
Marc Staimer, President & CDS, Dragon Slayer Consulting

The 3 Devastating Holes Exposing Your High-Value Data
And How To Cost Effectively Fix

White Paper


WHITE PAPER • The 3 Devastating Holes Exposing Your High-value Data – And How To Cost Effectively Fix

Dragon Slayer Consulting • Winter 2015

The 3 Devastating Holes Exposing Your High-value Data – And How To Cost Effectively Fix
Marc Staimer, President & CDS of Dragon Slayer Consulting

Introduction

News reports and stories about cyber thefts, break-ins, and hacks used to be rare. Anyone seeing the news on the Internet, Facebook, TV, or print knows that is definitely no longer the case. The relentless growth of data exposures, hacks, and thefts is overwhelming. Just a cursory look at the most infamous incidents paints a very ugly picture:

• US Federal OPM: at least 22 M high security clearance records (possibly the entire Federal employee database)
• Heartland Payment Systems: 130 M patient records
• Target Stores: 110 M customer records
• Sony Online Entertainment: 102 M user and customer records
• US National Archive & Records: 76 M records
• Anthem: 69 M patient records
• Epsilon: 60 M customer records
• Home Depot: 56 M customer records
• Evernote: 50 M customer records
• Living Social: 50 M customer records
• TJX Companies: 46 M customer records

There are dozens to hundreds of events that aren’t as large or newsworthy but are just as damaging and disturbing. But as disturbing as these events and threats are, they are at least well understood, known, and preventable. It is the less well-known events that are the more disturbing threats. This paper examines the 3 most critical, damaging, and, sadly, most infrequently acknowledged security issues and Imation’s solution to these problems:

1. The insider threat.
2. The emergence of “Shadow” or “Rogue” IT.
3. The inability for IT to identify, secure, make compliant, and protect high-value data.

Note: The term “high-value data” is used throughout this document. It is critical to be clear on what is meant when referring to high-value data. High-value data is, by definition, an organization's critical files that must be safeguarded from tampering, theft, loss, and corruption. Any loss of high-value data is typically considered quite costly to the organization.


Table of Contents

Introduction
The Insider Threat
  What Exactly Is An Insider Threat
  What, Who, Where Data Stolen
  What Those Insider Thefts Are Costing
Rogue or Shadow IT
The Inability For IT To Identify, Secure, Make Compliant, And Protect High-Value Data
How Nexsan Solves and Fixes Those Devastating Problem Security Holes
  Lock and Key Storage Administration
  Guaranteed File Integrity
  Highly Secured Files with Privacy
  Comprehensive Risk Mitigation
  Data Mobility Security
Affordably Closing Those Devastating Security Holes
Final Thoughts
For More Information


The Insider Threat

Since “Insider Threats” don’t get the headlines, it’s important to place their threat in context with today’s cyber threat laundry list. Approximately 96% of all cyber breaches over the last 11 years fell into 9 categories per Verizon’s “Worldwide 2015 Data Breach Investigation Report.” These 9 categories, listed in descending order from most to least numerous, are:

• Miscellaneous Errors
• CrimeWare
• Insider Misuse
• Physical Theft/Loss
• Web App Attacks
• Denial-of-Service (DOS)
• Cyber-Espionage
• POS Intrusions
• Payment Card Skimmers

What Exactly Is An Insider Threat

A breakdown of the reported events in calendar year 2014 makes clear that insider misuse was the third most numerous of the cyber threats. What exactly is insider misuse? Insider misuse is broadly defined as users behaving badly, abusing privileges, goofing up, becoming infected, being stupid, and losing stuff. Approximately 40% behave badly primarily for monetary gain. The insider either sells the stolen high-value data or uses it to compete against their former employer. Others who misbehave primarily have good intentions of doing the right thing by making themselves more productive at their jobs. They implement non-approved IT workarounds that can and do have unintended and organizationally undesirable consequences. More on this will be discussed later under the Shadow IT section. Who they are varies, but the vast majority are end users.

Insider threats come from those who deliberately steal intellectual property, commit fraud, commit sabotage, or are just plain incompetent. But the real problem with insider threats is that far too many incidents are not reported at all. The number of unreported events is startling: as many as 72% of insider theft, fraud, sabotage, and incompetence occurrences are underreported¹. One key reason they’re not reported is that the incidents are handled internally to avoid bad publicity¹. There is commonly a lack of prosecutorial evidence, so no authorities are involved and no public announcements or proclamations are made. However, the disconcerting reason they’re unreported is that they’re mostly not discovered or exposed¹.

¹ Source: CERT Software Engineering Institute


What, Who, Where Data Stolen

Based on 2013 compiled statistics (published in 2014¹), the majority of the thefts were information technology proprietary data at 35%. Coming in second was proprietary financial information at 13%. Approximately 70% of thefts occurred onsite inside the firewall; 62% were from current employees; 21% were former employees; and 17% were trusted partners. Statistics² from 2014 showed that 50% of the perpetrators were the organization’s own employees. An additional 44% were trusted third party contractors with legitimate access, while 38% were authorized administrators.

What Those Insider Thefts Are Costing

Of the known insider thefts in 2013, approximately 48% were greater than or equal to $1 million, whereas more than 71% were at least $100 thousand. The rest is unfortunately unknown at this time.

Rogue or Shadow IT

When end users go outside of their organization to get IT services, that is considered rogue or shadow IT. It occurs when employees and executives endeavor to make their lives easier and more productive. They become frustrated with internal IT processes, security, or limitations. That frustration leads them to develop their own workarounds. Those workarounds come from external outside services.

Take the very common example of the end user wanting to work from home on their smartphone, tablet, or personal laptop. IT may not provide an easy or convenient way for that end user to do their work on their personal devices because they do not want to support them. The end user then takes matters into their own hands by using a free public file sync and share such as Dropbox, or a web based email service (parking their files as attachments), or uploads their work directly from their desktop to their smartphone/tablet, or even an unauthorized thumb drive. None of these processes are IT authorized. In all cases high-value organizational data is now beyond the firewall. Once it exists beyond the firewall it is no longer under control of IT or IT security, compliance, or data protection processes.

Another just as common example is IT limiting the size of an email attachment to 5MB to manage the load on the organizational email server. But 5MB today is very low. Even 10MB limits are low for multi-media presentations, video files, or large PowerPoint files. Frustrated end users will sign up for a free email service from Google, Microsoft, Yahoo, or their ISP to overcome these limitations. Once again high-value organizational data is outside of IT control and no longer subject to IT security, compliance, or data protection processes.

One additional example is departmental cloud application use and/or development. If the organization’s IT cannot deliver the applications a department requires in the timeframes it requires, it is a very simple thing for that department to find it from a managed service provider in the cloud. So if they need a quality CRM quickly and IT can’t deliver, they can contract with Salesforce.com or others and have it in a matter of hours. If they need a database application, ERP, marketing lead tracking, and more, they have similar cloud choices. Even if they want to develop a custom application, they may be able to develop and deploy quicker from a cloud service provider than internally developed by IT. None of that high-value data is under the control of the organization’s IT and is not subject to the IT security, compliance, or data protection processes. And never assume that just because data is created and/or stored in a cloud service provider that it is secure, compliant, or protected. Those are additional cost-based services that end users rarely think about.

² Source: Vormetric


The Inability For IT To Identify, Secure, Make Compliant, And Protect High-Value Data

This is perhaps the biggest objection most IT professionals have when told to solve the insider threat. How do they identify high-value data? If they can’t identify it, how can they ensure security, compliance, and data protection? Not being able to identify high-value data means it is quite difficult to secure it from:

• Changes
• Malicious destruction
• Accidental deletion
• Degradation over time
• Hardware failures
• Software failures
• Copying-theft
• Unauthorized movement
• Unauthorized sharing
• Covering-up audit trails

Not being able to identify high-value data means it is rather complicated to ensure compliance against:

• Changes
• Modifications
• Metadata alterations
• Deletions
• Breaches
• Degradations
• Compromises

Failure to ensure compliance can result in significant fines and penalties ranging into the millions of dollars depending on the industry (healthcare - HIPAA HITECH, financial services - Basel II and III, publicly traded companies - Sarbanes Oxley, etc.).

Not being able to identify high-value data also means increasingly expensive data protection processes. High-value data must be protected against a variety of maladies including hardware failures (44% of the time³), human errors (32% of the time³), software corruption (14% of the time³), malware (7% of the time³), and disasters such as floods, hurricanes, monsoons, tsunamis, earthquakes, tornadoes, fire, etc. (3% of the time³). Failure to protect high-value data can and often does lead to organizational collapse far more grave than the compliance failure fines.

And this is why failing to identify high-value data leads to data protection cost escalation. Instead of protecting just the high-value data, all of the data must be treated as high-value and protected as such. It does protect the high-value data; however, data recoveries become much more complicated and time consuming when a disaster strikes. Instead of recovering the high-value data first and meeting recovery time objectives for the most mission critical workloads, all of the data must be recovered. That extra non-high-value data extends RTOs ranging from additional hours to days to even weeks. Historical studies have revealed businesses that fail to recover the high-value data within 2 weeks frequently go out of business within 2 years⁴.

Very few traditional storage systems or applications flag the high-value data. And the high-value data itself doesn’t identify itself as high-value. Without automated high-value data identification systems, identifying that high-value data becomes a laborious, tedious, time consuming, and ongoing set of processes that no one likes or wants to do. In other words, it does not get done and becomes a silent, waiting, ticking time bomb. This is why Nexsan has come up with a cost effective fix to these problems.

³ Source: Protect Data
⁴ Source: Gartner


How Nexsan Solves and Fixes Those Devastating Problem Security Holes

Doing business with thousands of organizations in over 100 countries worldwide has shown Nexsan that these are very serious issues that need resolution. Their exceptional portfolio has given them the essential tools necessary to fix the problems of insider threats, mobile security, and high-value data identification.

The basis of that solution is the “Secure Data Movement Architecture” or SDMA. SDMA identifies and protects high-value data from loss, leakage, destruction, or resurrection; manages it through policy based controls and security; safeguards that high-value data with a holistic approach; and empowers the end users while preventing them from behaving badly.

It must start with high-value data identification. Nexsan provides a “free” downloadable tool (https://www.nexsan.com/data-discovery-tool-sign-up/) that enables easy identification and location of high-value data. But the rest of the answer comes from Nexsan's Assureon Secure Archive Storage system. Assureon is an intuitive, easy to use secure archival storage system.

It utilizes a Windows client that automatically moves and migrates data from Windows servers to Assureon, leaving a stub or optionally the original file in place on the server so no manual intervention is required. It makes it quite simple to establish the archiving policies that automatically archive files and folders while being completely transparent to the users and applications. But pull is not the only way data is moved into Assureon. Assureon looks and feels like a standard CIFS or NFS mount point that empowers files to be pushed into Assureon. Scalability is not an issue as the Assureon can start small and scale into multiple petabytes incrementally. And single instancing (deduplication) eliminates stored duplicate files. Assureon protects high-value data against the other two seriously damaging vulnerabilities of the insider threat and rogue IT through the clever utilization of a series of unique capabilities including:

• Lock and key storage administration
• Guaranteed file integrity
• Data protection replication between Assureon systems and/or Assureon cloud service providers
• Highly secured files with privacy
• Comprehensive risk mitigation
• Data mobility security

Lock and Key Storage Administration

Remember that approximately 38% of the insider thefts came from administrators with proper authority. The Assureon lock and key storage administration makes that significantly more difficult. It provides a 2-stage authentication system that uses Imation’s exclusive IronKey technologies. It locks down storage administration to those that have both an assigned IronKey™ Secure Storage device and administrative credentials. It’s easily deployed and administered while providing central authorization/de-authorization control. It unlocks storage administration for one to many systems; self-destructs after 10 incorrect password attempts; utilizes a secured Firefox web browser for storage administration; while also providing a storage administrator audit trail.


Guaranteed File Integrity

A unique “fingerprint” representing each file's content is generated upon ingestion, including a unique serial number and a timestamp. That fingerprint takes advantage of dual hashing with both MD5 and SHA1, unlike most fingerprinting technologies, which utilize only a single hashing technique. Both techniques have flaws. But by using both in conjunction those flaws are eliminated or at least mitigated. That MD5/SHA1 hash stays with the file throughout its life, validating the file’s integrity during ingestion and replication, as well as in on-going integrity checks. Automated integrity checks compare both hashed copies. This file health/integrity validation preserves the original while making sure it’s available in the same state as when it was given its ingestion fingerprint. Assureon regularly and automatically self-audits by monitoring files for fingerprint discrepancies every 90 days. It checks the health of each file, looking for any changes to the file from tampering, corruption, bit rot, accidental deletion, or deliberate deletion. Any time a file no longer matches its fingerprint, Assureon self-heals by repairing and restoring it to its original state. Then it sends an email alert to the administrator. The entire process is automated with a complete audit trail. Note that Assureon audits are far more extensive, complete, and reliable than the more common checksum audits utilized in most storage systems. This ensures the files are kept whole, chain of ownership intact, uncorrupted, unchanged, unaltered, undeleted, unaffected, and available when needed.

It protects the data against users behaving badly by accidentally or maliciously deleting or altering files.
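The ingest-time fingerprint and the periodic self-healing audit described above, as an added example that is not Nexsan's code: each file gets a serial number, a timestamp and the MD5/SHA-1 pair, a 90-day audit re-hashes the primary copy and restores it from a replica when the pair no longer matches, and an alert hook stands in for the e-mail to the administrator. The in-memory archive, the replica dictionary and the constructed file contents are assumptions.

```python
import hashlib
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUDIT_INTERVAL = timedelta(days=90)   # the self-audit cadence the page describes


@dataclass(frozen=True)
class Fingerprint:
    serial: int            # unique serial number assigned at ingestion
    ingested_at: datetime  # ingestion timestamp
    md5: str
    sha1: str


def dual_hash(data):
    """Return the (MD5, SHA-1) pair the page uses as the file fingerprint.
    Both algorithms are weak against collisions today; the audit logic below
    is unchanged if SHA-256 is substituted for either of them."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


class Archive:
    def __init__(self, alert):
        self._serial = itertools.count(1)
        self.files = {}          # name -> bytes, primary copy (assumed in-memory)
        self.replica = {}        # name -> bytes, replica on a second system/CSP
        self.fingerprints = {}   # name -> Fingerprint
        self.last_audit = {}     # name -> datetime of the last integrity check
        self.alert = alert       # stand-in for the e-mail alert to the admin
        self.audit_log = []      # (event, name, serial) tuples

    def ingest(self, name, data, now):
        md5, sha1 = dual_hash(data)
        fp = Fingerprint(next(self._serial), now, md5, sha1)
        self.files[name] = data
        self.replica[name] = data
        self.fingerprints[name] = fp
        self.last_audit[name] = now
        self.audit_log.append(("ingest", name, fp.serial))
        return fp

    def verify(self, name, data=None):
        """True when a copy (the primary by default) still matches both hashes."""
        fp = self.fingerprints[name]
        if data is None:
            data = self.files.get(name)
        if data is None:                  # deleted, accidentally or deliberately
            return False
        return dual_hash(data) == (fp.md5, fp.sha1)

    def audit(self, now):
        """Check every file whose 90-day check is due; heal from the replica."""
        healed = []
        for name, fp in self.fingerprints.items():
            if now - self.last_audit[name] < AUDIT_INTERVAL:
                continue
            self.last_audit[name] = now
            if self.verify(name):
                self.audit_log.append(("ok", name, fp.serial))
            elif self.verify(name, self.replica.get(name)):
                self.files[name] = self.replica[name]     # restore original state
                self.audit_log.append(("healed", name, fp.serial))
                self.alert(f"{name}: fingerprint mismatch, restored from replica")
                healed.append(name)
            else:
                self.audit_log.append(("unrecoverable", name, fp.serial))
                self.alert(f"{name}: fingerprint mismatch and no intact replica")
        return healed


def run_scenario():
    """Constructed scenario: bit rot, a deletion, and tampering with a bad replica."""
    alerts = []
    arc = Archive(alerts.append)
    t0 = datetime(2015, 1, 5, tzinfo=timezone.utc)
    fp = arc.ingest("contracts/q4.pdf", b"constructed sample content", t0)
    arc.files["contracts/q4.pdf"] = b"constructed sample c0ntent"   # silent bit rot
    arc.ingest("hr/payroll.csv", b"emp,amount\n1,100\n", t0)
    del arc.files["hr/payroll.csv"]                                  # primary deleted
    arc.ingest("legal/hold.docx", b"privileged", t0)
    arc.files["legal/hold.docx"] = b"tampered"                       # both copies altered
    arc.replica["legal/hold.docx"] = b"tampered too"
    early = arc.audit(t0 + timedelta(days=30))    # nothing is due yet
    healed = arc.audit(t0 + timedelta(days=90))   # the 90-day check runs
    return {"first_serial": fp.serial, "early": early, "healed": healed,
            "alerts": alerts, "intact": arc.verify("contracts/q4.pdf"),
            "unrecoverable": [n for ev, n, _ in arc.audit_log if ev == "unrecoverable"]}
```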

Highly Secured Files with Privacy

The Assureon Secure Storage Archive secures all files with individual file AES 256-bit encryption. Files are encrypted whether stored at-rest or in-flight while replicating to another Assureon Secure Storage Archive system or an Assureon cloud service provider. The security and privacy go far beyond encryption.

Before any user or application can access a file, set of files, or unstructured data directory, they are authenticated via Active Directory or with digital certificates. From that point forward, there is an unalterable audit trail for each and every access of a file for the life of that file. The Assureon Secure Storage Archive logs every file access including who accessed the file and when. These logs mean anyone who accessed a file can be identified. Logging every failed access attempt at restricted files also ensures that unauthorized access attempts are noted, logged, and recorded, with notifications sent. This greatly diminishes the risk of insiders accessing, altering, or copying files that they have no business accessing, seeing, or using.

The Assureon Secure Storage Archive goes further by providing multi-tenancy, separating data through the use of virtual archives per departments, divisions, users, and/or clients. This enables cloud service providers to share common infrastructure across multiple clientele with no co-mingling of files. Each tenant’s files are virtually and physically separated into their own “safe deposit box” with its own separate encryption within the Assureon vault. If the files can’t be seen they can’t be accessed or hacked, once again thwarting the insider threat.

Four levels of automated monitoring (policy based thresholds, node events, the Assureon Client, and self-healing file integrity and availability audits) eliminate the “unknown” insider breach events.
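As an added illustration of the access audit trail just described (example code, not Nexsan's), here is detection logic run over constructed log lines: it separates successful reads from denied attempts, collects every denied attempt at a restricted path per tenant and user, and raises a notification once one identity crosses a threshold. The log format, the restricted-path list and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed format:
# <ISO timestamp> <tenant> <user> <ACCESS|DENIED> <path>
SAMPLE_LOG = """\
2015-01-12T09:01:10Z acme jdoe ACCESS finance/q4/budget.xlsx
2015-01-12T09:02:44Z acme jdoe DENIED hr/payroll/2014.csv
2015-01-12T09:02:51Z acme jdoe DENIED hr/payroll/2013.csv
2015-01-12T09:03:05Z acme jdoe DENIED legal/merger/term-sheet.pdf
2015-01-12T09:10:00Z acme asmith ACCESS hr/payroll/2014.csv
2015-01-12T09:11:30Z acme asmith DENIED legal/merger/term-sheet.pdf
2015-01-12T10:00:00Z globex bwayne ACCESS legal/merger/term-sheet.pdf
this line is malformed and must not abort the audit
"""

RESTRICTED_PREFIXES = ("hr/payroll/", "legal/")   # assumed sensitive directories
NOTIFY_THRESHOLD = 3   # denied attempts per identity before a notification fires

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ACCESS|DENIED) (\S+)$")


def parse_log(text):
    """Parse the log into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, tenant, user, outcome, path = m.groups()
            events.append({"ts": ts, "tenant": tenant, "user": user,
                           "outcome": outcome, "path": path})
    return events


def is_restricted(path):
    return path.startswith(RESTRICTED_PREFIXES)


def failed_restricted_attempts(events):
    """Denied attempts at restricted files, grouped by (tenant, user)."""
    by_identity = defaultdict(list)
    for e in events:
        if e["outcome"] == "DENIED" and is_restricted(e["path"]):
            by_identity[(e["tenant"], e["user"])].append(e["path"])
    return dict(by_identity)


def notifications(events, threshold=NOTIFY_THRESHOLD):
    """One notification per identity that crossed the threshold."""
    notes = []
    for (tenant, user), paths in failed_restricted_attempts(events).items():
        if len(paths) >= threshold:
            notes.append(f"{tenant}/{user}: {len(paths)} denied attempts at "
                         f"restricted files: {', '.join(sorted(set(paths)))}")
    return notes


def who_accessed(events, path):
    """Every identity that successfully read one file, with the time of access."""
    return [(e["ts"], e["tenant"], e["user"])
            for e in events if e["path"] == path and e["outcome"] == "ACCESS"]
```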

Comprehensive Risk Mitigation

As previously discussed, being regulatory compliant is no longer optional, it’s mandatory. Failure to do so is costly and potentially threatening to the very life of the corporation. And there is no shortage of regulations to keep in compliance with (e.g., Federal Rules of Civil Procedure (FRCP), SOX, SEC-17, HIPAA HITECH, GLBA, Basel II/III, PCI DSS, CFR 28 and 29, and more). The Assureon Secure Storage Archive meets these regulatory rules and more:


• Easy to set and manage policy based retention rules associated with unstructured data directories or file types.
• Unstructured data set retention timeframes can be extended when required, or have flexible retention periods that can be lengthened or shortened depending on requirements.
• Legal holds on any file or set of files that override original retention periods until that legal hold has expired or been removed.
• Highly secure data deletion through encryption key destruction while wiping all copies of the file.
• Optional DoD drive wipes are also available at a per object or file granularity.

These capabilities mitigate risk, ensure compliance, and simplify processes in doing so.
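The retention, legal-hold and key-destruction behaviour of the list above, worked through as an added example (not Nexsan's code): retention rules per directory prefix or file type, a hold that overrides retention until released, and deletion that destroys the per-file key before wiping every copy. The rule syntax, the SHA-256 keystream standing in for AES-256 and the constructed file names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
FAR_FUTURE = datetime(9999, 12, 31, tzinfo=timezone.utc)   # open-ended legal hold


def keystream_xor(key, data):
    """Stand-in for the page's per-file AES-256 (constructed: SHA-256 counter keystream)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


@dataclass
class Record:
    ciphertext: bytes
    retain_until: datetime
    legal_hold_until: datetime = None   # None means no hold in force


class RetentionArchive:
    def __init__(self, rules):
        # rules: (match, days) pairs; match is a prefix ("finance/") or extension (".pdf")
        self.rules = rules
        self.keys = {}      # per-file keys: the part destroyed on secure delete
        self.records = {}   # primary copy
        self.replica = {}   # replica ciphertext on a second system or CSP
        self.log = []

    def retention_days(self, name):
        for match, days in self.rules:   # first matching rule wins, else 0 days
            if name.startswith(match) or name.endswith(match):
                return days
        return 0

    def ingest(self, name, data, now):
        key = secrets.token_bytes(32)
        self.keys[name] = key
        ct = keystream_xor(key, data)
        rec = Record(ct, now + self.retention_days(name) * DAY)
        self.records[name] = rec
        self.replica[name] = ct
        self.log.append(("ingest", name, rec.retain_until.isoformat()))
        return rec

    def read(self, name):
        if name not in self.keys or name not in self.records:
            return None   # without the key the ciphertext is unreadable
        return keystream_xor(self.keys[name], self.records[name].ciphertext)

    def set_retention(self, name, until):   # lengthen or shorten, as the page allows
        self.records[name].retain_until = until

    def legal_hold(self, name, until=None):
        self.records[name].legal_hold_until = until or FAR_FUTURE

    def release_hold(self, name):
        self.records[name].legal_hold_until = None

    def deletion_blocked(self, name, now):
        """Why deletion is refused right now, or None when it may proceed."""
        rec = self.records[name]
        if rec.legal_hold_until is not None and now < rec.legal_hold_until:
            return "legal hold"   # a hold overrides the retention period
        if now < rec.retain_until:
            return "retention"
        return None

    def secure_delete(self, name, now):
        reason = self.deletion_blocked(name, now)
        if reason:
            self.log.append(("delete-refused", name, reason))
            return False
        del self.keys[name]                            # crypto-shred first ...
        del self.records[name], self.replica[name]     # ... then wipe every copy
        self.log.append(("deleted", name, "key destroyed, all copies wiped"))
        return True


def run_scenario():
    """Constructed scenario: retention blocks, a hold outlives retention, then deletion."""
    t0 = datetime(2015, 1, 5, tzinfo=timezone.utc)
    arc = RetentionArchive([("finance/", 7 * 365), (".pdf", 365)])
    arc.ingest("finance/ledger.csv", b"acct,amt\n", t0)
    arc.ingest("marketing/deck.pdf", b"constructed slides", t0)
    out = {"roundtrip": arc.read("finance/ledger.csv") == b"acct,amt\n"}
    out["in_retention"] = arc.secure_delete("finance/ledger.csv", t0 + 30 * DAY)
    arc.legal_hold("marketing/deck.pdf", until=t0 + 3 * 365 * DAY)
    out["held"] = arc.secure_delete("marketing/deck.pdf", t0 + 400 * DAY)
    arc.release_hold("marketing/deck.pdf")
    out["released"] = arc.secure_delete("marketing/deck.pdf", t0 + 400 * DAY)
    out["readable_after"] = arc.read("marketing/deck.pdf")
    arc.set_retention("finance/ledger.csv", t0 + 10 * 365 * DAY)
    out["why_blocked"] = arc.deletion_blocked("finance/ledger.csv", t0 + 8 * 365 * DAY)
    return out
```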

Data Mobility Security

Data mobility is a fact of life. For users, it’s all about convenience; however, as previously discussed, unless that convenience is secure, it’s a security hole. Nexsan has two ways of providing that secure convenience. The 1st is via IronKey, the most secure USB drives available on the market today. IronKey devices are encrypted USB flash drives and external hard drives. The IronKey management platform enables administration and policing of all USB devices from a centralized command center. The 2nd is via third party independent software vendors. These are secure file sync and share software providers that enable complete IT control. Files are stored on the Assureon Secure Storage Archive and can be remote-wiped from any of the platforms sharing the files or unstructured data. There are several ISVs that meet these requirements. For more information contact your Nexsan representative. Both these processes provide the convenience users demand while delivering the security so necessary to prevent users from behaving badly while closing the “rogue IT” security hole.

Affordably Closing Those Devastating Security Holes

The cost per secured stored GB is significantly reduced when on the Assureon Secure Storage Archive versus primary storage. From native inline deduplication to the lower-than-RAID overhead of erasure coding, the amount of storage consumed is 20 to 60% less than it is on the primary storage. And the baseline cost per raw GB is also lower to begin with. Add to that the reduction in backup or replication storage for data protection, which is no longer required for data moved to the Assureon Secure Storage Archive, and the savings are compelling.

Final Thoughts

The three devastating holes exposing your high-value data are quite serious. Ignoring them is a disaster waiting to happen. Hope is not a strategy. The Nexsan Assureon Secure Storage Archive and solutions provide a simple way to fix these holes at a very affordable cost.

For More Information

Contact Nexsan at: https://www.nexsan.com/products/secure-archive-storage/
Or https://www.nexsan.com/about-nexsan/contact-us/

Paper sponsored by Nexsan.

About Dragon Slayer Consulting: Marc Staimer, as President of the 17-year-old Dragon Slayer Consulting in Beaverton, OR, is well renowned for his in-depth and keen understanding of user problems, especially with storage, networking, applications, and virtualization. Marc has published thousands of technology articles and tips from the user perspective for internationally renowned online trades including SearchStorage.com, SearchCloudStorage.com, SearchSolidStateStorage.com, SearchSMBStorage.com, SearchVirtualStorage.com, SearchStorageChannel.com, SearchModernInfrastructure.com, SearchVMware.com, SearchDataBackup.com, SearchDisasterRecovery.com, SearchDataCenter.com, SearchServerVirtualization.com, SearchVirtualDesktop.com, SearchNetworking.com, and Network Computing. Marc has additionally delivered hundreds of white papers, webinars, and seminars to many well known industry giants such as: Brocade, Cisco, DELL, EMC, Emulex (Avago), HDS, HP, LSI (Avago), Mellanox, NEC, NetApp, Oracle, QLogic, SanDisk; as well as smaller, less well known vendors/startups


including: Asigra, Clustrix, Condusiv, DH2i, Diablo, FalconStor, Gridstore, Nexenta, Neuxpower, NetEx, Permabit, Qumulo, Tegile, Zetta, and many more. His speaking engagements are always well attended, often standing room only, because of the pragmatic, immediately useful information provided. Marc can be reached at [email protected], (503)-579-3763, in Beaverton OR, 97007.