Using a Data Harbor to Reduce Risk in AWS FSx Environments

December 21, 2022  6 Min Read
By: David Tansey and Amelia Foss

For companies migrating their data to the cloud, Amazon’s FSx platform is a popular option. It is chock full of features that can support a variety of use cases and provide companies with access to data across the entire organization. It is also highly cost-efficient, giving customers a predictable cost structure versus on-premises servers. In addition, the FSx platform provides the ability to scale seamlessly, even for customers in a hybrid environment.

Yet while the benefits of cloud file shares are many, the risk of moving data to the cloud remains high as ransomware and other cyber attacks grow in sophistication and exploit common attack vectors. Cyberstorage, an emerging technology that fuses high-performance data security with accessible storage offers a new approach to processing data in the cloud. Hooking into an organization’s existing infrastructure, a cyberstorage layer hardens the file share environment and increases resiliency by transforming how data is stored. A cyberstorage solution works alongside AWS FSx to automatically protect sensitive files in order to reduce risk and further secure data against theft, exfiltration and evolving ransomware attacks.


How secure is my data today in AWS FSx or similar cloud share environments? 

While Amazon’s FSx platform provides options for failover zones accounting for durability of the data, preventing data from theft and exfiltration remains a top security concern for companies migrating to the cloud. Scalability and accessibility - the two top benefits of cloud file shares - are also the platform’s biggest weaknesses from a security perspective. In many cases, attackers need just a single entry point to access a host of private interdepartmental company data. But how easy is it to gain access?  

According to the Cloud Security Alliance (CSA), attackers can reach the “crown jewels” in just three steps.1 This means an attacker needs just three “connected and exploitable weaknesses” in a cloud environment to exfiltrate data and/or hold the data for ransom. And with ransomware gangs constantly scouring for known vulnerabilities (CVEs) and common misconfigurations, organizations are often unaware of just how insecure their data environment is.


Are my current security methods strong enough to protect Amazon FSx?

By and large, organizations today are not confident in their current security structures.  A recent survey conducted by the CSA and BigID shows that only 4% of respondents say they have sufficient security for 100% of their cloud data. The majority of respondents in the same survey believe they will experience a data breach over the next year.2 Common sentiment among IT security professionals is that current security methods are becoming increasingly insufficient against today’s sophisticated cyber attacks. This year, the CSA sent a powerful message to the security community when it released its countdown clock to the exact date where a quantum computer will be able to break through present-day cybersecurity infrastructure. The clock, counting down to April 14, 2030, is an urgent reminder to continually find new, creative solutions to data security, particularly as attack surfaces increase with the great cloud migration. In the persistent arms race to secure data against theft, ransomware, and other cyber threats, organizations are starting to look for new approaches to cloud security.


Cyberstorage for AWS FSx

A new security category is emerging that provides a much needed layer of defense for the cloud file share environment. Cyberstorage fuses high-performance security and intelligence with accessible storage to maintain the efficiency benefits of cloud workloads.  Introduced in Gartner’s recent Hype Cycle for 2022 Innovation, cyberstorage “protects storage system data against ransomware attacks through early detection and blocking of attacks, and aids in recovery through analytics to pinpoint when an attack started.”3

The cyberstorage security category is purpose-built to withstand ransomware and data exfiltration attacks. Calamu Protect, our flagship cyberstorage solution, includes multiple safeguards at the data level that prevents data from being copied off site in a readable format, even if a backdoor vulnerability was used. Calamu Protect provides a powerful defense layer that plugs into the AWS FSx environment and intelligently tiers off the most sensitive data to a safe data harbor in order to continually reduce the attack surface and the risk of exposure. Calamu also works alongside data discovery and classification tools such as BigID and behavior analysis and intelligence platforms for data risk management. 



Creating a data (safe) harbor for AWS FSx protection


Automatically tiering off vulnerable files to a secure location reduces risk of exposure and protects against theft and exfiltration attacks. The Calamu Protect solution transforms the way data is processed in the cloud environment. Instead of housing data in a single vault in its complete form, the Calamu Protect process automatically runs the data sets through a process that compresses, encrypts, and breaks them down into fragments before scattering them across user-defined storage locations, making it virtually impossible to access the entire readable data file. The technology that enables this process never takes possession of the data but instead works through the metadata, eliminating the threat of a third-party failure point.  

The data is transformed and only available to authorized users and applications. The resulting data harbor eliminates any single failure point, even safeguarding against misconfigurations in cloud set up, and offers a safe way to scale over time as data volumes grow.


Protection against cloud outages

A cyberstorage plugin for AWS FSx environment not only protects the most vulnerable data against theft and exfiltration attacks, it can also ensure that data remains safe and available for use even during a cloud outage. The data harbor scans the environment for anomalous behaviors, be it from attack or outage, and quarantines the location automatically. The system automatically self-heals by rebuilding a new location and re-populates it from the remaining healthy locations, all with 100% uptime and no impact to operations.  


Shared responsibility

AWS’ shared responsibility model dictates that it is the responsibility of the customer to protect their data as well as manage the encryption and authentication.4  A cyberstorage solution like Calamu Protect helps organizations maintain their share of responsibility by:

  • making data illegible to any outside threat actor hoping to steal and leak valuable data.

  • providing additional layers of authentication down to the file level.

  • delivering options for a multicloud approach to truly protect critical data.

AWS Shared Responsibility

Want to see how Calamu Cyberstorage works alongside Amazon FSx? Click below to schedule a custom demo.  

Schedule Now


1 2022 State of Public Cloud Security Report Reveals Critical Security Gaps |  2 CSA and BigID Study | 3 Gartner | 4 Amazon Shared Responsibility 


See Calamu in Action.