With each data breach costing U.S. enterprises an average of $8.6 million, and ransomware attacks up nearly 140% in the U.S. this year alone, chief information officers (CIOs) are under tremendous pressure to keep data secure in order to maintain trust with customers and avoid financial loss.

It is critical that CIOs ask the following four data storage security questions to ensure data is protected from threats and can’t be compromised.

  1. Can our data be made immutable?

The FBI has deemed ransomware the fastest growing malware threat, causing significant revenue loss, operational downtime, and reputational damage. Because ransomware encrypts data at the storage layer, backup data copies run the risk of being targeted in an attack. To avoid having to pay the ransom to decrypt data, organizations must ensure they have an immutable backup copy of data that can be restored in the event of an attack.

Magnetic tape storage allows backup copies to be physically removed and stored separately, which makes the copy invulnerable to ransomware attacks. However, while tape is an effective defense, it is slow to recover from and can take extensive time and resources to manage.

Object storage can also be leveraged to make data immutable without the drawbacks of tape. A feature known as “object lock” is supported in select object storage systems and uses write once read many (WORM) technology to make backup data copies immutable for a set timeframe. Once backup data is written, it cannot be changed or deleted until the time is up, meaning hackers can’t encrypt the data, and a clean copy is available for quick and easy restore if an attack occurs. Object lock works the same on-premises, in a private cloud, or in the public cloud.
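How object lock enforces the WORM semantics described above, as an added Go example that is not from the article or from any object storage product: an in-memory store model (the type names, the retention logic and the sample backup are all assumptions) that refuses overwrites and deletes while a retention window is open and permits them once it has expired. The clock is injectable so the 30-day scenario plays out instantly.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrLocked is returned when a write or delete targets an object that is still
// inside its retention window.
var ErrLocked = errors.New("object lock: retention period has not expired")

// lockedObject is one stored backup copy plus the instant until which it is
// immutable. (Hypothetical model of object lock, not a real product's API.)
type lockedObject struct {
	data        []byte
	retainUntil time.Time
}

// WORMStore models a bucket with object lock enabled. The clock is injectable
// so the retention window can be exercised without waiting for real time.
type WORMStore struct {
	now     func() time.Time
	objects map[string]lockedObject
}

func NewWORMStore(now func() time.Time) *WORMStore {
	return &WORMStore{now: now, objects: make(map[string]lockedObject)}
}

// Put writes a backup copy and locks it for the given retention period.
// An existing key that is still locked cannot be overwritten.
func (s *WORMStore) Put(key string, data []byte, retention time.Duration) error {
	if obj, ok := s.objects[key]; ok && s.now().Before(obj.retainUntil) {
		return ErrLocked
	}
	s.objects[key] = lockedObject{
		data:        append([]byte(nil), data...), // private copy
		retainUntil: s.now().Add(retention),
	}
	return nil
}

// Delete removes an object, but only once its retention window has elapsed.
func (s *WORMStore) Delete(key string) error {
	obj, ok := s.objects[key]
	if !ok {
		return fmt.Errorf("object lock: no such key %q", key)
	}
	if s.now().Before(obj.retainUntil) {
		return ErrLocked
	}
	delete(s.objects, key)
	return nil
}

// Get returns a copy of the stored bytes, or nil if the key is absent.
func (s *WORMStore) Get(key string) []byte {
	obj, ok := s.objects[key]
	if !ok {
		return nil
	}
	return append([]byte(nil), obj.data...)
}

// DemonstrateRetention plays out the scenario from the text: a backup is written
// with a 30-day lock, then a process that has obtained write access to the
// bucket tries to overwrite it with encrypted bytes and to delete it. It
// reports whether the clean copy survived inside the window and whether the
// normal lifecycle delete works again once the window has passed.
func DemonstrateRetention() (survivedDuringLock, deletableAfterLock bool) {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed start time
	store := NewWORMStore(func() time.Time { return clock })
	const key = "backups/db-2024-01-01.dump"
	clean := []byte("constructed sample backup: database dump 2024-01-01")
	_ = store.Put(key, clean, 30*24*time.Hour)

	clock = clock.Add(24 * time.Hour) // one day into the retention window
	overwriteErr := store.Put(key, []byte("ciphertext written by ransomware"), time.Hour)
	deleteErr := store.Delete(key)
	survivedDuringLock = errors.Is(overwriteErr, ErrLocked) &&
		errors.Is(deleteErr, ErrLocked) &&
		string(store.Get(key)) == string(clean)

	clock = clock.Add(31 * 24 * time.Hour) // retention has now expired
	deletableAfterLock = store.Delete(key) == nil
	return survivedDuringLock, deletableAfterLock
}

func main() {
	survived, deletable := DemonstrateRetention()
	fmt.Printf("clean copy survived during lock: %v; deletable after expiry: %v\n", survived, deletable)
}
```

The point to check in a real product is the same one the model makes explicit: the lock must be enforced by the storage system itself, against every caller including the backup software's own credentials, so that compromised credentials cannot shorten or remove the retention window before it expires.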

  2. How are we protecting data at rest?

Data theft is increasingly common today: hackers threaten to expose a company’s proprietary information unless a ransom is paid. To protect your data from theft, it’s essential that it be encrypted on the storage device. CIOs would be wise to deploy AES-256 encryption — the specification established by the U.S. National Institute of Standards and Technology (NIST) — using either a system-generated encryption key (regular server-side encryption [SSE]) or a customer-provided and managed encryption key (SSE-C). With SSE-C, upload and download requests are submitted securely over HTTPS together with the key, and the system does not store a copy of the encryption key.
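The SSE versus SSE-C distinction drawn above, as an added Go example that is not from the article or from any vendor's product: a toy storage service (its name, object layout and API are assumptions) that encrypts every object with AES-256-GCM from the standard library, keeps only nonce and ciphertext on "disk", and for SSE-C uses the caller's key for the duration of the request without retaining it. HTTPS transport of the request is outside the simulation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// storedObject is everything the service persists for one object: GCM nonce,
// AES-256-GCM ciphertext, and whether the key was customer-provided (SSE-C).
type storedObject struct {
	nonce, ciphertext []byte
	sseC              bool
}

// StorageService holds one long-lived secret, the system-generated key used
// for plain SSE. Customer keys exist only in a single request's memory.
type StorageService struct {
	systemKey []byte
	objects   map[string]storedObject
}

func NewStorageService() (*StorageService, error) {
	k, err := RandomKey()
	return &StorageService{systemKey: k, objects: map[string]storedObject{}}, err
}

// RandomKey returns a fresh 32-byte key, the size AES-256 requires.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // refuse AES-128/192 keys; the policy is AES-256
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext before it reaches storage. With customerKey == nil the
// service uses its own key (SSE); otherwise the caller's key is used for this
// request only and is not retained (SSE-C).
func (s *StorageService) Put(name string, plaintext, customerKey []byte) error {
	key, obj := s.systemKey, storedObject{sseC: customerKey != nil}
	if obj.sseC {
		key = customerKey
	}
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	obj.nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(obj.nonce); err != nil {
		return err
	}
	obj.ciphertext = aead.Seal(nil, obj.nonce, plaintext, nil)
	s.objects[name] = obj
	return nil
}

// Get decrypts an object. An SSE-C object is readable only when the same key is
// presented again: a wrong key fails GCM's authentication check, not silently.
func (s *StorageService) Get(name string, customerKey []byte) ([]byte, error) {
	obj, ok := s.objects[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	key := s.systemKey
	if obj.sseC {
		if customerKey == nil {
			return nil, errors.New("SSE-C object: the request must carry the customer key")
		}
		key = customerKey
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.nonce, obj.ciphertext, nil)
}

// RawBytes is what someone who copied the storage media would obtain.
func (s *StorageService) RawBytes(name string) []byte {
	return s.objects[name].ciphertext
}

func main() {
	svc, _ := NewStorageService()
	custKey, _ := RandomKey()
	_ = svc.Put("ssec/export.csv", []byte("constructed sample: customer PII export"), custKey)
	_, err := svc.Get("ssec/export.csv", make([]byte, 32)) // wrong key
	fmt.Printf("%d ciphertext bytes at rest; read with wrong key: %v\n", len(svc.RawBytes("ssec/export.csv")), err)
}
```

Two properties are worth verifying against any real system in the same way: the bytes at rest never contain the plaintext, and under SSE-C a read without the customer's key fails rather than falling back to a stored copy. The trade-off is that with SSE-C the customer alone is responsible for key availability; a lost key means the object is unrecoverable.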

  3. How are we protecting in-flight data?

It’s common for data to be breached through “eavesdropping,” where hackers “listen” to data communications, looking for passwords or other information transmitted in plaintext. CIOs must ensure data is secured both in transit and in their storage systems.

Leveraging data encryption and secure transport protocols is the best defense against eavesdropping. CIOs should ensure their storage systems support these features:

  • SSE
  • Amazon Web Services Key Management Service (AWS KMS)
  • OASIS Key Management Interoperability Protocol (KMIP)
  • Transport Layer Security / Secure Socket Layer (TLS/SSL)

  4. Is our storage infrastructure fully compliant?

As CIOs know, storage systems must comply with industry regulations. To save time evaluating whether a storage system meets industry requirements, CIOs should ensure their storage infrastructure has the following security certifications and validations.

  • The Common Criteria for Information Technology Security Evaluation: This standard — better known simply as Common Criteria (CC) — is an internationally developed standard (ISO/IEC 15408) for computer security that attests to storage being tamper-proof.
  • Federal Information Processing Standard (FIPS): FIPS is a U.S. standard developed by NIST. It establishes a set of requirements for technology solutions and is used by U.S. government agencies when evaluating products and solutions.
  • SEC Rule 17a-4: This is a regulation issued by the U.S. Securities and Exchange Commission that specifies (among other things) requirements for a WORM classification of the storage system.

Because storage vendors must invest extensive time and resources to pass most third-party security validations, having these certifications in place is a good way to confirm the storage system is secure.

Conclusion

Asking these four questions is the first step for CIOs to take in securing their data. By doing so, they can then take the recommended actions to ensure their data is protected in-flight and at rest, backed up with data immutability, and stored in systems that meet rigorous security certification requirements.