Security
Material on this page is intended solely for the purpose of content review by SNIA members. Tutorial material may be read and commented upon by any SNIA member, but may not be saved, printed, or otherwise copied, nor may it be shared with non-members of the SNIA. Tutorial managers are responsible for responding to all comments made during the open review period. No responses will be given to comments made outside the open review period.
The Abstracts
Guarding the Jewels: A Primer on Storage Network Security
Information has come to be the crown jewels of the modern enterprise, but with its value has come increased risk of compromise or unauthorized disclosure. This presentation will review the common risks in the storage network environment, useful ways of mitigating them and the guidance provided by the SNIA Best Common Practices for Storage Security.
First on the Digital Scene: A Forensic Primer for Storage Professionals
With most enterprise information concentrated within storage networks, the likelihood of a storage administrator being "first on the digital scene" of an intrusion, a crime, a policy violation or an e-discovery request is becoming almost a certainty. This presentation offers a whirlwind tour of the requirements, processes and procedures for collecting and preserving digital evidence.
ABCs of Encryption
Public disclosures of data “indiscretions” have become regular enough and embarrassing enough that many organizations are exploring encryption options both to satisfy information protection requirements and to simply stay out of the headlines. Those who have ventured into this space quickly realize that there is no “magic crypto fairy dust” that will make the problems go completely away. However, with careful planning and judicious use of the right technologies, organizations can eliminate many of their exposures. This session focuses on the efforts required at the storage layer to both create a successful encryption strategy and effectively deploy products that address encryption of data at-rest as well as data in-flight. The session is based on an established step-by-step process that is defined in detail in a SNIA white paper, and also covers recent SNIA work on Best Current Practices.
An Introduction to Key Management for Secure Storage
As secure storage becomes more pervasive throughout the enterprise, the focus quickly moves from implementing encrypting storage devices to establishing effective key management policies. Without the proper generation, distribution, storage, and recovery
Best Practices for Key Management for Secure Storage
Storage Security: Learning from Others' Experiences - A Panel
This session features a panel discussion made up of end-user organizations that have deployed various storage security solutions within their enterprises. The session goal is to help IT management and administrators learn from the challenges and successes others have had in deploying storage encryption and key management solutions. Topics include: What processes and policies have, or haven’t, worked for other organizations? What are the various architectural options for deploying this type of solution? How can you determine what deployment option is best for your organization? What are the primary key management factors for consideration? What services are available to help in this area? A higher level of co-ordination between the events at SNW is desirable. Past SNW participant feedback has indicated that a conference session facilitating understanding of daily operations would help drive traffic to a Hands-On Lab and give the conferences a real-world practical side that should appeal to a number of SNW attendees. This conference session will provide the groundwork for what will be demonstrated at the Data Protection/Security Hands-On Lab and serve as an educational foundation for this event, enabling end users both to become aware of SNIA educational opportunities and to get the maximum benefit from them.
How E-Discovery Will Impact Your Life as a Storage Professional
Mention the term e-discovery to a storage professional and watch their reaction. Storage professionals today face the daunting task of being able to quickly know where every email, Word document and database file lives and how to get it back in a hurry in the event of a catastrophe. With the recent update to the Federal Rules of Civil Procedure (FRCP), a storage professional now has even more pressure to potentially know the content inside those files. This session helps the storage professional understand the recently updated FRCP. We will also look at an e-discovery request from the perspective of an end-user. Finally, we will provide some recommendations on how to prepare for an e-discovery request.
Information Security and IT Compliance
In times past, the sole yardstick of an enterprise's IT department was business application availability. Today, however, a multitude of both internal and external requirements are applied to IT. IT policies are now driven by a need for compliance with national and international legislation on data protection and privacy (e.g. HIPAA, Sarbanes-Oxley, EU Data Protection Directive), various standardized and industry-developed security frameworks (e.g. ISO 27002, COBIT, PCI DSS), auditing standards, and even risk management requirements derived from insurance coverage. New IT yardsticks include not only demonstrating compliance with the requirements but also such items as e-discovery response times, intrusion detection tests, and data retention periods. This session will leverage the SNIA Storage Security Best Current Practices (BCPs) addressing data security compliance, understanding risks, and utilizing event logging. Commonly encountered requirements will be identified, and approaches to creating IT policies and collecting evidence will be described.
SCSI Security Nuts and Bolts
The SCSI Command Sets are the lingua franca of computer storage, the language by which computer systems and peripherals communicate to support the storage and retrieval of information - the lifeblood of any modern business. SCSI has evolved from origins in the early 1980s in small computers to support modern SANs that interconnect tens of thousands of peripherals and servers. The latest SCSI standards projects underway in INCITS Technical Committee T10 define the creation of Security Associations, methods of deriving keys and performing strong mutual authentication, per-command security controls supporting multiple levels of protection, support for security protocols defined separately by multiple other standards organizations, and the control and operation of new security features within storage peripherals themselves. This session will cover these new features in detail, and will highlight the new requirements that these features will place on the operation and management of future computer systems and their storage configurations.
Trusted Computing Group (TCG): Trusted Storage Specification
The Trusted Computing Group (TCG) Storage WorkGroup has published formal specifications for security and trust services on storage devices, including hard drives, flash, and tape drives. The majority of hard drive and other storage device manufacturers participated. Putting security directly on the storage device avoids the vulnerabilities of platform OS-based software security. The details of the Specification will be highlighted, as well as various use cases, including Full Disk Encryption with enterprise key management and trusted optical storage.

