Securing On-Prem Systems With a Data-First Approach

July 7, 2022  5 Min Read
By: Calamu

It may seem that cloud is king in modern business, but the truth is that many of us still rely on on-premises file servers to manage sensitive data. And as a seemingly endless stream of ransomware attacks permeate our news cycle, keeping the in-house Microsoft Windows File Server may even seem like the safest option. However, as hyper-targeted attacks increase in sophistication, even the on-premises servers are not immune to a breach. Companies that rely on Windows File Share and other on-premises data storage systems may want to consider a data-first security strategy for securing their sensitive files.



Common Threats to Windows File Server

Cyberattacks to on-premises systems are increasing. While business

es benefit from granular-level security control that the on-prem environment provides, the burden of system upkeep and management can leave them vulnerable. While SecOps and IT teams find efficiencies in the Common Vulnerabilities and Exposure (CVE) categorization to address known flaws, so, too, do threat actors. A clearly indexed catalog of known vulnerabilities is exactly the type of information ransomware groups are after to find exploits that gain access to the sensitive data stored in on-premises servers.1

In addition, backdoor vulnerabilities such as remote file inclusion (RFI) circumvent normal authentication procedures to access a system. The malicious code is written directly into an application that runs on the server making detection extremely difficult. Through the backdoor, perpetrators gain remote access within the application to file servers or databases and they can remotely control the system to issue commands or deploy malware.2


The Air-Gapped Fallacy

Air-gapped systems attempt to thwart cyber threats by removing all internet connectivity including local area networks to the server.  Beyond this, a true air-gapped environment disconnects all communication software including email clients, browsers, SSH and FTP. This means that all data transfer activity requires physical connectivity through external hardware or by temporarily attaching to the network. And herein lies the failure point. Air-gapped systems are still vulnerable to breach through USB installers, exploits on remote code executions, and trojans. Researchers are also seeing how electromagnetic signals can be used to breach air-gapped servers.3 And they are a prime target. Threat actors understand that only the most sensitive of information is housed in an air-gapped environment so gaining entry will most likely pay off big time. In a recent research report, ESET counted 17 malicious frameworks specifically designed to breach air-gapped networks.4


The Critical Security Flaw for On-Premises Data Storage

No matter how strict the security policies on an on-premises data storage environment, a critical security flaw exists: data remains in its complete state and thus readable and usable to threat actors should they be able to reach it. Instead of focusing security efforts toward the perimeter defenses, companies are now starting to look at protecting data from the inside-out, changing the data itself to ensure that even if a breach happens, the complete data set remains unreachable.  


The Data-First Security Layer - Introduce the Cloud to Create a Data Harbor

A data-first security approach for Windows File Server and other on-premises systems in many ways offer stricter data security than an air-gapped solution can provide while maintaining data accessibility for everyday business operations by ensuring the entire data set does not exist in a single location. Data-first security solutions, such as Calamu Protect, bridge the gap between cloud and on-premises. Users can continue to leverage their on-prem file server infrastructure, but utilize the cloud to create a virtual data harbor where files cannot be removed, altered, or improperly accessed.  This revolutionary technology is designed to work alongside existing Windows File Server and other on-premises environments to ensure data integrity by transforming how it is stored, so that even if the perimeter defenses get breached and malware reaches the data for exfiltration, the data remains protected. The data sets run through a process that compresses, encrypts, and breaks them down into fragments before scattering them across user-defined storage locations, making it virtually impossible to access the entire readable data set.  The technology that enables this process never takes possession of the data but instead works through the metadata, eliminating the threat of a third-party failure point.  

So, the data no longer exists to anyone but you and your authorized users, the rightful owners of the data. The resulting data harbor eliminates any single failure point be it NAS or a cloud storage location, even if misconfigured, and offers a safe way to scale over time as data volumes grow.  No single cloud provider and no single geographic region has enough of the fragments to reconstitute the file, even if the multitude of unique encryption keys were compromised - and the local server no longer holds sensitive information.  


Seamless Integration

Leveraging the revolutionary data processing capabilities of Calamu Protect for Windows File Server, users can seamlessly access and work with files in a virtual data harbor environment while ensuring the valuable content remains inaccessible to outsiders.  The Calamu Connector for Windows File Server automatically locates new data files and moves them to the data harbor.  This smart connector also identifies and manages updates through file versioning.  



1Security Magazine2Imperva | 3Sentinel One | 4ESET


See Calamu in Action.