kras99 - stock.adobe.com
How can enterprises enhance object storage security?
Object storage is a popular method for storing data, so security is critical. Access is a big piece, extending across several of the eight security best practices here.
Data stored as objects can take many different forms and sizes, such as analytical data and video files, and volumes can run high -- think petabytes. As a result, object storage security is essential to protect data from hackers, ransomware, and other cyberattacks and risks.
Best practices for object storage security here include access control, backup, physical measures and testing. While some security capabilities are built directly into the storage devices, administrators must ensure multilevel protection of data.
Encryption
Encrypting data helps reduce the likelihood of unauthorized people and organizations accessing it. Code surrounding the object cannot be unlocked without the proper key. It's important to encrypt data at rest and in transit.
Access control
With the proper access controls, objects are protected from unauthorized users. Two-factor and multifactor authentication are among the most popular methods. The user must pass several checkpoints by entering data or responding to an inquiry with the correct answer. Another type, role-based authentication, requires the user to have a specific level of access granted based on the person's job title and responsibility.
Identity and access management user policies
Typically used in cloud environments, identity and access management (IAM) policies limit access to object storage by identifying who can use cloud resources. They assign users the least privileges they need for their work. Four different actions -- inspect, read, use and manage -- define what members of the user group can do.
Preauthenticated requests
In cloud environments, users without IAM credentials or with limited IAM privileges can initiate preauthenticated requests to permit access to objects for a limited time. Admins can grant this access to all objects in a bucket or specific objects in a bucket with a specific code.
Regular backup of objects
For every object, admins should create a copy and store it in an alternate secure location. The same is true when the object's contents change. The largest cloud vendors -- Amazon, Microsoft and Google -- have hundreds of data centers worldwide where they store object backups safely.
Disaster recovery procedures for object storage
Events such as commercial power outages, natural disasters, system failures and network outages could disrupt data storage resources, making it difficult to retrieve critical objects when needed. Typical DR strategies include data backups, backup power systems, redundant storage devices and mirroring of objects to alternate storage locations. Admins can integrate DR plans with storage cybersecurity plans. They should also have incident response procedures to quickly acknowledge an event and initiate steps to mitigate it.
Physical security measures
The storage devices for objects are likely in a physical building. In addition to protecting the data internally, object storage security extends to the building, which must have protection from vandalism, fire, flooding, loss of power and HVAC systems, physical damage and unauthorized access. Examine the four tiers for data centers as defined by the Uptime Institute.
Testing and auditing of security measures
A proactive approach to object storage security is essential. Regularly review and audit security operation logs to detect anomalies or unauthorized access. Conduct periodic audits on security policies and procedures. Perform scheduled and unscheduled tests of objects in storage to ensure they are accessible and have not been compromised. Periodically review storage security policies, plans and procedures.
Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.
