Thoughts on the future evolution of storage data security
OceanClub | 2025-03-21 18:10 | Published in China

Wen Zhang Dacheng | Data storage security technical expert at a large IT company

In recent years, as the value of data has been mined ever more deeply, attacks on data have become frequent. Under this trend, the storage industry has made data security a key direction for building its core capabilities. Market feedback shows that storage-side ransomware protection is gradually being accepted by users. As a compliance solution, storage encryption is increasingly recognized by users because it requires no changes to business applications and has high performance. Immutable snapshots and backup copies, which ensure that key data can be recovered, are regarded even more as a basic housekeeping capability of storage. In today's industry security architecture, network and host security still occupy the core position, but the importance of storage security solutions is increasingly prominent, and they have become an indispensable part of the overall network security defense system.

So, where should storage data security go in the future? Against the background of increasingly prominent data value, how can the inherent advantages of storage technology be brought into full play to inject more vitality and efficiency into users' data security solutions? With these questions in mind, the author has sorted some fragmented thoughts from daily work into this short essay, hoping to exchange views with readers.

According to reports from security companies such as Splunk and Check Point, attacks on data have become the mainstream of network attacks in recent years as the value of data is continuously mined. In 2022, the number of attacks per organization per week increased by 38% year on year, and a large number of them targeted data. 79% of enterprises were attacked by ransomware within two years, and for 35% data and business were affected. Judging from the year-on-year increase in attack cases, security solutions built only on the network and host side are falling behind the growing number of complex attacks.

Under this trend, the potential of storage data security has been continuously explored: on-disk encryption to protect data confidentiality; ransomware detection and recovery technology to protect data availability and integrity; and WORM, secure snapshots, disaster recovery and archiving technologies. Disk encryption solves the problem of data leakage after storage media are stolen. The anti-ransomware solution determines whether data is being encrypted in bulk based on abnormal changes in the statistical characteristics of the data (such as entropy changes and the deduplication and compression ratio). Compared with network- and host-side security solutions, storage systems have unique advantages in protecting the data on disk.
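As an added illustration of the storage-side detection idea above (this is example code written for this page, not a vendor's or the author's implementation), the following Python computes the two statistics the text names, per-block Shannon entropy and compressibility, and flags a write window only when both shift sharply relative to the volume's own baseline. The block size, thresholds and sample blocks are constructed assumptions; comparing against a per-volume baseline rather than a fixed threshold is what keeps already-compressed or already-encrypted volumes from producing false positives.

```python
import math
import random
import zlib
from dataclasses import dataclass

BLOCK = 4096  # block size used for per-block statistics (constructed example value)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; values near 1.0 mean incompressible data."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


@dataclass(frozen=True)
class DataProfile:
    """Average statistics over a set of blocks."""
    entropy: float
    ratio: float


def profile_blocks(blocks) -> DataProfile:
    blocks = list(blocks)
    ents = [shannon_entropy(b) for b in blocks]
    ratios = [compression_ratio(b) for b in blocks]
    return DataProfile(sum(ents) / len(ents), sum(ratios) / len(ratios))


def looks_like_mass_encryption(baseline: DataProfile, window: DataProfile,
                               entropy_delta: float = 1.5,
                               ratio_delta: float = 0.25) -> bool:
    """Flag a write window whose data became both much more random *and* much
    less compressible than this volume's own baseline. Judging the delta against
    the volume's baseline, not an absolute level, keeps archives, media files and
    encrypted-at-rest volumes from tripping the detector."""
    return (window.entropy - baseline.entropy >= entropy_delta
            and window.ratio - baseline.ratio >= ratio_delta)


# ---- constructed sample data (not captured from any real system) -------------
_rng = random.Random(7)
_LOG_LINE = b"2025-03-21 18:10:01 INFO backup job 17 completed in 4.2s\n"


def _text_block() -> bytes:
    """Plain-text block: low entropy, compresses very well."""
    return (_LOG_LINE * (BLOCK // len(_LOG_LINE) + 1))[:BLOCK]


def _random_block() -> bytes:
    """Stands in for ciphertext or already-compressed content."""
    return _rng.randbytes(BLOCK)


def demo_text_volume() -> bool:
    """Plain-text volume whose latest writes are ciphertext-like: should alert."""
    baseline = profile_blocks(_text_block() for _ in range(32))
    window = profile_blocks(_random_block() for _ in range(32))
    return looks_like_mass_encryption(baseline, window)


def demo_compressed_volume() -> bool:
    """Volume that always held incompressible data: new random writes are normal."""
    baseline = profile_blocks(_random_block() for _ in range(32))
    window = profile_blocks(_random_block() for _ in range(32))
    return looks_like_mass_encryption(baseline, window)


if __name__ == "__main__":
    print("text volume alert:", demo_text_volume())
    print("compressed volume alert:", demo_compressed_volume())
```

A production detector would additionally weight the result by write rate and by how many distinct files are touched, because a single large ciphertext write (a legitimate encrypted backup, for example) has the same per-block statistics as a ransomware run.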

However, during discussions some users have questioned the value of storage security solutions. For example, some users point out that storage is usually deployed deep in the network, so its security capability only acts on the last link of the kill chain, the so-called "last line of defense". If data in storage is attacked, the attacker has already penetrated deep into the network and obtained execution permissions on key nodes (such as servers or business systems). According to kill chain theory, blocking an attack at the front of the kill chain brings more obvious benefits: the earlier the attack is blocked, the less the attacker has intruded into the system; the later it is blocked, the deeper the attack has penetrated the user's network, and the greater the damage and loss.

Users' questions are based on the traditional defense-in-depth system, and historically they were correct. On the other hand, this has also led to the industry's historical practice of emphasizing network protection while neglecting data protection. It is like a family that renovates only its doors with security doors while the valuables at home are left unprotected on the table, so a thief who gets into the room can easily take them all. However, as data becomes the core asset and a factor of production, our security design concept is quietly changing. A key feature of data security, seen from the perspective of the data lifecycle, is to ensure that data is protected by security policies matching its value throughout its lifecycle. Because data is easy to modify and copy, insufficient protection at any link in the data lifecycle may lead to the loss of data assets. Therefore, the value of storage, as the "container" of data, for data security needs to be re-evaluated. According to zero trust theory, attacks may come from outside the network boundary or from within the organization. Currently, some storage vendors are beginning to apply security solutions previously used only on high-security systems to storage devices, for example a Vault mode in which changes to key storage configurations must be confirmed by multiple administrators at the same time. This also reflects that the industry is re-examining the positioning of storage and strengthening its role in data security.

To sum up, future data security will pay more attention to the protection of the entire data lifecycle and strengthen the security measures of storage devices to better protect users' data assets and ensure data security and integrity.

The following are some of my thoughts on the future direction of storage data security:

Direction 1: expand the boundary of the storage security solution

Provide detection and protection against data attacks from the front end of the kill chain, combining the security capabilities of the host and the network to protect data before it is actually destroyed. There are two feasible ideas for achieving this goal:

Idea 1: integrate more deeply into the user's security defense system and build a security analysis capability that spans network, storage and compute. Security information from networks, hosts and storage is integrated, analyzed and acted on together.

Storage reports its storage-side detection results to the security threat detection system for analysis. At the same time, when the threat detection system detects a potential attack on the network or host side, it can notify the storage to protect critical data in advance through snapshots, backups and other methods, or to disconnect the network link between the backup system and the production system so that the backup system is not compromised. Currently, North American storage vendors have built a security ecosystem integrating network, storage and compute, combining storage-side security solutions with network- and host-side solutions to provide broader network threat detection and DLP (data leakage prevention) solutions.

Idea 2: deploy a storage-specific private client on the host to extend the storage system's attack detection capability to the host side. The private client collects host-side information (such as processes' data access behavior) and sends it to the storage, which establishes a behavior baseline for each process; combined with data feature change detection on the storage, this forms a more refined security monitoring mechanism.

When a potential attack is detected on the host side, the storage can act in advance: for example, protect data with non-intrusive methods such as secure snapshots and I/O-level CDP, and notify the administrator to investigate. In fact, some vendors have already begun to explore this. For example, storage backup solutions often require an agent deployed on the host to perform backup operations, and some backup vendors reuse this backup agent to monitor the security status of the host, even deploying decoy files on the host to strengthen detection of attacks on it.
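The per-process behavior baseline of Idea 2 and the linkage response of Idea 1 (storage reacting to a host-side signal with snapshots, and isolating the backup link) can be sketched together. The Python below is an added example written for this page, not code from any vendor's agent or from the author; the report format, the feature set, the z-score threshold and the sample intervals are all constructed assumptions. The point it demonstrates is that a baseline learned per process lets a chatty backup agent stay normal while an office application that suddenly renames and rewrites hundreds of files stands out, and that the response escalates only when host-side and storage-side evidence agree.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AgentReport:
    """One reporting interval from a hypothetical storage-side agent on the host
    (assumed format; the post names no concrete agent protocol)."""
    process: str         # host process name as seen by the agent
    files_written: int   # distinct files written in the interval
    files_renamed: int   # renames in the interval (mass renames typify encryption runs)
    mib_written: float   # data volume written in the interval


FEATURES = ("files_written", "files_renamed", "mib_written")


class ProcessBaseline:
    """Per-process behaviour baseline learned from agent reports.

    The deviation of a new report is the largest per-feature z-score against that
    process's own history, so a backup agent that always writes a lot is normal,
    while an office process that suddenly writes hundreds of files is not."""

    def __init__(self, min_samples: int = 5, threshold: float = 4.0):
        self.min_samples = min_samples
        self.threshold = threshold
        self._history = defaultdict(list)

    def deviation(self, report: AgentReport) -> float:
        hist = self._history[report.process]
        if len(hist) < self.min_samples:
            return 0.0  # not enough history yet: unknown, not anomalous
        worst = 0.0
        for name in FEATURES:
            values = [getattr(r, name) for r in hist]
            mu = mean(values)
            sigma = max(pstdev(values), 1.0)  # floor avoids division by zero on constant baselines
            worst = max(worst, (getattr(report, name) - mu) / sigma)
        return worst

    def observe(self, report: AgentReport) -> float:
        """Score the report and, only if it is normal, fold it into the baseline
        so that an ongoing attack cannot teach the detector that it is normal."""
        score = self.deviation(report)
        if score <= self.threshold:
            self._history[report.process].append(report)
        return score


def decide_response(host_score: float, storage_flag: bool, threshold: float = 4.0):
    """Linkage policy: combine the host-side score with the storage's own
    data-feature detector. Actions are non-intrusive first (snapshot, alert);
    the backup link is isolated only when both sides agree."""
    host_anomaly = host_score > threshold
    if host_anomaly and storage_flag:
        return ["secure_snapshot", "isolate_backup_link", "alert_admin"]
    if host_anomaly or storage_flag:
        return ["secure_snapshot", "alert_admin"]
    return []


# ---- constructed sample reports (not captured from any real host) ------------
def demo():
    baseline = ProcessBaseline()
    # five quiet intervals each for a chatty backup agent and an office application
    for n in (195, 200, 205, 200, 200):
        baseline.observe(AgentReport("backup_agent", n, 0, n * 4.0))
    for _ in range(5):
        baseline.observe(AgentReport("winword", 2, 0, 1.5))
    backup_score = baseline.observe(AgentReport("backup_agent", 210, 0, 840.0))
    office_score = baseline.observe(AgentReport("winword", 400, 400, 300.0))
    return {
        "backup_score": backup_score,
        "office_score": office_score,
        "backup_response": decide_response(backup_score, storage_flag=False),
        "office_response": decide_response(office_score, storage_flag=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sigma floor of 1.0 is deliberate: a process whose history is perfectly constant would otherwise turn any change into an infinite score, and a floor in the units of the feature (one file, one MiB) keeps tiny fluctuations from alerting.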

Direction 2: continue to explore the endogenous security potential of stored data

Currently, storage protection solutions focus on ensuring data integrity and availability. Once attacked, users can quickly restore data access by relying on backup and archiving mechanisms, minimizing the losses caused by the attack. However, existing solutions are relatively weak in protecting data confidentiality. Although storage disk encryption effectively prevents leakage caused by media loss, in current data attack scenarios leakage or damage is more often caused by breaches of the network, the host operating system (OS) and business access control. Once an attacker is authorized, they can extract data from the storage system under a legitimate identity.

To address this problem, the author has the following two ideas:

Idea 1: build an independent authentication and authorization mechanism that does not depend on the host's ACLs. Specifically, an ABAC (Attribute-Based Access Control) mechanism can be built into the storage, which combines the data access time window, the server's remote authentication (attestation) result, and even network packet loss rate, message latency and other information to comprehensively decide whether access to data is allowed. Further, combined with a client agent deployed on the host, more fine-grained access control can be implemented, such as stricter control of sensitive data, or binding access to a specific directory to a specific application.
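To make the ABAC idea concrete, here is an added example (written for this page, not the author's or any storage vendor's implementation) of a small deny-overrides policy evaluator over exactly the attributes the paragraph lists: time window, remote attestation result, link packet loss and latency, and the application reported by a host agent. The sensitive tree `/finance/`, the application name `payroll-svc`, the link thresholds and all request values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Attributes the storage evaluates itself; none of them come from host ACLs."""
    subject: str        # identity authenticated by the storage
    app: str            # application reported by the (hypothetical) host agent
    action: str         # "read", "write" or "delete"
    path: str           # share-relative path
    hour: int           # local hour of the request, 0..23
    attested: bool      # server remote authentication / attestation result
    packet_loss: float  # observed loss rate on the client link, 0.0..1.0
    latency_ms: float   # observed round-trip latency on the client link


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                              # "permit" or "deny"
    matches: Callable[[AccessRequest], bool]


def evaluate(rules: List[Rule], req: AccessRequest) -> Tuple[str, str]:
    """Deny-overrides combining: any matching deny wins; otherwise the first
    matching permit applies; if nothing matches, the default is deny."""
    permit = None
    for rule in rules:
        if rule.matches(req):
            if rule.effect == "deny":
                return "deny", rule.name
            if permit is None:
                permit = rule
    if permit is not None:
        return "permit", permit.name
    return "deny", "default-deny"


# Constructed policy values for the example.
SENSITIVE = "/finance/"
LINK_MAX_LOSS = 0.05
LINK_MAX_LATENCY_MS = 50.0

POLICY = [
    Rule("sensitive-requires-attested-server", "deny",
         lambda r: r.path.startswith(SENSITIVE) and not r.attested),
    Rule("sensitive-writes-in-business-hours", "deny",
         lambda r: r.path.startswith(SENSITIVE) and r.action != "read"
         and not 8 <= r.hour < 18),
    Rule("writes-need-healthy-link", "deny",  # a degraded link is treated as a risk signal
         lambda r: r.action != "read"
         and (r.packet_loss > LINK_MAX_LOSS or r.latency_ms > LINK_MAX_LATENCY_MS)),
    Rule("payroll-dir-bound-to-payroll-app", "deny",  # directory bound to one application
         lambda r: r.path.startswith("/finance/payroll/") and r.app != "payroll-svc"),
    Rule("attested-read", "permit",
         lambda r: r.action == "read" and r.attested),
    Rule("attested-write", "permit",
         lambda r: r.action in ("write", "delete") and r.attested),
]


def decide(**attrs) -> Tuple[str, str]:
    return evaluate(POLICY, AccessRequest(**attrs))


def demo():
    """Constructed requests: one legitimate payroll write and several variations."""
    base = dict(subject="svc-payroll", app="payroll-svc", action="write",
                path="/finance/payroll/2025-03.csv", hour=10,
                attested=True, packet_loss=0.01, latency_ms=12.0)
    return {
        "normal": decide(**base),
        "after_hours": decide(**{**base, "hour": 23}),
        "wrong_app": decide(**{**base, "app": "powershell"}),
        "unattested": decide(**{**base, "attested": False}),
        "degraded_link": decide(**{**base, "latency_ms": 400.0}),
        "read_other_tree": decide(**{**base, "action": "read",
                                     "path": "/shared/readme.txt", "app": "explorer"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Returning the name of the deciding rule alongside the verdict matters for operations: a storage-side denial that the host's own ACL would have permitted is precisely the event an administrator needs to see in the audit log.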

Idea 2: a better attack detection solution. Currently, storage has built an anti-ransomware detection scheme, and a complete anti-ransomware storage solution including response and recovery is built around this detection capability. In the future, this attack detection capability can be extended to a wider range of attack types, including mining data features in storage that can predict attacks and extending the detection algorithms to analyze insider behavior. At the same time, combined with the boundary-expansion idea of Direction 1, attack behaviors on the host and network side can be analyzed in more dimensions, especially for detecting data theft.

Direction 3: improve the security of the storage system itself and the anti-attack capability of the data security solution

Currently, the main attack mode faced by storage systems is attacks on hosts and servers: once attackers obtain permissions on these devices, they can use legitimate read and write operations to destroy the stored data. However, as storage security protection technology continues to improve, attackers will in future find it harder to destroy data as easily as before after compromising hosts and servers.

To meet this challenge, attackers may adopt more complex strategies. For example, after successfully invading hosts or servers, they may further penetrate the storage system and attempt to destroy its own security protection mechanisms, clearing the way for subsequent data destruction.

In response to this prediction, we should re-examine the security design concept of the storage system itself, so that the protection mechanism for high-security data can still function when the storage system has been partly compromised (for example, attackers have obtained privileged accounts of the storage system). Such high-security protection mechanisms often need to rely on hardware features, which have a non-negligible impact on read and write performance. Therefore, it is unrealistic to cover all data with full high-security protection. We need to design a data classification and tiered protection scheme based on the storage security architecture and system architecture. Ideally, data in the system is protected in different classes according to its classification and security risk, providing anti-attack capability for high-value data and services.

Another way to improve the anti-attack capability of storage itself is to work at the disk level. Suppose the storage software is compromised and the attacker obtains all permissions; the data remains secure as long as the disk refuses to perform malicious operations. Some vendors in the industry have launched anti-ransomware disks, which is an attempt in this direction.

The above are only some personal thoughts; I will continue to share with you in the future.
