Cloud storage security best practices

Secure your data by using Ceph’s security features

How can I securely store data in a cloud storage system?

Data is like the crown jewels of any organisation, if lost or exposed there could be severe repercussions.  Failure to protect against system failure could lead to the loss of business data rendering a business non-functional and ultimately causing it’s failure.  Exposing sensitive data to unauthorised parties not only leads to reputational damage, but can also cause businesses to incur massive fines.

This blog takes a closer look at these risks and how you can mitigate them with Ceph’s security features. Let’s start with some of the most common ways in which data breaches can occur:

Physical theft / transport

The loss of storage related hardware, disks or entire storage systems could lead to the exposure of sensitive information.  This could happen during a traditional burglary situation, where an unauthorised party gains access to a data centre and removes hardware, or where a piece of hardware is intercepted during transit, for example when being returned to the manufacturer for repair or replacement.

Another type of physical compromise is via the theft of backup tapes, which can easily be mitigated with encryption, or tapeless backups that use inflight and at-rest encryption.

Corruption / Bitrot

Storage systems are made up of hardware, and sometimes hardware components can completely fail. In rarer cases, components like disk drives can introduce bit-level errors which cause corruption of the data that is being stored.

Most modern systems will also store checksums for slices or chunks of data that are stored, so that any corruption is discovered when the data is read. Some, such as Ceph, will proactively scrub the stored data, so that any potential corruption is detected and repaired from either other replicas or rebuilt from erasure coded chunks.

Network eavesdropping

When data is copied between systems, either on a local network, or across the internet, there is a possibility of eavesdropping, which means that the data could be intercepted by an unauthorised party during transmission. There are many components in a network path – network interface controllers (NICs), switches, routers, cables etc, and all of these can be compromised.  Detection of such a compromise is difficult or impossible, even with state of the art technologies.

Insecure storage system software

A software supply chain attack could cause the software running within a storage system to be compromised, giving an adversary another path to introduce malicious code. This is not limited to just the core storage software, but all of the components as well, disks, NICs, RAID controllers etc.  Keeping all of these software components uptodate is essential.

Malicious obfuscation and encryption

Ransomware attacks have become more and more common. They are a type of attack where a malicious party gains access to an organisation’s IT estate, and encrypts the contents of all storage devices, both local drives in servers, but also networked storage too.

Mitigate these risks with cloud storage security features

In a modern open source storage system such as Ceph, there are multiple ways for protecting against the risks outlined above.

Data at rest encryption

As data is written to disk, it is encrypted by the storage system, so that if a disk is stolen, lost, or returned to the manufacturer for replacement after failure, there is no chance of a leak of the data contained on the device.

Data in flight encryption

Using encryption for all flows of data across all networks means that no sensitive data can be intercepted.  The storage system can either store the data in its encrypted form, or re-encrypt and use at-rest-encryption to securely store it.

Access control

Ceph makes use of CephX and LDAP to enforce strict access control across all protocols, ensuring that only authorised users have access to the block devices, file shares or object buckets that an administrator has mapped or shared with specific users.

Snapshots and versioning

Point in time snapshots can provide a user with the ability to roll back to a known good state after corruption or malicious encryption is detected, allowing for a recovery path from such events.  Object storage also allows for full-object-versioning, which means that when a new version of an existing object is added to the system the older version is also retained and can be accessed if required.  This feature is particularly useful in heavily regulated environments where an audit trail is required.

Key rotation

Cryptographic keys are used to secure communication between different devices, but it is of utmost importance that these keys are periodically renewed so that if a key were to be compromised the window for its use and a successful breach is relatively short.

Learn more

Ceph provides multiple mechanisms to secure data stored within the cluster no matter the protocol used. Additionally, even when hardware components are removed from the cluster, the data remains protected thanks to strong encryption.  Internet facing APIs such a RADOS Gateway’s S3 endpoint can be configured to accept TLS connections only, and reject insecure HTTP.

FInd out more about Ceph here.

Additional resources

• What is Ceph?
• Blog : Cloud storage at the edge with MicroCeph
• Video : MicroCeph at Cephalocon 2023
• MicroCeph documentation
• White paper – A guide to software-defined storage for enterprises

Further Reading

Learn more about Canonical’s open source infrastructure solutions.