by Michael.Pirro, on Apr 18, 2018 2:06:06 PM
Flood, fire, natural disaster, malware, spyware, ransomware, hardware failure, theft, disgruntled employee and so on, there are a multitude of ways to lose critical data. But for the record, you can rest assured that the undisputed, heavyweight champion of data loss is, none other than “human error”, that’s right; you, me and everyone who uses a computer has potential to damage, delete or lose critical data. Therefore, it is paramount to keep backup copies of critical content for, not only disaster recovery purposes; but also for reasons such as, the need to comply with legal regulations. Nonetheless, the need to keep copies of data for an extended amount of time has inevitably created the need for a strategic long-term storage plan.
The need for long-term, off-site storage, begs the question, “what is the best method for storing my organization’s data off-site for an extended period?”. Many professionals are considering a cloud-based storage solution and, some may have already implemented it. But is the cloud alone - ready for prime time? Are you confident that your cloud-resident data is secure from malicious attacks, among other threats? It is of reasonable concern and just causes that we should be asking ourselves those very important questions.
With regards to cloud storage, do you know who is responsible updating, patching and administering the systems where your critical data resides? Do you know the vulnerabilities of the systems where they are storing your critical data? Should you be concerned? A recently reported breach provides an excellent example of why you should be concerned about your off-site storage strategy.
The article states that “The first of the vulnerabilities, designated in MITRE's Common Vulnerabilities and Exposures (CVE) list as CVE-2017-15548, allows an attacker to gain root access to the servers. This would potentially give someone direct access to backups on the server, allowing them to retrieve images of virtual machines, backed-up databases, and other data stored within the affected systems” (Muncaster). Security researcher Davi Ottenheimer, who exposed the breach, further states in a tweet “no password required for root access to backups. <facepalm> CVE-2017-15548, CVE-2017-15549, CVE-2017-15550...and ofc there are publicly available listeners for "backup and deduplication appliance". stop scanning for them” (Ottenheimer).
That is just one example of the many imminent dangers of storing data online for extended periods of time; not to mention, in the cloud. Now, I’m not saying that someone can’t compromise your tape storage by crawling through the ventilation system of the building and dropping in to the tape vault from the vent on the ceiling using a static line, to then gain access your cold, off-line, tape-stored data. But, the likeliness of something like that happening is slim.
Another consideration is the cost of storing data off-site. Not every company can afford to rent cloud space for data that may never need to be retrieved. Last time I checked, Storing 100 TB of infrequently access data costs anywhere from $1,250 to 3,000 per month for some enterprise cloud storage providers. Compared to off-site storage which could cost as little as $210 for 5 years (based on LTO8 Tape storage (tape cost $150 per tape and hold 12TB of data)). But that is a topic for another discussion.
All caution aside, cloud-based storage is here to stay and there are some clear advantages to storing your data in the cloud. For example, the cloud provides the ability to get your data on to nearline storage where it can be quickly accessed, moved, and deleted. The movement of data to and from the cloud can be a relatively automated process; which adds a convenience factor that is appealing to many I.T. Professionals. That said, the availability of data in the cloud also offers those very same conveniences to those who may gain unauthorized access to your critical data. Therefore, you may want to consider the following protective measures for your data:
Therefore, you may want to consider the following protective measures for your data:
- If you need to store data for a year or more, move that data to cold storage (tape in an off-site location) where it is not exposed to online threats. In addition to securing your data, this will provide you with a low-cost solution.
- If there is a legal requirement to keep critical data “easily accessible” for the first 2 years of its existence, consider WORM media or CAS (content addressable storage) as a near-line storage solution.
- Stay informed. Keep up with vulnerabilities and trends. Know what types of systems your data resides on and, how to protect those systems and, protect them.
By following these basic recommendations, you will make it difficult for hackers to compromise your data and minimize your exposure to data loss. Then you can have some piece of mind that you've done everything possible to secure your data.
Written by Michael Pirro.
Michael is an Enterprise Support Engineer serving NovaStor's DataCenter and xSP communities. The views expressed are his own. Learn more about NovaStor's network backup software.
References
- Gallagher, Sean. "EMC, VMware Security Bugs Throw Gasoline on Cloud Security Fire." Ars Technica. N.p., 10 Jan. 2018. Web.
- Muncaster, Phil. "VMware Issues Critical VDP Update." Infosecurity Magazine. N.p., 4 Jan. 2018. Web. 11 Jan. 2018.
- "Total Cost Analysis For Off-Site Storage." Spectra Logic | Data Storage Experts Delivering Reliable Tape, Disk, Object Storage Solutions for Archive, Backup, Cloud, and Vertical Workflow Applications. Spectra, Feb. 2017. Web. 15 Jan. 2018.
- "VMware Issues Critical VDP Update." Infosecurity Magazine. N.p., n.d. Web. 15 Jan. 2018.
