The topic of correct access and storage of sensitive data is always one of the central focuses on any cybersecurity meeting room table. Because data protection is such an overarching theme in 2021, the topics and sub-topics relating to how data is stored are of particular concern.
The world’s top cybersecurity firms, as well as government agencies, are more and more worried about a factor known as human error.
Statistically, human error can be correlated with over 90% of security incidents -which also points to improper data storage practices (sensitive or personal data practices.) You may have heard of cybersecurity jargon such as internal and external threats.
With that in mind, cybersecurity issues are separated into internal and external threats, and the majority of incidents occur due to human error which is classified as an internal threat (whereas an external threat is a direct attack by a hacker or group of hackers.)
Although, both types of threats can afflict the security of data. A combination of an internal threat like unaware (untrained or uneducated, or perhaps even malicious) employees coupled with cutting-edge cybercrime is a match made in hell that will surely destroy any organization out there.
The reason why keeping sensitive data offline is reiterated so much at cybersec conferences every year is that firstly, to put it as simply as possible, hackers cannot breach offline backups. Secondly, most of the world keeps its data online because this is the quickest and most streamlined way to do it. In theory, external threats should not be able to compromise any data that is truly offline.
At least, the integrity of this data logically should not be able to be hacked via any digital attack vector or attack surface -simply because there is no entry point between the malicious threat actor and the target data. Therefore, it is very difficult for data to be corrupted, stolen, or destroyed if it is stored offline. On the other hand, offline data can be compromised by other means if it is not truly offline. Therein lies the catch.
Without further ado, let’s take a look at what sensitive data is, what offline data storage is, and the consequences of a data breach, ending with cybersecurity tips relating to sensitive data hygiene. In the end, anyone reading this should have a much better understanding of how important having a true offline backup of sensitive data is.
Ultimately, the quality of the cybersecurity approach to data storage security can make or break any organization, put its employees in a rough position, and completely compromise the customer base, if it is not up to scratch. On a personal level, the average person (who uses the internet for daily chores or tasks) is also susceptible to sensitive data compromise if data storage hygiene is not where it should be.
What is Sensitive Data?
Sensitive data comprises corporate data, personal data, or any other type of confidential data that should securely be in the hands of those it belongs to. Today, most organizations, institutions, and companies around the world store their data online. Data that is stored online is always situated on a server, in a data center, or across remote computers. Data centers can range from; hyper-scale, edge, co-location, managed services, and finally cloud centers.
Today, the trend is a move away from traditional data center technology and onto more remote options. Data storage today is most commonly operated by a major cloud storage provider such as AWS (Amazon Web Services), Microsoft’s Azure, Google Cloud, IBM Cloud, and Cloud Linux.
These major providers also cater to thousands of third-party storage solution vendors out there that offer storage solutions to the masses and enterprises in general. Cloud storage is advantageous because it offers maximum instant availability, accessibility, collaborative options, and speed by contrast with traditional data centers. There are also a few types of cloud storage options such as private, public, and more recently hybrid options.
What is Offline Data Storage?
Offline data storage is a concept that few manage to follow correctly -especially cloud-storage vendors. The pure meaning of offline data storage is an asset (s) that cannot be accessed remotely in any shape or form, full stop. Keeping an offline backup of your data off-site as a regular citizen usually means offloading data to removable physical media such as CD, DVD, or most often a flash disk or external hard disk.
On the other hand, especially when referring to cloud storage vendors, giving over sensitive data to vendors always comes with caveats. A perfect example of this is that cloud storage vendors may promise fully offline, redundant backups to customers but get breached regardless of that fact.
The Consequences of a Data Breach
To put the concerns over offline data and entrusting data to others into perspective, security portal CSO underlined what can happen when a gray area exists concerning offline data with an incident that affected Code Spaces (cloud-based hosting brand); “It actively promoted itself as having full redundant backups in three different geographic different locations. It said it had offline backups of all customer data.
It did not. A hacker broke in, tried to get the company to pay a ransom, and threatened to delete all of Code Space’s data if the company did not pay or if it tried to get around the hack. The company fought back, but the hacker detected the maneuvers immediately and deleted most of the data, including the “offline” backups.” Since that incident, Code Space is no more.
How did this happen if the company guaranteed the data was offline? In the case of Code Space, the data was still reachable over a network via an AWS control panel (Amazon Web Services.) Because Code Spaces used VMs or Virtual Machines (instances) to offload data, instead of physically disconnected backups, the sensitive data was not truly offline (although these VM instances were technically switched off.)
As a result, services were not separated and a hacker was able to effectively wipe the company off the face of the Earth by deleting almost all of the data. The critical question is, can data that is theoretically considered offline be, in the event of necessity, restored remotely? According to CSO, if the answer is yes, that data is never fully offline and is vulnerable.
The consequences of insufficient data backup awareness have caused immeasurable damage (whether due to unreasonable dependence on VMs or not); cryptocurrency exchanges being hacked and hundreds of millions of personal credentials and account information being leaked to be later sold on the dark web. Famous data breaches such as Equifax, Facebook, Capital One, Yahoo, Marriott/Starwood, and many more are just a few examples of unsecured data.
Final Thoughts
Unreasonable reliance on major cloud providers like AWS (or any of the others) and virtual machine instances that are not truly offline and can be started up via a vulnerable control panel, can wreak havoc. Storing data offline on physical backups costs money and time to maintain which is why many avoid the protocol opting for more flimsy approaches. With sophisticated cybercrime at our doorstep, the only kryptonite is cutting off all possibilities of remote control via a network.
Albeit, it would be unfair to focus only on major cloud storage providers, though, because the majority of data breaches are caused by human error; giving away passwords and accounts, weak access control configuration, software vulnerabilities, and third-party entry points. Regardless of what it may be, today even local off-cloud storage (on the host computer) means insufficient protection of data.
Storing data purely offline is not without its hazards though, and regular backing up to a physical device is time consuming as well as the fact that it includes the initial purchase of offline physical storage. Physical devices can be lost, or stolen, or damaged. If you value your data, like most serious organizations like medical institutions, universities, banks, and others do store your data on a physical backup just like they do for the ultimate peace of mind -as tedious as it may be it is worth it.
Ask yourself, do you feel better walking your dog yourself or someone walking it for you? Do you feel better driving yourself or could you fully trust autonomous AI to do the job? The same goes for your data.