References

Introduction

Based on the previous content and research topics, it is essential to first understand that the main purpose of this article is to organize:

  • [x] What are the relevant threats and risks of data storage?
  • [ ] How to prevent these threats and risks with a zero-trust approach?

To be able to organize the relevant threats and risks of storage security, I have compiled the relevant security standards for Cloud Storage published by NIST, NIST SP 800-209. This document outlines:

  • The evolution of storage technology landscape, current security threats, and the resulting risks.
  • It primarily provides a comprehensive set of security recommendations to address threats, covering…
    • Common security management areas of Information Technology (IT) infrastructure: such as physical security, identity authentication and authorization, change management, configuration control, and incident response and recovery.
    • Security management areas specific to storage infrastructure: such as storage infrastructure, data protection, isolation, recovery assurance, and encryption.

I will only organize data that I find useful or available, and I will include some personal observations or statements. Therefore, this article is for reference only, and the correct content should be primarily referenced from NIST SP800-209.

Key Summary

Below is my key summary for this chapter, if you want to quickly understand, you can read this section.

Mapping Threats and Risks - Summary of Chapter 3

Threat
Possible Risks Threat Level
Backdoors and Unpatched Vulnerabilities - Different risks depending on the type of vulnerability.
- Risks apply depending on whether credentials are stolen or leaked.
High
Privilege Escalation - Risks depend on whether administrator or user credentials are stolen or leaked. High
Human Error and Intentional Configuration Mistakes - Different risks based on the type and scope of human or configuration errors.
- If it is a misconfiguration, all risks in section 3.2 may occur.
High
Physical Theft of Media - Different risks depending on the scope of theft.
- Risks include data disclosure and exposure, data destruction, backup compromise, and data unavailability and service disruption due to theft.
Medium
Insecure Images, Software, and Firmware - Different risks based on the type and scope of impacts.
- If it is an insecure configuration, all risks in section 3.2 may occur.
High
Malware and Ransomware Infection - Malware can lead to privilege elevation, credentials being stolen or leaked, and other threats.
- Depending on where malware appears, such as in application systems or management systems, it can affect the occurrence of all risks in section 3.2.
High
Cryptographic Compromise - May lead to data disclosure and exposure in (a) static data, (b) data in transit, and Š data in user/administrator sessions. Medium
Credentials Stolen or Leaked 1. Application System: Risks may include data disclosure and exposure, unauthorized data changes and additions, data destruction, etc.
2. Administrative System: Risks include backup compromise, ransomware attack, data unavailability and service disruption, tampering with storage-related logs and audit data, and insecure storage configuration parameters.
High

2.11 Storage and Data Management

As mentioned earlier, the following content primarily focuses on other aspects of storage and data management, rather than directly addressing “information security” control measures. Therefore, we will only provide a brief overview of the content briefly mentioned in NIST SP 800-209.

My thoughts: What is significant in the above is “data protection.” The three aspects mentioned can be explored in the context of information assurance/security. Consider the integration of “data classification” and “data protection.” For example, using data classification for access control in data protection.

Storage Resource Configuration and Resource Management
  • Content: This section mainly explains key points to consider in the lifecycle of storage resource configuration or management. It covers areas such as managing and controlling “physical devices,” coordinating changes across multiple “assets,” performance management and optimization, asset management, and event management.
  • Thoughts: Not the main focus of the paper.
Data Classification or Categorization
  • It mentions referencing data regulations like PII, PCI-DSS, HIPAA, etc., to classify data more granularly and apply different protections to different types of data.
  • It can be categorized into several main types:
    • Sensitivity (e.g., sensitive vs. non-sensitive).
    • Frequency (e.g., frequently accessed vs. infrequently accessed).
    • Environment (e.g., production environment vs. development environment vs. test environment vs. demo environment).
Data Sanitization
  • It explains the need to use appropriate data sanitization methods based on the type and specifics of the data.
  • It mentions that data sanitization can primarily be divided into the following categories:
    • Clean: For example, overwriting existing data.
    • Purge: For example, using strong magnetic fields for demagnetization in magnetic media or using cryptographic erasure for encrypted data.
    • Destruct: For example, physically destroying media, such as burning or shredding.
Data Retention
  • It explains that in certain situations, specific data may need to be retained for a short-term, medium-term (i.e., less than 10 years), or long-term duration.
  • Data retention is typically achieved by backing up data copies to some medium. This might be done to fulfill operational, legal, regulatory, or statutory requirements.
Data Protection
  • It is a comprehensive term referring to all activities that ensure data is accessible, available, undamaged, and usable for all authorized purposes and meets acceptable performance levels.
  • These activities must comply with regulatory requirements, including privacy protection, and involve all physical, managerial, and technical means to ensure data is not accidentally or unauthorizedly disclosed, modified, or destroyed.
  • Data protection involves various lifecycle stages, including:
    • (Storage) Static data on endpoints - data stored on servers or client devices.
    • (In transit) Data in transit - data transferred between storage devices, client to server, or server to server.
    • (In use) Data in use - data being viewed, modified, or synchronized between devices.
    • (Out of secure boundaries) Data outside secure boundaries - data during downloads, physical media transport, etc.
  • Data protection can be divided into three aspects:
    1. Storage: Mainly discussing protection related to “storage” itself, such as backup, recovery, replication, immutability, continuous data protection, snapshots, etc.
    2. Privacy: Mainly discussing the “privacy of data” itself, but this varies by region, and it’s not discussed here.
    3. Information assurance/security: Mainly technical control measures, each of which requires a dedicated section to discuss its details, so it’s not discussed here.
Data Reduction
  • There are two common methods of data reduction, and these methods can be used in combination.
    • Data Deduplication: Data deduplication attempts to replace multiple data copies with references pointing to a shared copy. It’s like having the same file, so you don’t need to copy multiple identical data.
    • Data Compression: Data is encoded using known algorithms to generate a data representation that takes up less storage space than the unencoded representation.

3. Threats, Risks, and Attack Surfaces Related to Storage Infrastructure

Threat - The cause of potential unwanted events that may harm systems or organizations.

Chapter three primarily provides background information about “security threats,” “risks,” and “attack surfaces” (methods that may be used) related to storage system infrastructure.

3.1 Threats

Nine threats that Storage Infrastructure may encounter are primarily discussed:

3.3.1 Credential Theft or Compromise
  • The most common and easily exploited is the theft of login credentials.
  • The text mentions that effective credential theft involves “directly obtaining the user’s password, rather than guessing,” so relying solely on password length and complexity is often insufficient to protect the system from attacks. For example, the following scenarios do not depend on password complexity:
    • Modern ransomware often collects passwords from the data it captures.
    • Keylogging is also a form of credential theft unaffected by password complexity, where malicious software can virtually monitor user-entered passwords[23].
3.3.2 Cracking Encryption
  • Encryption key generation uses “randomness” to create keys. However, various vulnerabilities exist, from “weak encryption algorithms” and “weak key generators” to “server-side vulnerabilities,” key leakage, fundamental design flaws or vulnerabilities, and backdoors, etc. [24].
  • In simple terms, it’s essential to use strong encryption methods and protect encryption keys properly. Actively changing encryption keys can be a strategy to prevent key cracking or insufficient strength. In key generation, key strength, quality, and entropy play vital roles, and keys should not be reused.
3.3.3 Infection of Malware and Ransomware
  • The text mentions that attacks on “storage management systems” are often easier than attacks on the “storage devices” themselves.
  • Therefore, malware may cause harm when installed on storage management hosts, such as stealing credentials, privilege escalation, data corruption, loss or alteration, and compromising future backups, among others.
3.3.4 Backdoors and Unpatched Vulnerabilities
  • Backdoors are typically software mechanisms or features intentionally created by suppliers, individual contributors (in rare cases, possibly state or malicious actors), often considered reasonable by the authors (e.g., for support, debugging, national security, etc.).
  • Since backdoors have the potential for harm, they are not documented in official documents, and only a limited set of people are aware of their existence. However, over time, the existence of backdoors may be deliberately or inadvertently disclosed or discovered by the public.
3.3.5 Privilege Escalation
  • Privilege escalation exploits software vulnerabilities, design or deployment flaws, or configuration errors to gain access rights to protected resources in applications or user contexts.
  • Privilege escalation is highly associated with backdoor vulnerabilities. Privilege escalation comes in two forms:
    1. Vertical privilege escalation (privilege elevation): Low-privilege users or applications accessing the functionality or content of high-privilege users or applications.
    2. Horizontal privilege escalation: Ordinary users accessing functionality or content reserved for other ordinary users.
  • Impact on databases:
    • In storage systems, this threat may lead to various risks, including data corruption, data alteration, data loss, etc.
    • For example, an attacker may use escalated privileges to enter the storage system, delete volumes, and modify access configurations.
    • This type of attack may also jeopardize data backup copies (e.g., synchronous/asynchronous replicas, snapshots) or the generation of future backups.
    • Privilege escalation can occur at various levels, such as storage components (e.g., storage arrays, hosts, or clients), network devices, or management systems.
3.3.6 Human Error and Deliberate Misconfiguration
  • Even with security controls in place, users may make technically supported storage configuration changes that still pose unacceptable risks.
  • Possible human errors include:
    • Typographical errors.
    • Lack of understanding or familiarity with internal security standards and vendor best practices.
    • Communication errors between individuals or teams.
    • Errors related to storage infrastructure guidance or automation:
      • Direct errors, such as defects in scripts and configuration files.
      • Indirect errors, such as unnoticed software dependencies.
    • Mapping restricted object storage pools to public networks, stopping replication or backup for maintenance but failing to re-enable them afterward.
3.3.7 Physical Theft of Storage Media
  • All data is ultimately stored on one or more physical media, making them vulnerable to theft.
  • These media, whether online or offline, may be removed from their designated (fixed) locations or stolen during physical transportation processes, such as archiving media used for backups during transport, or during storage device shipment as part of a data center migration project.
3.3.8 Network Eavesdropping
  • Data may be intercepted when transmitted.
  • Transmission can involve many components: network cards (wired or wireless), transmission cables (power or optical), relays, switches, routers, etc. Any of these components may be compromised, and many forms of compromise are difficult or impossible to detect using state-of-the-art tools and methods.
  • Possible actions related to data include:
    • Some transmission compromises may involve data interception (also known as passive eavesdropping).
    • It may also involve the insertion, deletion, or modification of data, metadata, or control traffic during transmission.
3.3.9 Insecure Images
  • Adversaries may attempt to interfere with the software distribution, updates, or installation processes of storage devices to introduce incorrect, outdated, or maliciously modified code (e.g., binary files, images, firmware, drivers, etc.).
  • The software update process may rely on complex delivery chains: each link in the chain may become a target for introducing tampered software.
    • Publishers (e.g., vendors, third parties, open-source communities): Publishers may be penetrated to infect source code repositories, gain access to registered software or device access, and release modified, signed binary files on download sites or update servers.
    • Delivery methods (e.g., transmission or download, transportation of installation media, file copying by vendor staff).
    • Locally retained copies of organizations (e.g., proxy servers, internal file servers), etc.
  • Affected storage components include: disk drives, tape drives and libraries, network cards and controllers (e.g., HBA, network interface cards or NIC, FCoE adapters, etc.), switches and other network devices, storage enclosures and arrays, storage operating systems, storage components of client operating systems, and more.

3.2 Risk

This chapter describes the definition of security risks. The difference compared to 3.1 Threat can be summarized as follows:

Threat: It represents the potential locations for attacks or possible causes of Risk that have not yet resulted in harm to users or the organization (Risk).

Risk: It is the degree of threat to an entity (which could be an organization, system, or information). These risks mainly encompass the aspects of confidentiality, integrity, and availability that they might affect. This can impact an organization’s mission, reputation, assets, and other related interests.

For example, Threats include factors like “weak passwords” and “human configuration errors” (Threat) that can result in “data leakage” (Risk).

Security risk is defined as the degree of threat to an entity (which could be an organization, system, or information) from potential situations or events (impact x probability). These risks mainly cover the aspects of confidentiality, integrity, and availability that they might affect. This can impact an organization’s mission, reputation, assets, and other related interests.

Some relevant security risks are as follows:

Data Breach and Data Exposure
  • Data Breach refers to incidents involving sensitive and protected information being copied, transmitted, accessed, intentionally exposed to the public, or used by unauthorized individuals or entities. The impact of data breaches can range from inconvenience to users to exposing sensitive or confidential data, resulting in irreversible damage to an organization’s reputation and operational health.
  • Data breaches can be caused by two main sources:
    • External sources, such as hackers or cybercriminals.
    • Internal personnel, such as malicious insiders or disgruntled employees.
  • Possible root causes include some of the Threats mentioned earlier:
    • Weak encryption (or no encryption) during storage or transmission.
    • Software vulnerabilities.
    • Loss of removable media.
    • Theft of media.
    • Incorrect or overly permissive access controls.
    • Incorrect or incomplete data sanitization practices (including object deletion, retirement, or media reuse).
    • Sending information to the wrong recipients.
    • Uploading data in an incorrect manner (e.g., uploading protected data to public data repositories).
Unauthorized Data Alteration and Addition
  • Attackers gain access to data storage infrastructure in a way that allows them to modify data in a manner that affects future application transactions or other uses of the data.
  • Unauthorized data alteration and addition can come from external or internal sources and may be done in a covert or easily detectable manner.
  • This risk can be achieved using a “salami attack” method, where attackers steal small amounts of data or funds from a large number of transactions over an extended period.
  • The impact of data alteration and addition can range from financial losses to permanent damage to reputation and trust.
Data Corruption
  • Data Corruption refers to data that is damaged or altered unexpectedly during writing, reading, storage, transmission, or processing. It results in unexpected outcomes (exceptions) when objects containing the corrupted data are accessed in the system or related applications.
  • Typically, when Data Corruption occurs, it leads to unexpected outcomes when objects containing the data are accessed in the system or related applications. These outcomes can range from minor data loss to system crashes.
  • Specific scenarios include:
    • If a file is corrupted, users may not be able to open it, or it may open with some or all of its data rendered unreadable.
    • Some types of malicious software may intentionally corrupt or destroy files by overwriting their contents with invalid or garbage code or by securely erasing their content in a security-conscious way.
Compromising Backups
  • Data backups are essential, including retaining copies of data, snapshots, etc. Backups allow us to recover these assets in case of data corruption or loss.
  • There are several considerations for backups:
    • Data Consistency: Backups must be “correctly generated” and have appropriate “retention frequencies” and “update frequencies.”
    • Backup Security: The storage of backups must also be secure to prevent unauthorized access.
  • Failure modes for backups include:
    • Lack of consideration for consistency or integrity of write order during backups, which can lead to incorrect configurations.
    • Insufficient retention periods or infrequent backup updates, which may result in the inability to recover certain old or new data.
  • Attack strategies:
    • Disruption of the Backup Process: When existing backups cannot be compromised, another viable attack strategy is to disrupt the backup process itself, gradually “poisoning” future backups. By the time the only available backups are too outdated, it becomes impossible to fully recover data.
    • Targeting Backup Copies of Specific Systems or Applications: For example, operating system images, software packages, firmware, source code repositories, etc. This way, when attempting to respond to an infection by rebuilding individual components or entire environments, at least some malicious code is reintroduced into the environment, allowing the attacker to quickly regain control of the system or cause more damage.
Malicious Data Obfuscation and Encryption
  • Reversible data obfuscation and/or encryption makes data “unavailable” to users or organizations unless restored using keys held exclusively by attackers.
  • This type of risk is commonly used in ransomware attacks, where victims’ data is encrypted, and a ransom is demanded to regain access to the data.
  • Recent developments have expanded from targeting data or files on user devices or enterprise servers to other storage components such as NAS and backup devices.
  • Impact: These attacks are typically designed to be identified, and they often come with threats and ransom demands. The impact of data obfuscation and encryption can range from financial losses to permanent damage to reputation and trust.
Data Unavailability and Denial of Service
  • Data customers are unable to access some or all of their data. While such damage may be reversible (e.g., by restoring altered or deleted configurations), it can result in prolonged downtime and service interruptions.
  • Risks of data unavailability interruptions may be caused by:
    • Damage to “communication paths” or “access configurations,” intentionally or unintentionally.
    • Physical damage, such as interruptions in communication paths.
    • Logical damage:
      • Endpoint configuration errors of network components.
      • Modification or deletion of access control (SAN) settings by attackers.
      • Suspension of exports in NFS (Network File System) preventing clients from accessing their data.
Tampering of Storage-Related Log and Audit Data
  • It refers to attackers deleting or modifying log data (e.g., timestamps) to prevent effective audit trails, cover up attacks (real-time or post-event), or provide false information to investigators.
  • Attack behaviors:
    • Disabling Logging Systems: Attackers may attempt to temporarily or permanently disable the logging function of the target system, making their activities untraceable and their attacks less likely to be discovered and traced.
    • Filling All Available Space with Bogus Information: Attackers may write a large amount of false log information to fill the available log space, making it difficult to correctly record and store real log data, confusing investigators and tracking.
    • Redirecting Log Data to Rogue Log Servers: Attackers may use social engineering or deceptive means against clients or users to have them send valuable log data to rogue or fake log servers controlled by the attackers, making it easier for the attackers to gain control of sensitive information.
  • Impact: The goal of these actions is to disrupt, confuse, and conceal attack activities to protect the attacker’s identity and hinder security personnel from tracking and investigating the attack event.
Compromising Storage OS or Binaries
  • Attacks on storage software, including the operating system, firmware, images of storage devices, etc., resulting in adverse consequences that provide attackers with means for remote access, reading, copying, altering, or destroying data and its copies, changing security settings, exposing data, altering storage infrastructure behavior, etc.
  • Possible outcomes:
    • Changes in storage behavior can be used to introduce various potential and difficult-to-detect attacks.
    • Presentation of incorrect data to storage clients (even if stored data is intact).
    • Provision of incorrect statuses to storage clients, such as false reporting of the presence or state of snapshots and security settings.

3.3 Attack Surface

The attack surface is defined as “the sum of the different points (the ‘attack vectors’) where an unauthorized user (the ‘attacker’) can try to enter data into or extract data from an environment” [31].

This section will list common digital and physical attack surfaces related to storage infrastructure.

Physical Access
  • Physical access protection is the last line of defense. Once an intruder gains access to the storage infrastructure, they may ultimately attempt data theft, copying, or corruption, or even modify access configurations for remote access.
  • Targets include infiltrating physical devices: intrusion into data centers, peripheral areas, communication infrastructure (cabling), transportation of physical objects (hosts, disks, etc.).
  • There are two methods for physical access:
    1. “Explicit access”: Attackers pretend to be legitimate personnel to enter protected physical devices.
    2. “Tailgating”: Attackers pose as legitimate visitors and follow them to gain physical access to protected devices.
Access to Storage Operating System
  • The primary objective of this attack is to infiltrate storage devices through the operating system.
  • Possible threats:
    • Operating systems all have security vulnerabilities, so regular updates with security patches are essential.
    • Operating systems may be affected by improper configurations, allowing attackers various methods of access, including local login processes (SSH, rshell, telnet), remote login via TCP/IP, and exploiting system vulnerabilities.
  • In the case of “Hyper-Converged Infrastructure (HCI),” the attack surface may be larger as it involves multiple host operating systems.
Access to Management Hosts
  • Most storage components are primarily managed or configured through “commercial operating system hosts.”
  • Attackers may infiltrate management hosts in the following ways:
    1. Through malicious software: Infiltrating management hosts.
    2. Exploiting vulnerabilities in the operating system: Carrying out attacks.
  • Possible attack behaviors include compromising executables, reading cached data, installing eavesdropping devices to read memory data, installing malicious software, and obtaining configuration information.
  • Risks associated with infiltrating management hosts can lead to data corruption, data loss, tampering with backups, altering logs, and audits, making the damage potentially limitless.
Management APIs
  • Storage infrastructure components typically expose “management interfaces” such as “user interfaces (UIs),” “APIs,” or related management protocols to manage the associated devices.
  • For example, management interfaces may include access protocols (SOAP), REST APIs, etc., interacting with external network services for key management, authentication, and authorization.
  • These management interfaces can introduce various attack surfaces, including:
    1. Accessing storage devices through management interfaces (APIs) without infiltrating management software.
    2. Performing in-band access through data links (e.g., fiber channels), impersonating clients to send management commands.
Storage Clients
  • Storage clients are typically “computing components” or “applications installed on computing components” that use storage protocols to “read” resources.
  • Attackers may employ various attack methods by infiltrating clients, including:
    1. Sending management commands to storage devices through clients.
    2. Compromising clients used for creating backups, potentially harming future backups.
Storage Network
  • Attackers primarily gain access through infiltrating network components (including host adapters, switches, cables, extenders) and attacks on data transmission paths, leading to possible attack behaviors:
    1. Data: Copying, viewing, redirecting, or stealing.
    2. Configuration data: Reading user credentials, encryption keys, etc.
    3. Network components: Disrupting network components, modifying valid payloads, damaging or altering and adding data.
    4. Performing Man-in-the-Middle attacks (MITM): Sniffing data, bypassing encryption and authentication mechanisms.
Compute Environment of Key Individuals
  • Some “key users” have “management rights” over the “storage infrastructure,” such as remote connections to storage management hosts.
  • The “computing environment of key users” (e.g., laptops, desktops, home networks) may be exploited as a foothold to gain access to the storage infrastructure, causing damage.
  • For example, installing malicious software on a key user’s device, which then installs keyloggers to intercept login credentials.
Electrical Network and other Utilities
  • The “storage infrastructure” is connected to the electrical network, making it a potential attack surface. Possible attacks include:
    • Sudden power surges, lightning: Causing damage, including erasing data on electromagnetic disks.
    • Through malicious software (e.g., PowerHammer): Exfiltrating data by modulating the power consumption (CPU workload) of infected machines or altering current flow to steal sensitive information like passwords and encryption keys.
    • Line-level attacks: Intercepting data by eavesdropping on the power cables of infected computers.
    • Non-Intrusive data theft: Collecting information by measuring signals emitted on power cables and decoding them into binary form.
  • Other utilities, security, and environmental control systems may introduce risks such as system risks (e.g., overheating, floods, explosions), data leakage risks (e.g., stealing video surveillance to intercept password input or capturing content from screens, panels, indicator lights), and attempts to hijack the internal communication capabilities of environmental systems (e.g., WiFi, Bluetooth) to evade air gap isolation and network controls.

Consolidation 01: Organizing Threats and Physical Attacks (Reference OWASP)

Before creating a threat model, we need to organize the attack techniques used in threats more clearly to facilitate the creation of the threat model.

There is a close relationship between API security and databases. The OWASP Top 10 is a list of the most common web application security risks published by the Open Web Application Security Project (OWASP), and in the 2023 version, the top ten API security risks have been included, reflecting the importance of API security in modern applications.

In addition, NIST SP 800-209 provides guidelines on database security, especially in Section 4.6, which mentions access control recommendations related to network infrastructure and protocols. This is because databases involve the storage, management, and access of data, while network infrastructure and protocols are essential components that support data transmission and access. Therefore, here we will refer to OWASP Top 10 2021, OWASP Top 10 2023 for reference and then map the threats that databases may pose to what is mentioned in NIST SP800-209 Section 3.2.

1. Credential Theft or Compromise

Primary Defense Measures:

  • Use secure encryption protocols such as TLS 1.2, TLS 1.3
  • Use iterated hashing algorithms like Argon2, scrypt, bcrypt, or PBKDF2 with salt to store passwords securely
  • Implement corresponding control measures based on processing, storage, and transmission behavior
  • Disable caching for responses containing sensitive data
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.1 Credential Theft or Compromise NIST SP 800-209 indicates that effective credential theft is mostly “direct acquisition of the user’s password, rather than guessing,” so relying solely on password length and complexity is usually insufficient to protect the system from attacks. - Chapter 4.9 Encryption
- Chapter 4.3 Authentication and Data Access Control
OWASP 2023 API2:2023 Broken Authentication Improper implementation of authentication mechanisms can allow attackers to compromise or abuse authentication tokens, temporarily or permanently impersonating other users. Compromising user/client identification capabilities can harm the overall security of the API. - Chapter 4.9 Encryption
- Chapter 4.3 Authentication and Data Access Control

2. Cracking Encryption

Primary Defense Measures:

  • Using strong encryption methods is essential
  • Safeguard encryption keys properly
  • Regularly change encryption keys as a strategy to prevent them from being cracked or weak
  • Key strength, quality, and entropy play important roles in key generation, and keys should not be reused
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.2 Cracking Encryption Vulnerabilities such as weak encryption algorithms, weak key generators, or server-side vulnerabilities can lead to cracking encryption. - Chapter 4.9 Encryption
- Requirement: EN-SS-R9 - Encryption Key Management Requirements
- Requirement: EN-SS-R6 - Static Encryption of Sensitive Data
OWASP 2021 A02:2021 Cryptographic Failures This category typically results from the use of weaker encryption algorithms or weak key generators in cryptographic algorithms, leading to the exposure of sensitive data or compromise of systems. - Chapter 4.9 Encryption
- Requirement: EN-SS-R9 - Encryption Key Management Requirements
- Requirement: EN-SS-R6 - Static Encryption of Sensitive Data

3. Infection of Malware and Ransomware

Primary Defense Measures:

  • Disaster recovery copies of critical data should be scanned with various anti-malware scanning tools to detect known vulnerabilities and anomalies.
  • For sensitive data, regular use of antivirus tools to scan at least one subset of past copies to identify infected copies.
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.3 Infection of Malware and Ransomware Attacks often target “storage management systems” rather than the “storage devices” themselves. Therefore, malware may cause harm by being installed on the storage management host, such as stealing credentials, elevating privileges, data corruption, loss, or alteration, and disrupting future backups. - Requirement AC-SS-R33 - Use of Anti-Malware Scanning Tools
- Requirement RA-SS-R11 - Network Security Measures for Data Copies
- Requirement: DP-SS-R3.c Requirements for Backup-Related Standard Operating Procedures

4. Backdoors and Unpatched Vulnerabilities

Primary Defense Measures:

  • Features like call home or remote access are often used to collect telemetry and diagnostic data for manufacturer analysis and technical issue resolution, as well as for automatic software updates. However, these features can also be targeted by hackers, so they should be disabled if not needed, or limited and controlled if necessary.
  • Ensure the storage software versions are up to date
  • Install critical security updates and patches
  • Develop mitigation plans for cases where patches cannot be obtained
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.4 Backdoors and Unpatched Vulnerabilities Backdoors are usually software mechanisms or features intentionally created by suppliers, individual contributors (in rare cases, it may be state or malicious actors), and are not documented in official documentation due to the potential harm they pose. However, over time, the existence of backdoors may be intentionally or unintentionally disclosed or discovered by the public. - Requirement: NC-SS-R10 Disable Unused Storage Area Network (SAN) Ports
- Chapter 4.6 Network Configuration Guidelines
- Requirement: AA-SS-R11 Disable or Limit Call Home or Remote Access
- Requirement: CM-SS-R8 Software Updates and Patches

5. Privilege Escalation

Primary Defense Measures:

  • Except for public resources, default to deny access
  • Establish access control mechanisms and apply them consistently
  • Log access control failures and set alerts (e.g., repeated login failures)
  • Implement traffic limits for API access to reduce damage from automated attacks
  • Invalidate identity-based cookies upon logout or timeout
  • Use the shortest access time for JWTs; if JWTs are used for extended periods, it is recommended to follow OAuth standards to invalidate them
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.5 Privilege Escalation Exploiting software vulnerabilities, design or deployment flaws, or configuration errors to gain unauthorized access to protected resources of applications or users. - Chapter 4.3 Identity and Data Access Control
- Requirement: AC-SS-R26 Default Partition Permissions
OWASP 2023 API3:2023 - Broken Object Property Level Authorization Missing or improper authorization validation at the object property level leading to information leakage or unauthorized tampering. Same as above
OWASP 2023 API5:2023 - Broken Function Level Authorization Complex access control policies involving different levels, configurations, and roles without clear separation between management and regular functions, allowing attackers to send API requests to endpoints they should not access, leading to authorization vulnerabilities. Same as above
OWASP 2021 A01:2021 Broken Access Control Control measures failing resulting in unauthorized information disclosure, modification, corruption, or execution of business functions beyond the original permissions. Same as above
OWASP 2021 A07:2021 Identification and Authentication Failures Previously known as Broken Authentication, common flaws in account login/logout design mechanisms, with standardized frameworks helping to reduce the likelihood of such risks. Same as above

6. Human Error and Deliberate Misconfiguration

Main Defensive Measures:

  • Automated processes for deploying and verifying various security settings in the environment.
  • Consistent configurations across development and operational environments with different credentials.
  • Minimization and localization of server functionality.
  • Conduct security reviews and changes based on relevant updates (Refer to A06:2021 Dangerous or Outdated Components).
  • Use security headers.
  • Organizations should be able to recover data when production data is damaged or lost by replicating or backing up data copies, ensuring sufficient isolation between data assets and their recovery copies.
  • Ensure successful recovery in case of business disruptions, disaster recovery events, or security breaches.
  • Maintain a comprehensive and real-time configuration management list, manage changes, and ensure configurations consistently align with the organization’s security baselines and current industry best practices, while safeguarding against known risks.
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.6 Human Error and Deliberate Misconfiguration Unacceptable risks caused by technical support users making storage configuration changes. - Chapter 4.7 Isolation
- Chapter 4.8 Recovery Assurance
- Chapter 4.11 Configuration Management
OWASP 2023 API4:2023 - Unrestricted Resource Consumption APIs are often designed to return data for queries, requiring resources such as network bandwidth, CPU, memory, and storage. Other resources like email/SMS/phone or biometric authentication are integrated through APIs provided by service providers and billed on a per-request basis. Successful attackers may exploit this risk, leading to denial of service or increased operational costs. Same as above
OWASP 2023 API8:2023 - Security Misconfiguration APIs and supporting systems often involve complex configurations, designed to make APIs more flexible and customizable. Software and DevOps engineers may overlook these configurations or not follow security best practices in configuration, opening doors to attacks. Same as above
OWASP 2021 A05:2021 Security Misconfiguration Unnecessary features, services, ports, or security risks opened in a production environment, including XML External Entity (XXE) attacks. Same as above
OWASP 2021 A08:2021 Software and Data Integrity Failures Insecure Continuous Integration/Continuous Deployment (CI/CD) processes, using automatic updates lacking sufficient integrity verification. Same as above

7. Physical Theft of Storage Media

Main Defensive Measures:

  • Backup of network-attacked recovery should be stored offline, separate from production data.
  • This ensures that even if attackers gain physical access to production locations or successfully infiltrate physical locations, they cannot access or damage network-attacked recovery backups.
  • Physical security is a fundamental element of ensuring the security of any information technology infrastructure. Often, “physical security of storage infrastructure” requirements should be the same as “other infrastructure elements” (such as facility security, monitoring, transportation, etc.).
    • Relevant standards for infrastructure elements include NIST SP 800-53, Rev5, NIST SP 800-171.
    • For media disposal and destruction, you can refer to ISO 27040, NIST SP 800-88 for further discussion.
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.7 Physical Theft of Storage Media All data ultimately resides on one or more physical media that are susceptible to theft. Whether online or offline, they may be removed from their designated (fixed) locations or stolen during physical transport, such as archiving media used for backups or transporting storage devices as part of a data center migration project. Chapter 4.1 Physical Storage Security

8. Network Eavesdropping

Main Defensive Measures:

  • You can refer to NIST SP 800-209 Chapter 4.6 Network Configuration Guidance, which mainly covers network infrastructure (such as switches, ports, HBA and NIC configurations, zoning guidelines, etc.) and protocols.
Reference Source Related Threats Description
NIST SP 800-209 Security Recommendations
NIST SP 800-209 3.3.8 Network Eavesdropping Data may be intercepted during transmission. Transmission can cover many components: network cards (wired or wireless), transmission cables (carrying power or light), relays, switches, routers, etc. Any of these components may be compromised, involving the insertion, deletion, or modification of data during transmission, metadata, or control flow. Chapter 4.6 Network Configuration Guidance

9. Insecure Images, Software and Firmware

While NIST SP 800-209 provides fewer specific security recommendations for applications, data leaks often occur due to insecure applications. However, it discusses less about securing the interaction between applications (AP) and data.

Security recommendations related to applications in the standard mainly include:

  • Requirement 4.2.1 Data Backup, Recovery, and Storage
    • Emphasizes data integrity at the application and business process levels in terms of data backup, recovery, and storage.
    • Strictly requires application availability during restoration.
  • Requirement NC-SS-R3 - Use a mixed method for zoning
    • Involves host-based partitioning mechanisms to control what resources or storage data an application on the host can access and view.
  • Requirement RA-SS-R9 - Separation of data and application recovery
    • Advocates isolating data from applications during data recovery to avoid restoring compromised code or software.
  • Chapter 4.3 Identity and Data Access Control
    • Recommends limiting privileged access for applications to reduce the risk of attacks on storage systems.

In the context of insecure images, software, and firmware, the following recommendations apply:

  • Requirement AC-SS-R33 - Use anti-malware scanning tools
  • Requirement RA-SS-R11 - Network security measures for data copies
  • Requirement DP-SS-R3.c includes requirements for backup-related standard operating procedures
Threat Source Related Threats Description
NIST SP 800-209 Security Recommendations
Applications (Client-side) API1:2023 - Broken Object Level Authorization APIs often handle object identification publicly, creating a broad attack surface related to object access control. OWASP suggests designing object authorization in every feature to prevent unauthorized information disclosure, data tampering, or destruction. - Requirement 4.2.1 Data Backup, Recovery, and Storage
- Requirement NC-SS-R3 - Use a mixed method for zoning
- Requirement RA-SS-R9 - Separation of data and application recovery
- Chapter 4.3 Identity and Data Access Control
Applications (Client-side) API6:2023 - Unrestricted Access to Sensitive Business Flows Threats due to application flow issues may affect APIs because of excessive automation. Same as above
Applications (Client-side) API7:2023 - Server Side Request Forgery When APIs fetch remote resources without verifying the URI provided by unauthenticated users, server-side request forgery (SSRF) flaws can occur. This allows attackers to send crafted requests to unexpected destinations, even behind firewalls or VPNs. Same as above
Applications (Client-side) API9:2023 - Improper Inventory Management APIs often expose more endpoints than traditional web applications, making accurate and up-to-date documentation critical. Proper management of hosts and API versions is also essential to reduce maintenance issues such as deprecated API versions and exposed testing endpoints. Same as above
Applications (Client-side) A03:2021 Injection Includes XSS attacks, SQL injection, and command injection. Same as above
Applications (Client-side) A04:2021 Insecure Design Security issues resulting from incomplete system and feature design. Same as above
Applications (Client-side) A10:2021 SSRF When web servers fetch remote resources without verifying the URL provided by users, SSRF attacks can occur, even with firewall, VPN, or other network ACL protections in place. The severity of SSRF attacks increases with cloud services and their complex structures. Same as above
Images, Software, and Firmware 3.3.9 Insecure Images, Software and Firmware Refers to attempts to disrupt the software distribution, updates, or installation process of storage devices to introduce incorrect, outdated, or maliciously modified code. Every aspect of the software update process may be a target for introducing tampered software, including publishers (e.g., vendors, third parties, open-source communities), delivery methods (e.g., transmission or download, transportation of installation media, file copying by vendor employees), and individual organization-maintained local copies (e.g., proxy servers, internal file servers). - Requirement AC-SS-R33 - Use anti-malware scanning tools
- Requirement RA-SS-R11 - Network security measures for data copies
- Requirement DP-SS-R3.c includes requirements for backup-related standard operating procedures
Third-party Packages API10:2023 Unsafe Consumption of APIs Developers often trust data from third-party APIs more, leading to weaker security standards for third-party APIs. Attackers tend to prioritize attacking third-party services rather than directly attempting to compromise the target API. Same as above
Third-party Packages A06:2021 Vulnerable and Outdated Components Using components (operating systems, software, packages, libraries, frameworks) with known vulnerabilities in system development. Same as above
Third-party Packages A08:2021 Software and Data Integrity Failures Focuses on deserialization attacks and trust issues with third-party packages, libraries, modules, etc., including failure to protect software and data integrity, insecure deserialization, and the use of untrusted sources for packages, libraries, modules, etc. Same as above

10. Security Logging and Monitoring Failures

While NIST SP 800-209 does not list specific threats related to security logging, OWASP Top 10 2021 (A09) mentions threats related to security logging and monitoring failures. Chapter 4.4 (AL) of NIST SP 800-209 also emphasizes the importance of security logging and monitoring and provides related recommendations. Therefore, this section adds a threat aspect for security logging and monitoring.

Related Threats Description Defensive Measures
AA09:2021 Security Logging and Monitoring Failures Such failures can directly impact visibility, event alerts, and forensics. Chapter 4.4 (AL) Audit Logs

Consolidated Threat Model 02: Design Threat Model

The following threat model is a compilation of common threats referencing NIST SP 800-209 and OWASP Top 10. The environment briefly describes threats that the data infrastructure may face, including system boundaries, data transmission, backup monitoring, and more. Based on these threats, refer to the relevant threat descriptions and security recommendations in Consolidated Threat Model 01.