracy and consistency in compliance efforts. 

Benchmark your security posture score against industry peers 
Survey participants are keen on benchmarking their security posture against industry peers, probably because it provides a clear understanding of where they stand in terms of security maturity.  

Security & Recoverability 

Backup and restore of system configuration 
In conjunction with data backup, it is crucial to also regularly backup device and system configurations. System configuration includes settings, policies, and operational parameters, and are critical to the proper functioning and performance of storage and backup infrastructure.  

Data classification at the storage volume, pool or backup policy level 
By categorizing data based on its sensitivity—such as personally identifiable information (PII), protected health information (PHI), or social security numbers—organizations can apply appropriate access controls, encryption, and monitoring measures tailored to the level of risk associated with each data type.  

Detect devices exposed to security advisories and alerts 
In recent months, multiple vulnerabilities in storage and backup solutions have been discovered and actively exploited. These include CVE-2022-26500 and CVE-2022-26501 within Veeam Backup & Replication, which allow remote, unauthenticated attackers to execute arbitrary code. And CVE-2021-27876 within Veritas Backup Exec, which allows unauthorized file access through the Backup Exec Agent. 

It’s only a matter of time until even more vulnerabilities are actively exploited by bad actors, putting petabytes of production data at risk, as well as backup copies. Here are some recent news headlines: 

Detect immutability and isolation misconfigurations 
Here’s a list of do’s & don’ts for your immutable backups:  

Do’s  Don’ts 
Configure the immutability retention period  Use secure time synchronization  Enable two-person rule on immutability related settings  Consider enabling anomaly detection  Secure underlying hardware components such as iDRAC, IPMI, BMC, iLO, etc.  Enable local user MFA  Limit number of sessions  Account Login Threshold  Restrict administrative access  Create Security Officer  Disable inactive users  Harden your backup catalog / repository    Many vendor solutions offer multiple flavors of immutable backup – some are softer than others. Weaker immutability mode enable users to alter, disable or remove the immutability option altogether – that of course defeats the purpose of immutability – you want to avoid these modes.  Don’t use the same credentials to manage both primary storage and backup systems  Don’t enable unrestricted remote access   Don’t enable unsecure protocols such as FTP, Telnet or plaintext HTTP  Don’t use unrestricted or vulnerable file shares  Do not allow untrusted hosts to join the Backup domain  Don’t use default passwords  

Industry & Security Standards 

At the beginning of 2024, ISO released ISO/IEC 27040:2024, which provides recommendations for the security of storage & backup systems. 

NIST SP 800-209 – Security Guidelines for Storage Infrastructure is one of the most authoritative guidelines in the industry. It includes a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage & data protection systems. 

The latest regulation to enter the scene in Europe is the Digital Operational Resilience Act (Regulation (EU) 2022/2554) – also known as DORA. The framework requires financial institutions to have a robust and resilient storage and backup system in place, to protect their data from unauthorized access, loss, or corruption.  

PCI DSS 

The Payment Card Industry Data Security Standard (PCI DSS) provides comprehensive requirements for protecting cardholder data, which includes guidelines related to storage and backup systems, like  

regularly scanning and testing storage systems for vulnerabilities and implementing multi-factor authentication for access to storage systems 

CIS 

The CIS (Center for Internet Security) Controls emphasizes several key aspects in securing storage and backup systems, like ensuring backups are encrypted and stored securely, with controls to prevent unauthorized access. 

The post Storage & Data Protection Trends & Innovations To Watch in 2025 appeared first on Continuity™.

*** This is a Security Bloggers Network syndicated blog from Continuity™ authored by Doron Youngerwood. Read the original post at: https://www.continuitysoftware.com/blog/storage-data-protection-trends-innovations-to-watch-in-2025/


文章来源: https://securityboulevard.com/2024/09/storage-data-protection-trends-innovations-to-watch-in-2025/
如有侵权请联系:admin#unsafe.sh