Data Storage Security Summit Abstracts

2015 Break Out Sessions and Agenda Tracks Include:

Note: This agenda is a work in progress. Check back for updates on additional sessions as well as the agenda schedule.

BASICS AND FUNDAMENTALS

Encryption Key Management Simplified

Liz Townsend, Director of Business Development, Townsend Security

Abstract

Your encrypted data is only as secure as your encryption keys. A strong encryption key management strategy is essential for a comprehensive security policy, as well as meeting compliance requirements. Attendees of this presentation will learn:

  • Principles and best practices for encryption key management, including key storage, secure key retrieval, key escrow, key mirroring, industry standards, compliance guidelines, and system audit
  • Why certifications are important for meeting compliance regulations such as PCI-DSS and HIPAA/HITECH
  • How key management systems work and how to evaluate vendor solutions

This is a non-technical session but will be of value to developers and implementers. Attendees will learn the core principles of effective and secure encryption key management. These principles can be used in developing in-house key management solutions or in evaluating vendor solutions.

Learning Objectives

  • What is encryption key management and why is it important?
  • Principles of industry-standard key management
  • Industry must-haves for effective key management
  • Challenges of home grown key management solutions
  • Important certifications for meeting compliance and evaluating vendors

SNIA Tutorial:
Implementing Stored-Data Encryption

Michael Willett, VP Marketing, Bright Plaza

Abstract

Data security is top of mind for most businesses trying to respond to the constant barrage of news highlighting data theft, security breaches, and the resulting punitive costs. Combined with litigation risks, compliance issues and pending legislation, companies face a myriad of technologies and products that all claim to protect data-at-rest on storage devices. What is the right approach to encrypting stored data? The Trusted Computing Group, with the active participation of the drive industry, has standardized on the technology for self-encrypting drives (SED): the encryption is implemented directly in the drive hardware and electronics. Mature SED products are now available from all the major drive companies, both HDD (rotating media) and SSD (solid state), for both laptops and the data center. SEDs provide a low-cost, transparent, performance-optimized solution for stored-data encryption. SEDs do not protect data in transit, upstream of the storage system. For overall data protection, a layered encryption approach is advised. Sensitive data (e.g., as identified by specific regulations: HIPAA, PCI DSS) may require encryption outside and upstream from storage, such as in selected applications or associated with database manipulations. This presentation will examine a pyramid approach to encryption: selected, sensitive data encrypted at the higher logical levels, with full data encryption for all stored data provided by SEDs.

Learning Objectives

  • The mechanics of SEDs, as well as application and database-level encryption
  • The pros and cons of each encryption subsystem
  • The overall design of a layered encryption approach

SNIA Tutorial:
Privacy vs Data Protection — The Impact of the EU Data Protection Legislation

Thomas Rivera, Senior Technical Associate, Hitachi Data Systems

Abstract

After reviewing the diverging data protection legislation in the EU member states, the European Commission (EC) decided that this situation would impede the free flow of data within the EU zone. The EC response was to undertake an effort to "harmonize" the data protection regulations and it started the process by proposing a new data protection framework. This proposal includes some significant changes like defining a data breach to include data destruction, adding the right to be forgotten, adopting the U.S. practice of breach notifications, and many other new elements. Another major change is a shift from a directive to a rule, which means the protections are the same for all 27 countries and includes significant financial penalties for infractions. This tutorial explores the new EU data protection legislation and highlights the elements that could have significant impacts on data handling practices.

Learning Objectives

  • Highlight the major changes to the previous data protection directive.
  • Understand the differences between “Directives” versus “Regulations”, as it pertains to the EU members.

IoT Security: Problems, Challenges and Solutions

Liwei Ren, Senior Architect, Trend Micro

Abstract

As a novel computing platform, IoT will bring many security challenges to enterprise networks, and create new opportunities for the security industry. This talk will provide a general overview of enterprise network security problems, especially data security problems, caused by IoT. After that, a few existing security technologies are evaluated as necessary elements of a holistic network security that covers IoT devices. These technologies include: (a) IoT security monitoring and control; (b) FOTA for firmware vulnerability management; (c) NetFlow-based big data security analysis. In the end, the practice of standard security protocols (such as OpenIoC and IODEF) will be strongly advocated for delivering effective IoT security solutions.

Learning Objectives

  • What IoT security problems and challenges are.
  • A few existing security technologies.
  • How to apply these security technologies to IoT security.
  • Why standard security protocols are important for best practice.

Advancements in Trusted Computing Group Storage Standards

Jason Cox, Security Architect, Intel Corporation

Abstract

The Trusted Computing Group's Storage Work Group published the Opal Security Subsystem Class, a specification defining management of the cryptographic protection of data at rest, in 2009. Since then, new storage technologies and interfaces have become more common, and the TCG Storage Work Group is in the process of releasing additional specifications enhancing Opal and defining enhancements to its existing capabilities. This presentation will describe the new specifications and capabilities, as well as associated use cases and benefits.

Learning Objectives

  • Understand new specifications
  • Learn about new use cases
  • Find out how TCG Storage is working with the NVMe Work Group
  • Learn about features that may be coming to Storage Devices in the near future

KEY MANAGEMENT PANEL – MAIN STAGE

Enterprise Key Management: The Real Story - Q&A with EKM Vendors

Moderator: Tony Cox, Chair SNIA Storage Security Industry Forum, Chair OASIS KMIP Technical Committee
Panelists: Tim Hudson, CTO, Cryptsoft
Nathan Turajski, Senior Product Manager, HP
Bob Lockhart, Chief Solutions Architect, Thales e-Security, Inc
Liz Townsend, Director of Business Development, Townsend Security
Imam Sheikh, Director of Product Management, Vormetric Inc

Abstract

Representatives from a range of established KMIP Key Management vendors answer questions from the moderator and from the audience on various aspects of encryption, standardised key management via KMIP, and some of the deployment issues and opportunities brought about through enterprise key management.


KEYNOTE SPEAKERS

Personal Cloud Self-Protecting Self-Encrypting Storage Devices

Robert Thibadeau, Ph.D., Scientist and Entrepreneur, CMU, Bright Plaza

Abstract

Self-Protecting, Self-Encrypting Storage Devices (SP-SEDs) are already widely available and successful in the marketplace. This talk will focus on exciting new concepts that take existing standards and existing Open Source code repositories to create opportunities for new wealth through security and privacy. Look to the clouds for guidance on what should be in the Personal Storage Device.



Hitachi Data Systems - Security Directions and Trends

Eric Hibbard, Chair SNIA Security Technical Working Group, CTO Security and Privacy HDS

Abstract

Abstract pending



Lessons Learned from the 2015 Verizon Data Breach Investigations Report

Suzanne Widup, Senior Analyst, Verizon

Abstract

Based on forensic evidence collected from 70 partner organizations as well as the Verizon caseload, the 2015 Verizon Data Breach Investigations Report (DBIR) presents a rare and comprehensive view into the world of corporate cybercrime. Now in its eighth year of publication, this research has been used by thousands of organizations to evaluate and improve their security programs. The presentation will discuss the evolution of results over the years and delve into the people, methods and motives that drive attackers today, to better inform your own security program.



Data Encryption Key Management – Truths and Consequences

Justin Corlett, Business Development Manager, Cryptsoft

Abstract

The imperative to encrypt data has driven the strong and sustained growth in the Enterprise Key Management market. Gaining accurate knowledge and clear insight into this market is a significant challenge both for vendors and end-users. Publicly accessible information is littered with half-truths, misdirection and creative marketing content. Failing to distil reality from fantasy will undermine your ability to make the critical decisions you need to stay competitive. This session will provide you with the inside information about what was, what is and what will be in the next 18 months of Enterprise Key Management.


SNIA's Position and Response to Data Storage Security Industry Requirements

Eric Hibbard, Chair SNIA Security Technical Working Group, CTO Security and Privacy HDS

Abstract

Abstract Pending

SOLUTIONS, CASE STUDIES and BEST PRACTICES

Reliable Expiration of Data from a Storage System

Radia Perlman, Fellow, EMC

Abstract

There is a natural balance between keeping enough copies of data so that it does not get prematurely lost, and assuring that data that should be destroyed is reliably destroyed. This talk describes a technology that enables a storage system to allow a piece of data to be stored with an optional expiration date. After the expiration date the data is impossible to recover from the storage system, even if all of the state of the storage system is captured on backups, including, for instance, copies that are stored offline. Obviously, the answer involves encrypting the data and then discarding keys, but that isn't the entire answer, because it would be necessary to make backup copies of the keys, and once keys are copied, it is difficult to assure that no copies can be recovered after the expiration date. This presentation describes a system that is easy to build, very scalable, and very robust.



Introducing Data-Awareness: Gain Unprecedented Data Security and Visibility at the Point of Storage

David Siles, Chief Technology Officer, DataGravity

Abstract

Be honest with yourself: do you really know what's in your data? And do you know who is doing what with the information that data contains? Probably not. Unfortunately, that lack of awareness is growing increasingly dangerous. Data stores for organizations in all industries are growing at a rapid rate, and without cutting to the core of the storage and finding what sensitive information lurks inside, you're setting your team and your business up for potential disaster. This presentation will cover what it means to truly take control of and defend your company's data across the full spectrum of vulnerabilities.

Learning Objectives

  • Data security and perimeter security are not synonymous. Create an effective strategy that goes beyond firewalls.
  • Being data-aware involves more than gathering insights about your data – it means knowing exactly what you’re storing, and exactly how you can protect it.
  • There are threats to your organization's data assets that range beyond external hackers; identifying the source of the potential problem is the first step.
  • Every storage professional has the power to become a security superhero for his organization.

Secure Storage: Encryption Implications

Bob Guimarin, CEO, Fornetix

Abstract

With the increasing sophistication of cyber-attacks penetrating the most highly protected government and commercial systems, many look to encrypted storage as a silver bullet to prevent the loss of critical data and reputational loss. The session will explore the implications of mainstreaming the use of encrypted storage and the future of large scale encryption.


Extracting Value from Health Insurance Portability and Accountability Act (HIPAA) Data

James Yaple, Principal Consultant, Jackson-Hannah, LLC

Abstract

HIPAA Privacy Rules protect individually identifiable health information held by covered entities and give patients rights with respect to that information. The Privacy Rule is balanced so that it allows disclosure of health information needed for patient care and other important purposes. Researchers and software developers can obtain valuable information from health data repositories. Analytics can determine correlations between variables that can improve patient care. Developers can integrate functionality into electronic health record (EHR) systems if the data they use supports testing that functionality. PHI presents a unique challenge in that de-identification of data can invalidate the conclusions that may be drawn. Data may be de-identified based on two standard methods: “Expert Determination” (statistical analysis) and “Safe Harbor” (removing data elements). The “Safe Harbor” method requires that 18 specific data elements be de-identified. Some of these have relevance to the value of the resulting data repository.

Learning Objectives

  • Examine the value of realistic information in research and software testing
  • Explore the challenges of de-identifying health data in accordance with HIPAA
  • Identify the 18 data elements that must be de-identified and the value they represent
  • Compare and contrast the two standard methods for de-identifying health data in accordance with HIPAA

KMIP - A Key to Commercial Success

Nathan Turajski, Senior Product Manager, HP
Tony Cox, Director Business Development, Strategy & Alliances - Cryptsoft

Abstract

Two veterans of the KMIP world work through various approaches from both the perspective of data storage appliance and key management servers, using their experience to provide practical examples of how commercial success has been achieved through the deployment of KMIP. Between them Nathan and Tony have a wealth of knowledge garnered through participation in the KMIP specification development and enabling the success of their customers as they deliver KMIP solutions.