Security Checklists for Evaluating Cloud Object Storage Vendors

Protecting data is a top priority for every organization. Compliance requirements, ransomware, and insider threats make data security essential for rapid recovery from outages and cyber attacks. Cloud object storage is well-suited for delivering data protection and cyber resilience because it stores data as discrete, policy-driven objects rather than fixed blocks or files, enabling granular access controls, immutability, and faster recovery. 

This article explores the following key requirements a cloud object storage vendor must meet to deliver advanced data security, and includes practical checklists to guide your choice: 

  • Cyber resilience 

  • Advanced access controls 

  • Ecosystem compatibility 

  • Operational simplicity

Security differences between object storage and traditional storage 

Security considerations for object storage and traditional storage differ due to their distinct architectures and access models. Object storage platforms are typically accessed through internet-facing APIs, enabling scalable, distributed access to data. As with any internet-accessible service, proper configuration and access controls are essential to maintain security. 

Object storage solutions handle data management differently from traditional storage. For example, native file locking is not always part of the core architecture, though many providers offer features such as object immutability or versioning to protect against accidental deletion or overwrites. Additionally, object storage supports flexible, customizable metadata, enabling powerful indexing and automation. As with all sensitive data, metadata should be governed by appropriate access controls and security policies to prevent unauthorized exposure.  

Why cyber resilience is non-negotiable for cloud object storage 

Achieving cyber resilience in cloud object storage means defining and enforcing policies that enable the storage environment to recover quickly from cyber attacks or outages. Cyber resilience in cloud object storage, therefore, comprises several capabilities for attack prevention and response. 

These include robust backup and restore capabilities, as well as protections such as immutability that prevent malware and other threats from altering or destroying stored data. Compliance also requires cyber resilience, even if regulators use different terms. For example, the US Financial Industry Regulatory Authority (FINRA), which creates rules for stock market firms, requires brokerages to conduct Business Continuity Planning (Rule 4370), keep records for up to six years (Rule 4511), and ensure that third parties back up data. 

As a desired characteristic of a cloud object storage solution, cyber resilience should be considered non-negotiable. Without cyber resilience, your data is at risk of permanent loss.   

Which cloud storage providers offer strong cyber resilience and immutability features?  

The right solution will provide immutable storage and object locking, making it impossible to modify or delete data while the lock is in force. Immutability and object lock mitigate the ransomware threat.  

Preventing an attack is also important for cyber resilience. Attaining this goal involves using Zero Trust architecture principles, along with other access control mechanisms and air gap capabilities. Traditional air gaps, where storage is not physically connected to the outside world, effectively no longer exist. Virtual air gaps, however, which use cryptography and immutability to create an impenetrable defense layer, offer the same protection.  

Wasabi offers virtual air gaps, along with Covert Copy, which creates invisible copies of data to hide it from attackers. Wasabi further enhances its cyber-resilience capabilities through data durability, which stores data across multiple, geographically distributed, redundant storage regions.  

The cyber resilience checklist:

The following questions will help you determine if a vendor meets advanced data security requirements.

  • Does the vendor support Object Lock? — Object Lock renders data immutable by enforcing a Write-Once-Read-Many (WORM) model. An object storage vendor should offer Object Lock, allowing data to be made immutable at the version level for specified periods of time. 

  • Is Object Lock tamper-proof, even from admin accounts? — A control is only as good as the countermeasures that prevent it from being abused. An object storage vendor should provide tamper-proof Object Locks. Wasabi makes this happen with its Multi-User Authorization (MUA) feature, which requires multiple admins to approve designated changes, such as Object Lock settings.  

  • Is immutability configurable by bucket and retention period? — Ideally, an object storage platform will let admins configure immutability per bucket, for example, with different retention periods for different buckets.  

  • Does the provider support Zero Trust security principles? — Zero Trust data security protects cloud object storage by never implicitly trusting any user who requests access. Instead, Zero Trust applies the principle of least privilege by requiring validation of all access requests based on factors such as IP address and device location. This approach greatly reduces the likelihood of unauthorized access. Your cloud object storage vendor should integrate with your Zero Trust identity solution or support Zero Trust policies in your identity and access management (IAM) solution. 

  • What protections exist against DDoS attacks? — Distributed Denial of Service (DDoS) attacks render storage systems unavailable by flooding them with requests. You likely have countermeasures in place to mitigate DDoS risk, but your cloud object storage solution should also have built-in protections against such attacks. Leading cloud object storage providers protect against DDoS attacks using traffic throttling, intelligent routing, and multi-site failover.
     
    For example, the cloud object storage solution should be able to throttle or block traffic from suspicious IP addresses. Alternatively, the solution can fail over to other sites if it detects a DDoS attack in progress. 
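To turn the Object Lock, tamper-proofing and retention questions above into a repeatable check, here is an added Python example (not Wasabi's code and not part of the original article). It assumes bucket state arrives in the JSON shapes returned by the S3 API calls GetObjectLockConfiguration and GetBucketVersioning, and the sample buckets are constructed for offline use.

```python
# Checklist evaluator for the cyber-resilience items above (added example).
# Input shapes mirror S3 GetObjectLockConfiguration / GetBucketVersioning.

# Constructed sample buckets: (lock configuration, versioning status).
SAMPLE_BUCKETS = {
    "backups-compliance": (
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
         "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}},
        {"Status": "Enabled"}),
    "backups-governance": (
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
         "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
        {"Status": "Enabled"}),
    "scratch": ({}, {"Status": "Suspended"}),
}

def audit_bucket_resilience(lock_cfg, versioning, min_retention_days=30):
    """Return the checklist failures for one bucket; [] means it passes."""
    findings = []
    # Object Lock depends on versioning: an overwrite creates a new version
    # instead of replacing the locked one.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
        return findings  # the remaining checks need a lock to inspect
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention: objects are only locked if the client asks")
        return findings
    # GOVERNANCE retention can be bypassed by suitably privileged accounts;
    # COMPLIANCE retention cannot be shortened or removed by anyone before expiry.
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(f"{retention.get('Mode')} mode is not tamper-proof against admins")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_retention_days:
        findings.append(f"default retention {days} days is below the {min_retention_days}-day minimum")
    return findings

def audit_all(buckets=SAMPLE_BUCKETS, min_retention_days=30):
    """Map every bucket name to its findings, for a fleet-wide report."""
    return {name: audit_bucket_resilience(lock, ver, min_retention_days)
            for name, (lock, ver) in buckets.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "PASS" if not findings else "; ".join(findings))
```

Against a live endpoint, feed the two API responses for each bucket into audit_bucket_resilience in place of the constructed dictionaries.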

Key factor: Advanced access controls and role-based permissions

The question of who is authorized to access your cloud object storage is central to securing your data and ensuring compliance with a host of regulations. The easier it is for a malicious actor, including an insider, to gain access to the data, the greater your risk exposure will be. Strong access controls are therefore essential for defending cloud object storage.  

Whether or not you implement Zero Trust, it is a wise practice to enforce the principle of least privilege access. Your cloud object storage vendor should support this, either through onboard features or through integration with an IAM solution. Least privilege dictates that a user be granted only the minimum access to data on the storage solution that their role requires. This restriction reduces the risk of lateral movement and improper access to data.  

Other essential identity security features for a cloud object storage vendor include role-based access control (RBAC), multi-factor authentication (MFA), single sign-on (SSO), and federated identity support. 

  • RBAC assigns access privileges by role, which simplifies administration and reduces the chance of access privilege errors, such as allowing a person who changes roles to access data from their previous role. 

  • MFA is a useful control that cuts down on the risk that a malicious actor will gain access using stolen credentials.  

  • SSO and federated identity require users to authenticate themselves against a central identity store. 

  • API key management and rotation also help mitigate the risk of unauthorized access to your cloud object storage platform. If your organization is like most, you may have dozens, or even hundreds, of APIs connecting various elements of your IT estate, both internally and externally. It’s easy to lose track of keys, and malicious actors can exploit the situation to gain access. One big problem here is that such attacks can be hard to detect. They look like legitimate machine-to-machine interactions. By rotating and tracking API keys, the cloud object storage platform minimizes this risk. 

Many of these identity security controls live elsewhere in the IT estate, such as in IAM systems. Your cloud object storage solution may already have access controls in place, but it should also integrate with these systems and support their controls. Wasabi cloud object storage offers its own MFA, RBAC, and IAM functionality, as well as Multi-User Authorization, which requires multiple users to approve changes or deletions. It also integrates with leading solutions in each control area.  

The advanced access controls checklist: 

  • Granular role-based permissions — How granular can you get with the storage platform’s RBAC? You should be able to control access privileges beyond just job role, for example, with employee-specific tasks, such as allowing salespeople to access only files related to their accounts. 

  • MFA enforcement options — The cloud object storage solution should support whatever MFA standard your enterprise uses, such as apps like Duo or Google Authenticator. 

  • Integration with enterprise IAM systems — The best identity security outcomes for cloud object storage occur when the storage platform integrates with your enterprise’s IAM system, such as Microsoft Entra ID.  

  • Full audit trail visibility — Does the storage platform provide full visibility into access requests, sessions, and data transfers? This check is necessary for compliance in many cases and for forensic analysis of data breaches.   

  • Policy-based access controls — The platform should allow for policy-based access controls, which determine access privileges according to dynamic policies. For example, users in a role can only access relevant areas of the storage platform if their devices are operating within a specified geography or time of day. 
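As an added example (not from the article or any vendor), the following Python scores an IAM-style policy against the granular-permissions, MFA and policy-based access items above. It assumes the AWS JSON policy grammar that S3-compatible platforms accept, and both sample policies are constructed.

```python
# Least-privilege evaluator for the access-control checklist (added example).
# Input is the AWS JSON policy grammar that S3-compatible platforms accept.
import json

# Actions that destroy data or weaken its protection; the checklist wants these
# behind MFA (condition key aws:MultiFactorAuthPresent), not a bare access key.
DESTRUCTIVE = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
               "s3:PutObjectRetention", "s3:PutBucketObjectLockConfiguration"}

def _as_list(value):
    """Policy grammar allows a string or a list in most fields; normalize."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return a list of findings for Allow statements; [] means least-privilege."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        actions = set(_as_list(st.get("Action", [])))
        cond = st.get("Condition", {})
        where = f"statement {i}"
        if actions & {"*", "s3:*"}:
            findings.append(f"{where}: wildcard action grants every S3 operation")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{where}: Resource '*' is not scoped to a bucket or prefix")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and any("*" in _as_list(v) for v in principal.values())):
            findings.append(f"{where}: anonymous principal makes the data public")
        mfa = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"
        if actions & (DESTRUCTIVE | {"*", "s3:*"}) and not mfa:
            findings.append(f"{where}: destructive actions allowed without an MFA condition")
        if "aws:SourceIp" not in cond.get("IpAddress", {}):
            findings.append(f"{where}: no source-IP restriction (Zero Trust network condition)")
    return findings

# Constructed: one over-broad policy and one scoped to a sales team's prefix.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})
STRICT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::sales-docs/accounts/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_policy(pol) or "PASS")
```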

Key factor: Ecosystem compatibility and long-term flexibility 

Storage is almost always one element in an interconnected ecosystem of applications and cloud platforms. For this reason, a cloud object storage vendor must offer broad compatibility and integration capabilities, as well as long-term flexibility to adapt to evolving architectures. Integration should extend from enterprise technology stacks to security toolsets, including threat detection, incident response, and monitoring tools.   

The ecosystem compatibility checklist: 

  • Native integrations with leading backup vendors — A good cloud object storage platform will allow you to use your preferred backup vendor. It needs to work hand in glove with solutions like Veeam, Rubrik, and Commvault, enabling you to implement your optimal backup plan without storage-related obstacles. 

  • Broad S3 API compatibility — Given that most enterprise applications are built to integrate with Amazon S3 storage, it makes sense for a cloud object storage vendor to use the S3 API. Wasabi does this, for example, enabling customers to connect any S3-compatible application to Wasabi. 

  • Support for third-party security tooling — Chances are, your security operations (SecOps) team will field its own suite of security tools. The SecOps team will want those tools to work easily with a chosen cloud object storage platform. For example, the storage platform needs to support threat-signature monitoring of stored files. 

  • Marketplace availability or alliance partnerships — A cloud object storage vendor’s partner ecosystem strength will suggest its degree of compatibility with third-party products. It is worthwhile to assess the vendor’s alliance partnerships or availability of integrations on its marketplace before selecting them as a cloud object storage solution. 

Key factor: Operational simplicity, usability, and cost transparency 

It’s wise to consider a cloud object storage platform’s operational efficiency and total cost of ownership (TCO). TCO includes configuration overhead, ease of deployment and migration, and usability issues such as the quality of the user interface (UI). TCO also relates to the consistency and transparency of cloud storage pricing and ongoing costs. Predictable billing is a desirable quality for cloud cost optimization.

Efficiency matters for security because complexity causes security risk. For example, an environment with many interconnections expands the attack surface. Attackers can more easily exploit insecure configurations than they can in simpler architectures. 

The operational simplicity, usability, and cost transparency checklist:

  • How long does deployment take? — Lengthy deployments are a costly drain on resources.  

  • Are pricing and egress fees transparent? — Some object storage vendors charge for data egress and API calls, which results in unpredictable storage costs.

  • Is the management interface intuitive? — The platform should be easy to use, with a modest learning curve. 

  • Are security features easy to configure? — It should not be a major challenge to configure the platform for security. Difficult configurations can expose the platform to risk, as it’s easier to make mistakes and leave it vulnerable to threats. 

  • Does the vendor offer hands-on support? — High-quality support matters in cloud object storage. Given the importance of storage for resiliency and business continuity, the vendor should provide rapid, hands-on support for any issues arising with its platform.  

Conclusion: Selecting a secure, cost-effective cloud object storage partner 

The marketplace offers you a wide choice of cloud object storage vendors. Among many selection criteria, cyber resilience and immutability stand out as the most important. Without them, your data is vulnerable to ransomware attacks and various types of outages. Wasabi offers an optimal mix of affordability and usability for cyber resiliency, including sophisticated access controls that limit risk exposure and immutability for storage and backups.  
