
Philip Williams
on 8 February 2024

Cloud storage security best practices


Secure your data by using Ceph’s security features


How can I securely store data in a cloud storage system?

Data is like the crown jewels of any organisation: if it is lost or exposed there could be severe repercussions. Failure to protect against system failure could lead to the loss of business data, rendering a business non-functional and ultimately causing its failure. Exposing sensitive data to unauthorised parties not only leads to reputational damage, but can also cause businesses to incur massive fines.

This blog takes a closer look at these risks and how you can mitigate them with Ceph’s security features. Let’s start with some of the most common ways in which data breaches can occur:

Physical theft / transport

The loss of storage-related hardware, disks or entire storage systems could lead to the exposure of sensitive information. This could happen in a traditional burglary, where an unauthorised party gains access to a data centre and removes hardware, or where a piece of hardware is intercepted in transit, for example when being returned to the manufacturer for repair or replacement.

Another type of physical compromise is via the theft of backup tapes, which can easily be mitigated with encryption, or tapeless backups that use inflight and at-rest encryption.

Corruption / Bitrot

Storage systems are made up of hardware, and sometimes hardware components can completely fail. In rarer cases, components like disk drives can introduce bit-level errors which cause corruption of the data that is being stored.

Most modern systems will also store checksums for slices or chunks of data that are stored, so that any corruption is discovered when the data is read. Some, such as Ceph, will proactively scrub the stored data, so that any potential corruption is detected and repaired from either other replicas or rebuilt from erasure coded chunks.

Network eavesdropping

When data is copied between systems, either on a local network or across the internet, there is a possibility of eavesdropping: the data could be intercepted by an unauthorised party during transmission. There are many components in a network path (network interface controllers (NICs), switches, routers, cables, etc.), and any of these can be compromised. Detection of such a compromise is difficult or impossible, even with state-of-the-art technologies.

Insecure storage system software

A software supply chain attack could compromise the software running within a storage system, giving an adversary another path to introduce malicious code. This is not limited to the core storage software: the software (firmware) running on components such as disks, NICs and RAID controllers is exposed in the same way. Keeping all of these software components up to date is essential.

Malicious obfuscation and encryption

Ransomware attacks have become more and more common. In this type of attack a malicious party gains access to an organisation’s IT estate and encrypts the contents of all storage devices, both local drives in servers and networked storage.

Mitigate these risks with cloud storage security features

In a modern open source storage system such as Ceph, there are multiple ways of protecting against the risks outlined above.

Data at rest encryption

As data is written to disk, it is encrypted by the storage system, so that if a disk is stolen, lost, or returned to the manufacturer for replacement after failure, there is no chance of a leak of the data contained on the device.

Data in flight encryption

Using encryption for all flows of data across all networks means that intercepted traffic does not expose sensitive data. The storage system can either store the data in its encrypted form, or decrypt it on arrival and use at-rest encryption to securely store it.

Access control

Ceph makes use of CephX and LDAP to enforce strict access control across all protocols, ensuring that only authorised users have access to the block devices, file shares or object buckets that an administrator has mapped or shared with specific users.
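As an added example (not part of the original post and not Ceph project code), the following audit parses `ceph auth ls`-style output and flags CephX capabilities that exceed least privilege, which is the check an administrator would run after mapping block devices, file shares or buckets to specific users. The sample output and entity names are constructed; the key values are placeholders.

```python
import re

# Constructed `ceph auth ls`-style sample (not from a real cluster); keys are placeholders.
SAMPLE_AUTH_LS = """
client.app-rbd
\tkey: PLACEHOLDER_KEY_1
\tcaps: [mon] profile rbd
\tcaps: [osd] profile rbd pool=app-images
client.legacy-backup
\tkey: PLACEHOLDER_KEY_2
\tcaps: [mon] allow *
\tcaps: [osd] allow rw
client.cephfs-app
\tkey: PLACEHOLDER_KEY_3
\tcaps: [mds] allow rw path=/app
\tcaps: [mon] allow r
\tcaps: [osd] allow rw tag cephfs data=cephfs
"""

CAPS_LINE = re.compile(r"^\s+caps:\s*\[(\w+)\]\s*(.+?)\s*$")
# An OSD cap counts as scoped if it names a pool, namespace or tag.
OSD_SCOPE = re.compile(r"\b(pool|namespace|tag)\b")


def parse_auth_ls(text):
    """Map each entity name to {service: capability string}."""
    entities, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # entity header, e.g. client.app-rbd
            current = line.strip()
            entities[current] = {}
            continue
        m = CAPS_LINE.match(line)
        if m and current is not None:      # indented 'key:' lines are skipped
            entities[current][m.group(1)] = m.group(2)
    return entities


def audit_caps(entities):
    """Findings: any 'allow *', and OSD caps that are neither a profile nor scoped."""
    findings = []
    for name, caps in entities.items():
        for svc, spec in caps.items():
            if "allow *" in spec:
                findings.append(f"{name}: [{svc}] grants full access ({spec})")
            elif svc == "osd" and not spec.startswith("profile") and not OSD_SCOPE.search(spec):
                findings.append(f"{name}: [osd] is not scoped to a pool ({spec})")
    return findings
```

Run it against real `ceph auth ls` output to spot legacy entities like `client.legacy-backup` above, whose `allow *` on the monitors lets a stolen key alter the cluster's own access control.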

Snapshots and versioning

Point-in-time snapshots give a user the ability to roll back to a known good state after corruption or malicious encryption is detected, providing a recovery path from such events. Object storage also allows for full object versioning, which means that when a new version of an existing object is added to the system, the older version is also retained and can be accessed if required. This feature is particularly useful in heavily regulated environments where an audit trail is required.

Key rotation

Cryptographic keys are used to secure communication between different devices, but it is of utmost importance that these keys are periodically renewed so that, if a key were to be compromised, the window in which it could be used for a successful breach is relatively short.

Learn more

Ceph provides multiple mechanisms to secure data stored within the cluster no matter the protocol used. Additionally, even when hardware components are removed from the cluster, the data remains protected thanks to strong encryption. Internet-facing APIs such as RADOS Gateway’s S3 endpoint can be configured to accept TLS connections only, and reject insecure HTTP.
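As an added example (not part of the original post and not Ceph project code), this audit checks a ceph.conf for the two settings this post relies on: the msgr2 connection modes behind data-in-flight encryption, and a RADOS Gateway beast frontend that serves TLS only. Both config fragments are constructed; the `client.rgw.gw1` section name and the certificate path are placeholders, and the `crc secure` fallback used when an option is unset is Ceph's documented default.

```python
import configparser

# Constructed ceph.conf fragments (not from a real cluster). WEAK_CONF lets the messengers
# fall back to crc (integrity-only, unencrypted) and serves S3 over plain HTTP.
WEAK_CONF = """
[global]
ms_cluster_mode = crc
ms service mode = crc secure
ms_client_mode = crc secure
[client.rgw.gw1]
rgw_frontends = beast port=80
"""

# Same cluster with secure mode enforced and a TLS-only RGW listener.
HARDENED_CONF = """
[global]
ms_cluster_mode = secure
ms_service_mode = secure
ms_client_mode = secure
[client.rgw.gw1]
rgw_frontends = beast ssl_port=443 ssl_certificate=/etc/ceph/rgw.pem
"""

MSGR_MODE_OPTIONS = ("ms_cluster_mode", "ms_service_mode", "ms_client_mode")


def parse_ceph_conf(text):
    """Parse the INI-style ceph.conf. Ceph treats 'ms service mode' and
    'ms_service_mode' as the same option, so option names are normalised."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = lambda name: name.strip().lower().replace(" ", "_")
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def audit_ceph_conf(text):
    """Findings: messenger modes still permitting crc (default when unset is
    'crc secure') and RGW beast frontends that are not TLS-only."""
    findings, conf = [], parse_ceph_conf(text)
    for opt in MSGR_MODE_OPTIONS:
        modes = conf.get("global", {}).get(opt, "crc secure").split()
        if "crc" in modes:
            findings.append(f"{opt} permits unencrypted crc mode ({' '.join(modes)})")
    for section, opts in conf.items():
        if "rgw_frontends" not in opts:
            continue
        tokens = opts["rgw_frontends"].split()
        if any(t.startswith(("port=", "endpoint=")) for t in tokens):
            findings.append(f"{section}: rgw_frontends listens on plain HTTP")
        if not any(t.startswith(("ssl_port=", "ssl_endpoint=")) for t in tokens):
            findings.append(f"{section}: rgw_frontends has no TLS listener")
    return findings
```

Note that the messenger options are checked in `[global]` only; values set via `ceph config set` live in the monitor database and are not visible in the file, so compare the file's findings with `ceph config dump`.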

Find out more about Ceph here.
