Protect Your Data Too, Plz

Security conversations often revolve around outwardly-facing edge technologies like firewalls and IDS. These help harden the shell against external threats, but internal threats are just as dangerous. Data is what attackers want, which is why it's just as important to be vigilant about security inside the perimeter.

In a standard security model, all of the time and attention is directed to the edge, and for good reason. Protecting against DDoS, zero-day attacks, ransomware and malware coming through email attachments and/or bad links are essential to good security. The trouble is, it is not enough. Eventually, an attack is going to succeed. And how much damage an organization sustains (if any) from that attack is going to be entirely dependent on how well the operating environment is protected inside of the protective edge.

Zero-Trust (and 100% verify)

The modern security model that describes this approach is known as "Zero Trust Architecture." If you want to do a deep-dive on the nitty-gritty of Zero Trust, there is of course a NIST publication on that, specifically this one: NIST SP 800-207: Zero Trust Architecture. (Note that at only 59 pages, page-count wise, this publication is actually not that bad from the usual NIST standards of verbosity.)

For our purposes, a simple paraphrase of the NIST definition will do: Zero Trust Architecture moves defensive strategiess from static, network-based perimeters to focus on users, assets, and resources. A Zero Trust model basically states that all users, programs, or devices will be treated as untrusted unless they are specifically granted access to specific resources.

It is equally important that systems are logging access- both successful and unsuccessful. This is a standard procedure when it comes to firewalls and Application Gateways, but often stops being a priority once the system design gets past the edge. As we will see, knowing what is going on inside your security perimeter is just as important as knowing what's going on at that perimeter- especially in the event of a post-mortem analysis after an attack.

Designing a storage environment for active security

Designing any environment using a stringent deny-first model such as Zero Trust is tough. It requires constant vigilance, and if the environment is at all dynamic, it can require constant updating of access rights. This is especially important when it comes to storage. Realistically, your data is what attackers are after. They are not trying to steal your firewall, or your load balancer. They are trying to steal your data. In order to best protect that data, you will need to know all of the things you look for when it comes to edge protection: where your data comes from, who accesses it (and why, and when), and where and how it is stored (and for how long). It helps to think of these things in terms of active vs. passive protection.

The easiest example to use when thinking about passive protection is backups. If you have an incident, your backups provide you with a way to recover. And it should be made clear- backups are still very important. In a worst case scenario, having a known good backup to recover from could be the difference between being down for a few days vs. going out of business entirely. Also, backups don't just protect you from attacks. They protect you from power outages, floods, etc... the force majeure types of events that knock buildings down. So make no mistake; backups are still essential. They just should not be considered the only thing that's needed.

Active protection takes steps that simple data protection and recovery don't. Active protection gives you intelligence about who is accessing (or trying to access) your data. If there is an attempt that is outside of the specific approved transactions list outlined by your security team and your storage team, active protection alerts you about it in real time. The goal of active protection is to stop an attack on your data as soon as possible, rather than simply recovering from backup hours (or days) after the attack has completed.

Active protection example - cross-country shopping spree

Active protection operates in the same way as a credit card company. The activities of anyone who uses a credit card are logged, resulting in defined usage paths and patterns. If a purchase falls in the defined usage pattern, that purchase will be allowed, and logged. If something happens that is far outside of a normal usage pattern, that activity will be stopped and you will have to contact your credit card company to assess and approve. Think about it like this: You usually shop on the east coast- say, King of Prussia, PA. If you buy several things at the mall there, your credit card company is going to allow those purchases to go through. If then, 10 minutes later, someone tries to buy an airline ticket at the counter at LAX, your credit card company is going to decline that purchase and contact you. This is far outside your normal processes (and, geographically, far away from where you just made known good purchases).

By paying attention to your activities in real time, the active protection stops the transaction pending further authorization. This makes recovery a lot easier than if the transactions went through cleanly and you only learned about them in total when you got your credit card bill weeks later.


Data is the common currency when it comes to IT attacks on organizations. Data is increasing tremendously, with some sources citing a 28% Year-Over-Year increase in enterprise data. And with Ransomware having it's 'best' year ever in 2021, bad actors attempts to exfiltrate data are only going to increase. While endpoint protections are essential, and backup solutions are invaluable, storage systems often lack the same attention from security teams (and architects). This is an opportunity to re-evaluate security policy, and put some much-needed attention on the systems that hold what matters most to an organization- its data.