Farsighted News SNIA

IT Corner

Focus on Storage Security

With security now an activity with joint responsibilities throughout the organization, it is more important than ever to understand and define specific security threats to storage, and to seek approaches that lead to an enhanced security posture.

The SNIA Storage Security Industry Forum (SSIF) brings storage professionals, security experts and academics together in a consortium dedicated to increasing the overall knowledge and availability of robust security solutions in today's storage ecosystems. Upcoming SSIF activities include SNIA Tutorial sessions on encryption, forensics, key management and end-to-end security at SNW Dallas, October 15-19, 2007, and at SNW Europe Congress Frankfurt, October 29-31, 2007, as well as the SNIA Security Summit highlighting eDiscovery, being held January 31-February 1, 2008 in Santa Clara, CA (with a Security Tutorial Day on January 30, 2008, preceding the Summit).

For this issue of FarSighted, we sat down with Gordon Arnold of IBM, SSIF Governing Board Chair, to learn more about storage security and how the SSIF is driving new opportunities to enhance security in the storage industry through education and best practices development.

What is "storage security" and how does it relate to the overall concept of computer security?

Gordon Arnold (GA): Storage security embraces a number of disciplines for securing the storage infrastructure and the data it contains:

  • Securing the connection between servers and their storage - particularly important when storage is accessed via a network such as a SAN
  • Securing the management of storage components through storage management software and the hardware devices themselves
  • Securing data at rest, particularly when storage media leaves the physical protection of a data center

Securing storage management is highlighted in the SSIF white paper on storage security, where security features of SMI-S, best practices around maintaining storage administrator credentials and access to storage management interfaces are presented.

Does the SNIA have a vision of storage security?

GA: The SSIF focuses on educating both industry and end users on best practices for securing the storage infrastructure. Additionally, we are working on standards and protocol interoperability to enable adoption of security facilities, such as encryption, and to give users multiple choices in the components they deploy.

In addition, SSIF assists in the adoption of storage security by sharing best practices through education, and by helping end users understand their best options for providing security for their storage infrastructure. Given the challenges in performance, reliability, long-term retention and complexity that security introduces into the enterprise storage infrastructure, it is critical to provide guidance to IT professionals in successfully assuring storage security, an important and critical discipline in current and future deployments.

Where can an IT professional go to learn more about storage security and best practices?

GA: The SSIF tutorials and SNIA education offerings are available to IT professionals wishing to learn more about storage security. At the upcoming SNW, SSIF tutorials will include:

  • Introduction to Storage Security
  • Cryptographic Use Cases and the Case for End-to-End Security
  • A Do-It-Yourself Guide to Storage Forensics
  • TCG Trusted Storage Specification
  • ABCs of Data Encryption
  • Key Management, A Primer
  • Best Practices for Building a Key Management Strategy: Understanding Standards and Solutions

The SSIF has also published a number of white papers introducing storage security issues, providing specifics on processes such as audit logging for storage, and describing a step-by-step checklist for encryption of data at rest. We also provide a risk assessment toolkit. All these can be found on our Web site, www.snia.org/ssif.

What is the SSIF doing to promote the advancement of storage security?

GA: While some standards bodies (like TCG and IEEE P1619) have focused on implementation protocols and standards important to vendor interoperability, SSIF adds the perspective of data management and the whole ecosystem of functions required to secure both data and storage. The SSIF builds on the foundation laid by the technical working groups of SNIA, as well as other standards bodies, to address the business focus and practical advice needed by end users to deploy and securely manage storage.

How can I participate?

GA: The SSIF welcomes to membership all individual professionals and companies who are involved in or interested in security issues. Come join us to make a difference.

For more information

To learn more or to join the SSIF, visit the Web site at www.snia.org/ssif.

Congratulations to the newly elected SNIA Storage Security Industry Forum (SSIF) 2007-2008 Governing Board: Gordon Arnold, IBM - Chair; James Hughes, Sun Microsystems - Vice Chair; Dan Vogel, LSI Corporation - Treasurer; Blair Semple, Decru, A NetApp Company - Education and Alliances Officer; James Norton, Brocade Communications Systems - Marketing Officer; Richard Austin, independent - Membership and Business Development Officer.







