Table of Contents
1. Summary
Data is a vital component of every important enterprise process. It must be protected from damage, loss, and unauthorized exposure, both accidental and malicious. Yet the threats to data proliferate with the increasing complexity of modern information systems. The threats of ransomware and industrial espionage are particularly salient to enterprises in the current environment. What was once perceived as low risk has become an existential threat to many organizations with substantial data holdings.
This report seeks to investigate these questions:
- How are vendors addressing the myriad challenges of ensuring data is kept private, secure, and undamaged?
- How are vendors making the security and integrity of data easier to achieve?
- What are data security infrastructure vendors doing to ease the burden on customers?
Vendors with a leading data storage security posture (DSSP) are aware of the systemic challenges of securing data in the modern enterprise and they understand that there is no single, universally correct way to secure and protect data. Instead, they provide a layered set of options that each seek to address part of the challenge while also working together to provide a whole that is greater than the sum of its parts.
For customers that face the greatest threats, a full suite of options is available. For others, the right balance of risk, cost, and complexity will involve a different set of choices. Leading vendors recognize and understand this reality, and provide options accordingly. They understand that your threat model is not my threat model. They assist customers in understanding their own situations and choosing wisely from the available options.
GigaOm Sonars for Data Storage Security Posture
Due to the variety of methods by which customers and vendors are seeking to solve this challenge, we have divided the DSSP landscape into three reports based on customer use cases:
- Primary storage systems: Solutions that focus on primary storage services, usually deployed as, or on, hardware appliances, such as storage arrays.
- Data protection systems: Solutions that focus on the backup and recovery of data.
- Data security infrastructure: An emerging category of solutions that have a broader focus than primary data services or backup and recovery. They blend techniques from primary storage and backup and recovery and introduce novel methods from other fields such as information security.
Figure 1 shows the vendors and DSSP systems covered in each report.
Figure 1. Vendors Included in Each GigaOm Sonar for DSSP
The evolving nature of data security is reshaping traditional market categories. Ransomware in particular has vendors in one category incorporating techniques that were once left to those in another. For example, backup and recovery systems sometimes act as primary storage for rapid recovery, and intrusion detection methods that were once left to the information security department are now being incorporated into storage products of all kinds.
This GigaOm Sonar provides prospective customers with an alternative way to evaluate DSSP solutions in the context of these broader market changes, equipping IT decision-makers with the information they need to select the best solution for their business and use case requirements.
ABOUT THE GIGAOM SONAR REPORT
This GigaOm report focuses on emerging technologies and market segments. It helps organizations of all sizes to understand a new technology, its strengths and its weaknesses, and how it can fit into the overall IT strategy. The report is organized into five sections:
Overview: An overview of the technology, its major benefits, and possible use cases, as well as an exploration of product implementations already available in the market.
Considerations for Adoption: An analysis of the potential risks and benefits of introducing products based on this technology in an enterprise IT scenario. We look at table stakes and key differentiating features, as well as considerations for how to integrate the new product into the existing environment.
GigaOm Sonar Chart: A graphical representation of the market and its most important players, focused on their value proposition and their roadmap for the future.
Vendor Insights: A breakdown of each vendor’s offering in the sector, scored across key characteristics for enterprise adoption.
Near-Term Roadmap: 12- to 18-month forecast of the future development of the technology, its ecosystem, and major players of this market segment.
2. Overview
Data security has become a board-level conversation topic in recent years as the escalation of threats, well-publicized damage from security breaches, and increased attention from legislators have encouraged a rethink about how data security is managed. Substantial investments in security have improved matters; breaches are now detected in days or weeks rather than months, as was the case three or four years ago.
However, enterprises are increasingly aware of their vulnerability and are looking for more holistic solutions, rather than continuing to layer on point solutions in a piecemeal fashion. Executive leadership is looking for an integrated approach by which security is considered as part of the process, not added on at the end. Security leaders are looking to work more closely with other parts of the business and improve coordination and communication.
Rather than viewing security as a separate activity divorced from applications and infrastructure, leading enterprises are embedding security into the fabric of the organization. By taking a strong security posture, they are better able to plan programs of work and identify the people, processes, and technology that are needed to deliver them.
One part of that process is to look at data storage systems with fresh eyes. Data is the asset that must be secured, and storage infrastructure is the place where data lives. It makes sense to examine the security posture of this data storage infrastructure and reassess the ways data is stored and managed.
By assessing the security posture of data storage infrastructure, data can be better protected at the source. Preventing damage to or loss of data in the first place reduces downtime and reliance on recovery systems to work effectively in a crisis. Avoiding issues in the first place also reduces the operational burden on an organization and the distraction of incident response activity. Confidence in recovery systems helps ensure any response is measured and controlled.
Alas, it is often more a question of when rather than if an incident will occur.
Senior executives are increasingly required to participate in regulatory oversight processes when data breaches occur, particularly when sensitive customer data is involved.
Ensuring that data storage infrastructure has a strong security posture provides peace of mind derived from knowing that when the inevitable happens, the enterprise will be ready and any disruption to normal operations will be minimal. Reputations can be enhanced, rather than damaged, when an organization can demonstrate it was not only well prepared but that its preparations worked in practice, not just in theory.
3. Considerations for Adoption
Robust data security infrastructure systems provide a strong foundation for an organization to build upon. By looking at investments in infrastructure through a security lens from the outset, enterprises can prevent incidents well before they occur, and avoid substantial and costly remediation of issues later on.
Before establishing a program to review your DSSP, you should conduct an assessment of data assets and risks. Evaluating vendors against the key characteristics listed below will be difficult without a solid understanding of what you are trying to protect and why. This exercise need not produce a fine-grained study with a detailed inventory of every data asset within the enterprise, but customers should be able to articulate the broad classes of data they store and manage. They should have an understanding of how data flows through the organization and the kinds of risks that the data can be exposed to.
With this baseline established, customers can then start to build a picture of what an organizational data storage security infrastructure might look like and the components it should contain. The key characteristics discussed below can assist with guiding this process.
Key Characteristics for Enterprise Adoption
Here we explore the key characteristics that may influence enterprise adoption of the technology, based on attributes or capabilities that may be offered by some vendors but not others. These criteria will be the basis on which organizations decide which solutions to adopt for their particular needs.
The key characteristics for evaluating the DSSP for data security infrastructure are:
- Access management
- Auditing and logging
- Data loss protection
- Encryption management
- Immutable copies
- Lifecycle management
- Regulatory framework support
- Supply chain management and assurance
- Threat detection and response
Access Management
Access to data and system management mechanisms should be granular and controlled by policy, rather than broad, static access control mechanisms. Policies should integrate with authentication mechanisms and role-based access control (RBAC) to provide a scalable approach to the way data is accessed and managed. Solutions will support at least one multifactor authentication (MFA) mechanism, preferably one that uses hardware tokens, passkeys, or similarly modern methods.
Robust solutions acknowledge that security controls must be maintained to stay effective, and overly complex systems can undermine security rather than enhance it. Solutions should strike a balance between fine-grained controls and repeatable, scalable processes.
Policies should be definable within the system itself, but storage systems should also integrate with external systems that ease the management burden for customers, such as dedicated policy management systems.
Auditing and Logging
While some form of logging or auditing mechanism is expected to be present and provides no competitive differentiation, robust solutions should provide more nuanced and sophisticated auditing and logging as well. Granular, high-quality auditing and logging helps to support early detection of threats as well as forensic investigation of incidents after they occur.
The main purpose of data protection systems is to make copies of data and use them to recover the data as needed, but doing so securely implies that access is provided only to appropriately authorized people and systems. Auditing and logging are vital tools for proving that access was indeed authorized, and that no unauthorized access occurred.
Data protection systems are not expected to provide a full range of tools for processing and analyzing audit logs, but should integrate with other tools designed for that purpose, preferably using well-established interfaces and data standards.
Data Loss Protection
Of course, data should not be lost in the first place. Data security infrastructure solutions should provide ways to protect against damage and loss before it becomes catastrophic, and ideally much earlier.
While ransomware is the major threat customers are concerned about, exfiltration of private or secret data can be just as much of a problem. Extortion and industrial espionage are motivating factors for some actors that seek to copy data from enterprise systems.
Solutions should provide mechanisms that detect and mitigate unauthorized attempts to copy data and exfiltrate it beyond the control of the enterprise.
Encryption Management
Solutions must support encryption algorithms that are widely believed to be secure against known attacks. Options should not be limited to outdated algorithms understood to be trivial to break, and a forward-looking approach that anticipates potential new threats is preferred.
Solutions should focus on the security of data, both in transit and at rest, as well as the management interfaces for the systems themselves.
Key management mechanisms should be robust against trivial attacks, and preferably against more sophisticated attacks as well. The security of encryption keys is of vital importance, and robust solutions will incorporate a variety of mechanisms for key security, such as integrating with external secrets stores, supporting secure enclave hardware, and incorporating key rotation mechanisms that minimize data exposure if a breach occurs.
Immutable Copies
Solutions are expected to provide copies of data that can be used to restore primary data if it is damaged. Such copies should be resistant to outside manipulation and ideally truly immutable, though this can prove difficult to achieve in practice.
While the threat of ransomware is often the most salient for customers, solutions should also guard against other ways data can be compromised. Protection against accidental or malicious damage by privileged insiders, or someone impersonating them, should be well managed.
Rapid recovery from immutable copies should be straightforward and integrate well into broader recovery efforts. In a time of crisis, operators and administrators need reliable, easy-to-use tools that can undo damage to important systems quickly and safely.
Lifecycle Management
Security is not a point-in-time objective; it is an ongoing process. Solutions should ensure that the security posture of a system is robust when it is first installed and improves over time, rather than degrades. Data should be kept secure as it moves onto a system, resides there, and moves to another system. Security should not be compromised when a system is modified or decommissioned, nor when it is integrated with other systems.
Customers need to be able to trust that their vendors will not introduce vulnerabilities into their environment as changes are made, and vendors should be able to demonstrate that they can be trusted. Customers should also be confident that if any issues do arise, they will be quickly detected and addressed.
Regulatory Framework Support
Solutions should align with widely recognized regulatory and assurance frameworks such as NIST, GDPR, HIPAA, PII-DSS, SOC 2, and ISO/IEC 27001. These frameworks provide common reference points that assist customers in understanding the security posture of the system and the maturity of the vendor’s security processes.
Solutions should focus more on the intent of these frameworks rather than taking a narrow “checkbox” approach. In some heavily regulated environments, a checklist of compliance items is often required, but the solution should not stop there. Vendors should be able to use these frameworks to explain their approach clearly, demonstrating to customers that their commitment to security is more than mere rhetoric.
Supply Chain Management and Assurance
Modern enterprise systems are built from a variety of hardware and software components acquired through complex supply chain relationships. Unauthorized manipulation of components could result in damage to data, system disruption, or unauthorized exposure of private data.
Solutions should provide mechanisms to assure customers and others that the equipment functions as expected and has not been manipulated by unauthorized parties. Solutions should be able to quickly detect issues and determine whether they indicate deliberate tampering or are just ordinary errors. Customers should be confident that such issues will not go unnoticed and can be quickly rectified should they occur.
Threat Detection and Response
Solutions should allow customers to detect threats early so that their response can be measured and planned rather than harried and rushed. Early warning of potential loss or damage allows the crisis to be averted. Detection of initial reconnaissance from an unauthorized actor allows careful and measured action to be taken to contain and/or identify the threat, potentially gathering important forensic evidence for further action later on.
Solutions should provide a range of built-in capabilities to detect potential threats and automatically respond where appropriate. They should also integrate with other specialized systems that can combine telemetry from the source system with other data feeds to get a more holistic view. Robust solutions should also respond to signals from these more specialized systems to take action based on threats detected elsewhere in the organization and ensure data is well protected.
Table 1 shows the key characteristics that can affect the adoption of data security storage posture products for data protection and how well each is implemented in the solutions assessed in this report.
Table 1. Key Characteristics Affecting Enterprise Adoption: Data Security Infrastructure
Key Characteristics |
|||||||||
|---|---|---|---|---|---|---|---|---|---|
| Access Management | Auditing & Logging | Data Loss Prevention | Encryption Management | Immutable Copies | Lifecycle Management | Regulatory Framework Support | SCM & Assurance | Threat Detection & Response | |
| Cohesity | |||||||||
| Commvault | |||||||||
| Continuity | |||||||||
| Dell Technologies | |||||||||
| Hitachi Vantara | |||||||||
| HPE | |||||||||
| IBM | |||||||||
| NetApp | |||||||||
| Nutanix | |||||||||
| Pure Storage | |||||||||
| RackTop | |||||||||
| Rubrik | |||||||||
| Veeam | |||||||||
|
Exceptional: Outstanding focus and execution |
|
Capable: Good but with room for improvement |
|
Limited: Lacking in execution and use cases |
|
Not applicable or absent |
4. GigaOm Sonar
The GigaOm Sonar provides a forward-looking analysis of vendor solutions in a nascent or emerging technology sector. It assesses each vendor on its architecture approach (Innovation), while determining where each solution sits in terms of enabling rapid time to value (Feature Play) versus delivering a complex and robust solution (Platform Play).
The GigaOm Sonar chart (Figure 2) plots the current position of each solution against these three criteria across a field of concentric semicircles, with solutions set closer to the center judged to be of higher overall value. The forward-looking progress of vendors is further depicted by arrows that show the expected direction of movement over a period of 12 to 18 months.
Figure 2. GigaOm Sonar for DSSP for Data Security Infrastructure
As you can see in the Sonar chart in Figure 2, the landscape for data security infrastructure is varied, with vendors occupying a broad range of positions, though there are specific trends worth noting.
A loose cluster of enterprise technology vendors on the Platform Play side is attempting to address a wide range of customer data security needs with solutions all from a single vendor. IBM and HPE are examples here, each with a broad portfolio of options all available under one roof.
Next come a number of major primary storage vendors that form an important core of data security infrastructure by virtue of being situated where data gets stored. This makes sense, and these storage vendors are working to expand their offerings to encompass a broader range of customer security challenges beyond the mere storage of data. This is happening both by partnering with nearby vendors and by incorporating features traditionally found in other fields, such as information security or backup and recovery.
Toward the center, we see vendors from a traditional backup and recovery background moving toward the primary storage vendors. Just as the storage vendors add backup and recovery features, backup and recovery vendors are adding storage features, particularly for rapid recovery or disaster recovery. Cohesity is particularly notable here because it uses its hyperconverged background to function increasingly as both primary and secondary storage while adding features from information security, such as active scanning.
On the Feature Play side we see a couple of new and innovative approaches from Continuity and RackTop. While the other vendors are adding features from adjacent sectors of the tech industry, these vendors have come at the challenge of data security from a fresh, new perspective that starts with security rather than adding it onto an existing set of options.
5. Vendor Insights
Cohesity
Cohesity has expanded from its roots in hyperconverged infrastructure and backup and recovery to add disaster recovery, file and object data services, and a set of security-focused products and services to provide a more complete set of options for customers. Cohesity’s Helios control plane and unified SaaS management UI provides a centralized mechanism for managing the hybrid-cloud Cohesity Data Cloud platform. Cohesity SmartFiles provides file and object services on distributed, scale-out infrastructure across physical sites and in the cloud using Cohesity’s SpanFS distributed file system. It supports AES-256, FIPS-compliant encryption of data in flight and at rest and immutable copies with SnapLock.
Cohesity DataProtect provides data protection for a range of workloads, including physical systems, SQL databases, VMs, Kubernetes, cloud database services such as AWS RDS, SalesForce, Microsoft 365, and more. DataProtect also integrates with systems from other primary storage vendors, such as HPE, NetApp, Pure Storage, and IBM. Long-term archival is supported in public cloud S3-compatible devices and on tape via QStar archive manager. Rapid recovery of data is possible at the file, volume, and VM level, and instant volume mounts reduce downtime if an incident occurs.
Cohesity added secure vault capabilities with its FortKnox SaaS offering, which builds on the core functions of Helios to add isolation features to reduce the risk of ransomware. FortKnox includes a key management service (KMS) or customers can provide their own Key Management Interoperability Protocol (KMIP)-compatible KMS.
Cohesity augments its other offerings with DataHawk, a threat detection system that monitors systems against known threats and performs pattern-based data classification to identify sensitive or regulated data. Ingested backup data can be scanned using Yara rules with a built-in Qualys system OEM’d by Cohesity. Similarly, Cohesity uses an integrated system from BigID to perform machine-learning-based data classification.
Cohesity supports robust RBAC and MFA is enabled by default. Quorum-controlled operations with an n-of-m authorization design for sensitive operations protects against a rogue administrator attempting to delete or exfiltrate data. Cohesity integrates well with commonly used SIEM, SOAR, and ITSM products such as Microsoft Sentinel, Palo Alto Networks Cortex XSOAR, Cisco SecureX, CrowdStrike, and ServiceNow SOAR.
Administration of a fleet of systems is managed centrally via the Helios SaaS-delivered operations console for ease of management at scale. Cohesity recently added a Security Center dashboard for administrators to monitor and manage the settings and security posture of the platform.
Strengths: Cohesity’s strength in hybrid cloud and unstructured data management is used to good effect by adding security features appropriate to customer use cases. Helios is a good base for Cohesity to deliver a common platform.
Challenges: Cohesity best suits large, distributed enterprises and the initial investment can seem daunting to smaller organizations. The security posture is solid and while some advanced capabilities such as hardware token support are lacking, others, such as its n-of-m quorum authorization controls, demonstrate Cohesity’s commitment to security.
Commvault
Commvault has a broad range of capabilities that combine to provide a strong security posture. Backup and recovery of data is at the core of Commvault’s heritage, but its capabilities have kept pace with modern threats. Commvault provides a range of methods to protect data from damage at the source, during transit, and in backup repositories, including against unauthorized access and exfiltration of data.
Of particular interest is Commvault ThreatWise, which provides a tripwire/canary system of decoys. These decoy systems closely mimic real assets and protect data in two key ways. First, they provide high-quality early warning signals of potential threats because legitimate actors would not interact with these decoys. Second, if malicious access is gained, the damage is to decoy data and assets, not real ones, and customers have more time to initiate an incident response or activate automated defenses.
Commvault provides a multilayered approach to access management, with policy-based access controls and MFA. Commvault supports multiple identity providers via LDAPS, SAML, and OpenID, as well as the most recent authentication techniques for MFA, such as FIDO2 hardware keys, PKI-based access cards, Windows Hello, and Apple Touch ID. Data encryption keys can be stored in a broad range of third-party key management systems, including public cloud KMSes, HashiCorp Vault, IBM SKLM, Thales CipherTrust Manager, and several others.
Commvault has features for managed data destruction that account for legal hold and eDiscovery requirements, ensuring that data that should not be destroyed remains available, but data that should be disposed of is deleted in a controlled fashion. Multiperson authorization can be enabled to guard against unauthorized data destruction by privileged insiders. Compliance locks prevent unwanted or accidental expiration of data.
Commvault provides immutable copy features itself and also supports a wide range of storage partner immutability features such as AWS S3, NetApp SnapLock, Data Domain retention locks, Dell Technologies Isilon/PowerScale SmartLock, and many others.
Commvault has a rich, granular audit logging system that writes to an immutable ledger with customizable retention periods. Audit events can be exported to SIEM and SOAR tools commonly used by enterprises, such as Splunk. Events and alerts can be sent via syslog or webhook. Commvault also provides its own workflow engine for configuring automated event responses, which can be embedded within an alert.
Strengths: While Commvault provides a rich set of modern security features on its own, it integrates with a large ecosystem of technologies, making it an excellent choice for enterprises with heterogeneous technology stacks.
Challenges: Commvault is strongest on Windows systems. Some features are not available on other platforms, such as live file activity monitoring, though monitoring is available during the backup process and a Linux honeypot capability exists. Commvault continues to invest in ease-of-use improvements to what is an inherently complex set of capabilities.
Continuity
Continuity StorageGuard is software that audits customer storage and backup assets for vulnerabilities and security misconfigurations. While plenty of tools exist for other infrastructure types, such as networks and servers, storage devices have historically been overlooked as infrastructure that needs to be checked in this way.
Devices are scanned for known risks, such as MITRE CVE-listed vulnerabilities, as well as vendor security alerts. StorageGuard provides a <48-hour SLA for updates to its database of known risks rated critical or high in the CVSS rating system, and within 10 business days for other ratings.
Reporting is straightforward, and customers can align reports with their preferred frameworks such as NIST, ISO/IEC, and PCI-DSS to keep audit reports focused on the customer’s defined risk profiles. StorageGuard also supports defining security policies that map to vendor security best practices, providing another lens with which to view the environment.
StorageGuard supports a wide range of storage and backup infrastructure, including Dell Technologies PowerMax and PowerScale, Hitachi VSP, Pure Storage, Infinidat, Commvault, Rubrik, and IBM FlashSystem. For the heterogeneous environments common to enterprises, StorageGuard provides a common platform for managing risk to storage systems in a holistic manner.
StorageGuard tracks changes to monitored device configurations with periodic scans, providing an off-device audit trail. StorageGuard also logs events on its own system, such as login attempts, settings changes, API calls, and so forth.
Access control to StorageGuard itself is policy-based and it supports MFA via Microsoft Azure/AD MFA. Roles can be defined with fine-grained permissions for each feature if customers desire. StorageGuard integrates with external password safes such as CyberArk and Cloakware, and with privilege management tools such as PowerBroker, CA, and native sudo.
Strengths: Continuity’s StorageGuard is an important tool for managing a risk area that is often overlooked by customers. Ensuring the devices that store and provide access to data are well configured and maintained is a vital part of achieving a robust data security posture.
Challenges: StorageGuard’s features can overlap with tools provided by storage vendors themselves and customers will need to be educated about the gap in their security posture that StorageGuard addresses. Clear communications and partnering well with systems integrators, channel partners and the storage vendors themselves will assist here.
Dell Technologies
Dell Technologies has a robust security posture particularly well suited to high-end enterprises. Like most storage vendors, Dell Technologies aligns with the NIST cybersecurity framework to organize and communicate its security approach.
The company uses its Dell Secure Development Lifecycle for developing its products, working to move security thinking earlier in the process. It maintains a Product Security Incident Response Team (PSIRT) for coordinating its response and disclosure for all product vulnerabilities, not limited to those within the storage portfolio.
On Dell PowerMax arrays, SnapVX snapshots can be set as “secure” to prevent deletion while making them immutable for a defined time period, which can be extended if needed, though not reduced. PowerMax cyber vault supports remote secondary copies with up to 16 storage groups and two to eight vault copies per storage group secured with retention locks.
Dell integrates its products with CloudIQ, a cloud-based application that provides security features. For example, CloudIQ monitors defined system configurations and proactively notifies customers of issues and suggests remediation steps. CloudIQ’s auditing is based on NIST 800-52 R5 standards and Dell best practices, and can report on Dell and VMware security risks to a customer’s fleet of systems.
Dell provides data-at-rest encryption, and systems have an embedded KMS and also integrate with external KMSes using the OASIS KMIP.
Dell systems have robust RBACs with fine-grained privilege settings. MFA is supported using Dell’s SecureID system. Audit logs are tamper-proof and stored on-device.
Dell systems incorporate a hardware root-of-trust to provide cryptographic assurance of BIOS and BMC firmware. Dell uses Intel Boot Guard technology to verify the cryptographic signature of boot images and the chain of modules used during system startup. Secure Boot and Measured Boot processes are also supported.
Strengths: Dell Technologies has excellent supply chain security management features for high assurance of devices and updates.
Challenges: Dell Technologies products integrate best with other Dell products and customers with a more varied set of vendors may find integration more challenging, though support for open standards is improving.
Druva
Druva provides a SaaS-first platform for data protection with integrated backup and recovery, cybersecurity, and data governance features based on AWS cloud services.
Data is backed up to Druva’s cloud systems over industry-standard encrypted TLS and then encrypted with AES-256 using unique-per-customer keys. Customer keys are controlled by the customer within their account and Druva claims an external key management system is not required. Redundant copies of data are stored across multiple S3 services in an AWS S3 region. Druva performs periodic integrity checks on customer data with simulated full restores. If a file tests as unrecoverable, it is scheduled for full backup on the next backup.
Legal hold and eDiscovery are supported, with customer-configurable retention periods and dataset filters. Immutable copies are held outside of custodians’ device control to prevent tampering or deletion. Druva also provides a rich API for third-party legal discovery systems such as Exterro.
If a recovery is needed, Druva can guard against reinfection by filtering the restore for known or customer-defined indicators of compromise (IOCs). A curated recovery mechanism helps customers locate the best possible recovery point across multiple snapshots of the estate. Backups can be quarantined at the snapshot, device, and virtual-machine level from the Druva console, or via third-party integrations.
Druva supports RBAC with MFA and supports enterprise single-sign-on services, such as Okta, Ping Identity, and Microsoft ADFS for both administrators and users. Traditional Active Directory and LDAP authentication is also possible if required.
Druva supports real-time audit logging of events for both administrators and users, and audit logs can be stored based on customer requirements. Audit logs can be downloaded for external analysis in CSV or HTML format.
Anomaly detection is supported for endpoint, file, NAS, VMware, and Microsoft 365 workloads, and Druva provides prepackaged integrations with third-party SIEM/SOAR systems such as Splunk, Palo Alto Networks, and Trellix Helix (FireEye). Druva also provides a built-in dashboard with real-time security posture assessments.
Druva has achieved a range of government and privacy certifications, including FedRAMP, FIPS, and SOC 2 type II. It provides a data resiliency guarantee of up to $10 million for qualifying customers.
Strengths: Druva has a strong security posture that builds on AWS’ capabilities as the leading public cloud provider. It provides an integrated experience well suited to cloud-first organizations.
Challenges: The cloud focus of Druva can limit its appeal to organizations with hybrid cloud or edge data requirements. Druva lacks features such as support for external key management systems that some enterprise customers require.
Hitachi Vantara
Hitachi Virtual Storage Platform provides a secure multitenancy storage system with fine-grained control over access to resources, including parity groups, host group IDs, iSCSI target IDS, and logical devices. Hitachi Vantara offers multiple data replication and copy data management options for business continuity and disaster recovery.
Hitachi Vantara partners with Hitachi Systems Security (HSS) to provide a proactive data exfiltration protection managed service. HSS offers customized, fully managed security services that include 24/7 monitoring of customer systems and specialized professional services.
Hitachi Ops Center has an AIOps feature that monitors systems for unusual activity. Dynamic threshold alerts reduce the number of false positives that can plague systems that rely on statically defined thresholds. Hitachi Vantara claims the ability to recover from ransomware within four hours using Ops Center automated management capabilities, and, for more advanced ransomware protection, detection, and automated recovery for VMware environments, Ops Center also includes Protector and CyberVR.
The Hitachi Data Retention Utility (part of the Hitachi Storage Virtualization Operating System, or SVOS, used on the VSP) can provide immutable data copies of any data storage volume, with customer-defined retention periods. Immutable snapshots and clones are orchestrated by Hitachi Ops Center for local or remote backups. Ops Center can also move protected copies of data to physically separated or minimally connected systems, and also supports copying data to Hitachi Content Platform object storage and Amazon S3.
Hitachi Ops Center supports MFA via Microsoft ADFS and OIDC integration. RBAC is robust and a granular set of roles are provided by default. Customers can further refine access using virtual partition manager software for multitenancy. Customers can achieve clear separation of duties and restrict privileged administrators from accessing functions that are not part of their role. Hitachi VSP supports integrated and external key management with KMIP-compliant key managers.
Hitachi Vantara’s Modern Storage Assurance service manages system upgrades and secure recycling of storage systems without customer intervention, disruption, or downtime.
Strengths: Hitachi Vantara is able to provide strong security systems and services for critical customer data. Customers with specialized needs will benefit from Hitachi’s wealth of expertise.
Challenges: Hitachi Vantara systems have a somewhat limited ability to interoperate with a heterogeneous environment and may require dedicated resources to manage. Support for a broader ecosystem will enhance Hitachi Vantara’s customer appeal.
HPE
HPE provides a comprehensive set of data security capabilities across its portfolio of products, both traditional HPE product lines and the HPE GreenLake umbrella brand. It has made significant progress in building an integrated security approach across the organization.
HPE Primera primary storage systems support both full volume copies and snapshots, and the Remote Copy feature can replicate data to remote systems. Snapshots can be read-write or read-only, and the volume virtual lock feature provides tamper-proof storage volumes and volume copies with configurable retention periods that guard against deletion even by highly privileged administrators. HPE Nimble Storage provides similar functionality aimed at more midrange workloads.
HPE Recovery Manager Central works with HPE StoreOnce appliances to provide a backup target device for on-premises deployments that can rapidly move data from HPE Primera and HPE Nimble Storage devices. With the StoreOnce CloudBank Storage feature, StoreOnce devices can pass backup data to 18 object storage systems including AWS S3, Azure Blob storage, and Scality.
HPE GreenLake for backup and recovery supports VMware VMs and Amazon EBS volumes and EC2 instances. It supports immutable copies and dual authorization of sensitive operations, and integrates with HPE Alletra, HPE Primera, and HPE Nimble Storage Gen 5 devices managed by the HPE GreenLake portal. Disaster recovery is provided via HPE’s Zerto acquisition, which adds high-end continuous data protection and replication for VMs.
HPE’s trusted supply chain initiative is now available worldwide, and HPE has made good progress in developing software “bill of materials” processes. Hardware fingerprints (HPE calls it a silicon root of trust) help prevent malicious corruption of firmware, and HPE employs third-party penetration testing and analysis to align with NIST 800-53 cybersecurity controls.
Strengths: HPE’s broad portfolio provides good options for every customer security need and can be assembled to provide a strong security posture. HPE’s ecosystem of partnerships provides plenty of options for further enhancements that integrate well with HPE’s products.
Challenges: HPE is a little later in embedding security into its entire process than some competitors and assessing the security posture of the various components can be a challenge. The GreenLake brand can sometimes obscure the purpose of specific products.
IBM
IBM has been investing in data security for many years and offers a comprehensive set of options for the enterprise.
IBM Storage FlashSystem provides a robust range of data protection features, including snapshots, Safeguarded Copy for immutable data copies, and Cyber Vault for continuous data protection. FlashSystem can also provide a high-speed data backup target that integrates with IBM Spectrum Sentinel to scan backups for early threat detection. Cyber Vault can also provide an isolated testing environment to ensure the data to be restored is clean.
IBM Storage Ceph provides a range of security options and runs with authentication and authorization enabled by default. The Ceph Object Gateway supports LDAP and AD authentication as well as OpenStack Keystone.
IBM Guardium has been helping customers with data regulatory compliance for many years since its acquisition by IBM in 2009. The original data activity monitoring features integrate well with IBM primary storage systems, and have been expanded over time to include cloud data sources such as AWS Kinesis, Snowflake, and SAP.
Guardium Data Encryption is a central platform for managing data encryption across a customer’s environment. It integrates with data storage systems to provide granular encryption at file, database, and application levels, as well as tokenization and data masking capabilities. Guardium Data Encryption provides its own key management facilities and integrates with external KMSes.
Guardium Key Lifecycle Manager offers a centralized approach to policy-based key management across a customer’s estate. It integrates with other KMSes via KMIP, IPP, and REST protocols to provide policy-based controls for encryption keys independently of the underlying datastores. It provides a robust set of RBACs and helps to exclude untrusted devices and actors from the environment.
IBM Security Discover and Classify is a relatively new product. Announced in 2022, it uses automated models to detect and classify both structured and unstructured data so that customers can better understand where their most sensitive data is and where it is moving.
Strengths: IBM has a long history of helping customers securely manage highly sensitive data and offers plenty of options for adopting a strong data security posture. If one option seems unsuitable, there is likely another one available.
Challenges: IBM’s large portfolio can be challenging to navigate and products can seem disconnected from the holistic security posture customers are seeking to achieve. There are encouraging signs of a recent change in emphasis that should improve how IBM communicates its capabilities and how customers can incorporate them into their environment.
NetApp
NetApp has a comprehensive security posture that manages the security of its systems and customer data throughout its lifecycle.
Data can be protected using immutable snapshots, which can be copied to remote systems via SnapVault and SnapMirror. The Multi-Admin Verification feature adds a quorum-based process requiring two or more approvals to guard against accidental or malicious deletion. Snapshots can also be stored in immutable SnapLock volumes that can’t be deleted by privileged administrators or even NetApp support.
NetApp supports robust role-based authentication controls and policy-based access management. Data access can be managed using Microsoft Active Directory, LDAP, and NIS, and Dynamic Access Control (DAC) is supported. Additional access control is available using native Storage-Level Access Guard, or by using the FPolicy API to integrate with third-party tools.
The ONTAP FPolicy API supports user behavioral and entity analytics either with NetApp’s Cloud Insights product or with third-party software. Cloud Insights monitors for unusual account activity and data access patterns in real time, including mass data deletion, modification, or reads that might indicate exfiltration attempts. Cloud Insights can alert on such anomalous behavior and can also respond to take an immediate snapshot to protect against further damage, while also automatically removing data access privileges at the storage layer.
NetApp ONTAP supports standard AES-256, FIPS 140-2 data encryption for data-at-rest encryption, at both the software volume level and at the hardware drive level. Both hardware and software encryption methods can use an internal KMS, or external KMSes from KMIP vendors, or cloud options such as Amazon AWS KMS, Azure Key Vault, or Google Cloud Key Management.
NetApp recently added YubiKey hardware token MFA support for FIDO2-based SSH access to its systems. Cisco Duo is supported for MFA to the System Manager GUI and Duo support for CLI access is planned.
Strengths: NetApp has a robust and well-established security posture for its systems and integrates well with other systems. NetApp storage has achieved the US National Security Agency (NSA) Commercial Solutions for Classifieds (CSfC) certification and is validated for storing secret and top secret classified data.
Challenges: Some of NetApp’s security features were developed relatively early, so they can prove somewhat complex to use in practice. NetApp is addressing this challenge with its BlueXP control plane SaaS, which has recently been introduced.
Nutanix
Nutanix’s heritage as a hyperconverged infrastructure vendor provides a solid base for offering data security infrastructure.
Nutanix provides a hybrid cloud solution for deploying data and applications on-premises or in the cloud on a single, common platform. Customers can purchase traditional hyperconverged infrastructure for on-site deployment, or use Nutanix Cloud Clusters (NC2) as an abstraction layer on top of cloud infrastructure to provide the same Nutanix experience everywhere. Nutanix also provides several cloud-based SaaS options, such as DRaaS for specific use cases.
Nutanix supports snapshots of VMs and volume groups and integrates with host OSs and databases for data consistency. Recovery can be granular at the file level and rapid recovery from snapshot of sets of VMs or volumes is supported. The cloud connect feature supports sending backup data to AWS or Azure. Nutanix Metro and NearSync provide reliable disaster recovery for major site failure scenarios, and application recovery orchestration with recovery plans is well integrated with the platform. The Nutanix Mine backup target supports immutable copies with configurable retention periods.
Nutanix Security Central is a SaaS-based security monitoring and reporting offering that provides automated anomaly detection, network microsegmentation recommendations, and compliance reporting with support for standard frameworks such as NIST, HIPAA, GDPR, and PCI-DSS. Nutanix Security Central integrates with popular enterprise tools such as Splunk and ServiceNow and provides a webhook API for custom integrations.
Nutanix has implemented a security configuration management automation (SCMA) framework to periodically audit services against security policy for variances. Inconsistencies are logged and can be automatically reverted to baseline. Systems can also be configured to run the advanced intrusion detection environment (AIDE) tool periodically.
Nutanix supports RBAC and authentication via Active Directory and LDAP. Encryption at rest is supported for both self-encrypting drives and software-only encryption, though data is decrypted when replicated to another cluster. Software-only encryption keys can be managed with Nutanix Native Key Manager either locally or remotely, or with an external KMS.
Strengths: Nutanix provides good options for mid-market and smaller organizations that want to unify on a single platform and augment it with third-party security products.
Challenges: Nutanix lacks some of the security features of other data infrastructure vendors and its ecosystem of integrations is more limited.
Pure Storage
Pure Storage has embedded a comprehensive security program it refers to as DevSecOps across its business. This program, which aligns with the NIST security framework, is helping Pure to adopt a secure posture in all of its activities, not merely the security features in its products.
This helps Pure to not only deliver more secure systems but also to keep them secure and improve them over time. Pure has comprehensive security controls in place for its supply chain, both for component sourcing and for product distribution to customers. Customers are able to validate that the systems they acquire are what was expected, including both hardware and software changes.
Its Pure1 SaaS service is an important repository of sensitive information about customer systems. Customers are able to leverage Pure1 to assist with their own security efforts, such as via the self-service upgrade capability for FlashArray. Pure1 is also used to proactively monitor customer systems and identify potential issues early.
Pure’s primary storage products have a range of security features that protect customer data, such as robust RBAC, MFA, strong encryption and key management mechanisms, robust separation of concerns structures, and integrations with other products such as Active Directory, LDAP, and CyberArk.
SafeMode is particularly noteworthy; when engaged, SafeMode ensures that even highly privileged administrators are unable to destroy data, and multiple people are required to authorize sensitive operations.
Pure’s products provide comprehensive audit logging and integrate with external systems such as SIEMs and SOARs for holistic security management, and Pure supports the OpenMetrics standard for telemetry. Pure1 provides some heuristic-based anomaly detection, but Pure recommends working with partners such as Delphix, IndexEngines, or DeepInstinct for signature-based malware detection or other more advanced techniques.
Strengths: Pure Storage has invested in a comprehensive security program that improves the products customers use and its internal processes for building them. Pure can credibly demonstrate a leading security posture.
Challenges: Secure fleet management and orchestration add complexity, particularly as Pure expands its product range. Some security features or processes, such as self-service upgrades, are available only on a subset of products today, though Pure plans to roll them out more broadly.
RackTop
RackTop’s BrickStor SP file storage software was designed with security front of mind. Available preinstalled on x86-based appliances, virtual appliances, or as software only, BrickStor provides a high-security system for managing file data.
BrickStor SP has a number of advanced security features that are particularly noteworthy. The system employs an active defense approach that dynamically monitors activity on the system to detect potential threats in real time. If a potential threat is detected, data can be quickly quarantined, access privileges can be immediately revoked, or other actions taken based on user-definable policy.
While immutable copy features are becoming commonplace, the BrickStor SP can mark individual files as immutable, which is distinct from the more common dataset snapshot approach. The BrickStor Vault feature provides a cryptographically signed manifest for attestation and chain of custody. Access to data in a vault is controlled by a “data owner,” rendering sensitive data inaccessible even to highly privileged storage administrators.
BrickStor SP uses AES-256 for at-rest encryption on a per-dataset/volume basis, and supports per-dataset key-rotation policies via its built-in KMS. Data remains encrypted when replicated to remote secondary devices. When installed on compatible physical devices, BrickStor SP also supports FIPS AES256 Level 2 validated drives for a second layer of at-rest encryption.
The built-in KMS provides advanced features such as key verification, key rotation schedules, and encryption audit reporting that are usually only found in external KMSes. BrickStor also supports external key management if customers prefer.
BrickSP also provides a forced re-authentication feature. Customers can define policies that require users to reauthenticate themselves when they wish to perform high-trust activities, or if user behavior falls outside of what is expected. This more dynamic and context-sensitive approach to system and access is where the industry is heading as more vendors truly embrace the intent of zero trust.
RackTop has comprehensive on-system tools for investigation, compliance reporting, and incident remediation. It also provides an open integration API via webhooks for customers who prefer to use centralized tools for holistic security management.
Strengths: RackTop’s security-first approach gives it an advantage over vendors who have come to security later in their development. BrickStor SP provides multiple advanced security features that are not available on other systems.
Challenges: RackTop lacks the broad ecosystem of some other enterprise vendors, and will benefit from planned investments in automation tooling with systems like ServiceNow and Ansible. BrickStor SP is limited to two-node high availability, but the company is moving to support N-way orchestration. The lack of comprehensive block and object storage protocol support also limits RackTop’s appeal, though iSCSI is supported and S3 protocol support is on the roadmap.
Rubrik
Rubrik’s heritage as a scale-out hyperconverged backup and recovery product has provided it with a good foundation on which to build a security posture.
Rubrik supports scheduled backups to and continuous data protection of on-site appliances, and can archive data to S3 compatible object stores, both cloud and on-site, NFS volumes, or tape. Data can also be replicated to alternate recovery locations. Rubrik stores data in a separate system not accessible to primary systems via regular storage protocols to guard against ransomware. A range of data sources are supported, including physical servers, VMware, Nutanix, and Hyper-V VMs, SQL and NoSQL databases including Oracle, DB2, and SAP HANA, AWS and Azure native workloads, Kubernetes, and Microsoft 365.
Data is encrypted in motion and at rest, and Rubrik supports both hardware and software FIPS 140-2-compliant encryption. Inter-node communication is encrypted by default. Encryption keys can be managed natively, or via external KMIP-compatible key management systems.
Rubrik provides RBAC and MFA for all user logins, and integrates with Active Directory. It also adds TOTP MFA for local logins to guard against compromised Active Directory credentials. Two-to-sign authorization is supported for high-impact operations such as expiring backups early to guard against insider threats. Resetting clusters requires a support case to be raised with Rubrik to guard against malicious resets. User activity is logged and Rubrik provides centralized audit reporting, as well as integrations with leading SIEM and SOAR tools.
Rubrik’s Callisto metadata layer and Cerebro data management layer support features for data discovery and classification to assist with locating sensitive data and potential risks. Prebuilt classification templates are available to align with regulations such as GDPR, HIPAA, CCPA, and PCI-DSS. Monitoring can also provide early warning of suspected ransomware or similar threats to data integrity. Rubrik can detect the initial point and scope of a malware infection to assist with recovery.
Strengths: Rubrik’s metadata and data management features combine with its SaaS ease of use to provide a solid foundation of data protection, rapid recovery, and data search capabilities.
Challenges: Rubrik’s security posture is tightly coupled to its heritage in backup and recovery. It will need to be augmented with other tools and systems to provide a truly holistic customer solution.
Veeam
Veeam has expanded from its heritage as a virtual-machine-focused data protection solution to become a comprehensive data security and protection system.
Veeam can protect data from a wide range of sources, including VMs, physical servers, databases, unstructured file datastores, public cloud systems, Kubernetes, and SaaS systems, such as Microsoft 365, Teams, and Salesforce. Data copies can be stored on a range of target devices, with encryption both in-flight and at rest, though data is decrypted and re-encrypted during cloud offload. Veeam was a pioneer in the instant recovery of VMs, a capability that has been extended to cover multiple workloads. It provides rapid and granular data recovery as well as disaster recovery orchestration capabilities.
Veeam supports immutable data copies with configurable retention durations and supports RBAC and MFA to secure access to data. The Veeam Cloud Connect with Insider Protection offering is particularly noteworthy for giving customers a choice of service provider to act as a neutral third party-repository for their data, while they still enjoy Veeam’s protection from compromised administrator credentials.
Veeam ONE is able to monitor for threat signals, such as high data transfer rates and redirected restores (indicating potential data exfiltration), spikes in CPU and disk activity (potential ransomware), and to guard against the modification of immutable copy retention periods. The new Clean DR feature scans for ransomware during recovery for added peace of mind.
Veeam Best Practices Analyzer helps customers to assess their own systems for potential misconfiguration, and Veeam Intelligent Diagnostics alerts customers to known vulnerabilities that should be addressed through patching.
Veeam has a large ecosystem of partners and integrates well with primary storage snapshots and replication. Plugins are available to integrate ServiceNow with Veeam ONE and Veeam Backup and Recovery for SIEM workflows familiar to enterprise security teams.
Strengths: Veeam’s modular approach supports organizations of every scale, from SMB and mid-market through to the enterprise. Veeam integrates well with a broad ecosystem of products.
Challenges: Some security features are available only for a subset of supported workloads, such as ransomware alerts. Customers will need to invest time to understand the portfolio of options to ensure it meets their needs. The lack of support for external key management systems is a gap that Veeam plans to address in its next version.
6. Near-Term Roadmap
The current scope and scale of security threats combined with the increased focus from regulators and customers on keeping data secure is pushing vendors to elevate security to a primary concern. Where previously the focus may have been on features or performance, keeping data secure is now paramount. Some customers are willing to compromise on performance or features in order to ensure their data remains private and secure.
This orientation creates an opportunity for vendors that look at data storage from a security perspective first, rather than as an afterthought. Security-focused data infrastructure should enjoy a period of customer enthusiasm. There are rich margins on offer for vendors that can successfully provide competitive features with a top-grade security posture.
However, there is also pressure from customers who expect secure systems as a matter of course. Indeed, no one sets out specifically to buy an insecure system, so this will act to push margins down over the longer term. Regulators are starting to expect vendors to take more responsibility for the security of the products they sell, and there is no reason to expect regulator diligence to diminish in the near term.
There is a related push from customers and regulators alike for improved privacy. Security of data will increasingly refer not only to keeping data safe from damage, loss, or lack of access (as from traditional ransomware) but also to preventing unauthorized access to data, where “unauthorized” takes on quite a broad meaning. We expect to see rapid improvements in access control, authentication, and audit and assurance so that data custodians can clearly prove they have been trustworthy fiduciaries of the data they hold in trust.
7. Analyst’s Take
Data security infrastructure is a new way to think about how data is stored and managed in the enterprise. It combines features that are familiar to primary storage and backup and recovery practitioners, but adds techniques that were once the domain of the security team. This amalgamation of techniques reflects the modern approach of building security into systems from the outset, rather than bolting it on later, if at all.
There is a clear need for increased security in every part of the enterprise, and viewing infrastructure through a security lens helps to focus our attention on areas that might otherwise be overlooked. However, it’s unclear whether this blending of techniques will result in a single, unified approach to data security or if security will simply become part of systems that continue to sit in traditional market categories like primary storage or backup and recovery.
There are some vendors, such as RackTop, Continuity, and Cyera, that would prefer this new category to become more important. For many customers, it may prove the most useful way to think about how they store, manage, and protect their data. Others may feel more comfortable with traditional categories most of the time, and use a security lens as an occasional aid for focusing their attention as needs dictate.
Taking a deliberate approach to assessing the data security posture of vendors is valuable for all customers, whether they prefer traditional market categories or not. Even if you don’t feel the need to build or acquire data security infrastructure per se, data security will always be important. Turning one’s attention to the specifics of the challenge, free from distraction, will always be a worthwhile exercise.
8. Report Methodology
A GigaOm Sonar report analyzes emerging technology trends and sectors, providing decision-makers with the information they need to build forward-looking—and rewarding—IT strategies. Sonar reports provide analysis of the risks posed by the adoption of products that are not yet fully validated by the market or available from established players.
In exploring bleeding edge technology and addressing market segments still lacking clear categorization, Sonar reports aim to eliminate hype, educate on technology, and equip readers with insight that allows them to navigate different product implementations. The analysis highlights core technologies, use cases, and differentiating features, rather than drawing feature comparisons. This approach is taken mostly because the overlap among solutions in nascent technology sectors can be minimal. In fact, product implementations based on the same core technology tend to take unique approaches and focus on narrow use cases.
The Sonar report defines the basic features that users should expect from products that satisfactorily implement an emerging technology, while taking note of characteristics that will have a role in building differentiating value over time.
In this regard, readers will find similarities with the GigaOm Key Criteria and Radar reports. Sonar reports, however, are specifically designed to provide an early assessment of recently introduced technologies and market segments. The evaluation of the emerging technology is based on:
- Core technology: Table stakes
- Differentiating features: Potential value and key criteria
Over the years, depending on technology maturation and user adoption, a particular emerging technology may either remain niche or evolve to become mainstream (see Figure 3). GigaOm Sonar reports intercept new technology trends before they become mainstream and provide insight to help readers understand their value for potential early adoption and the highest ROI.
Figure 3. Evolution of Technology
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2023 "GigaOm Sonar Report for Data Storage Security Posture (DSSP) for Data Security Infrastructure" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.