The Abstracts

Introduction to Storage Security

Gordon Arnold

Many enterprises face the task of implementing data protection and data security measures to meet a wide range of legal, regulatory, and/or due diligence requirements. Increasingly, these requirements are being applied to the storage layer, so it is important to understand the areas of most risk. In addition, understanding the differences between compliance and securing the data can be critical when information systems (IS) auditors are inspecting the storage ecosystem, looking for things like accountability, traceability, and proofs of encryption and destruction.

This session lays a foundation for you to better understand storage security risks and their mitigation strategies. We will examine common security mistakes and challenges, including encryption and its impacts on disaster recovery and business continuity. Finally, we will provide specific recommendations and offer insights into emerging storage security measures.

After completing this tutorial, you should be able to:

  • Know storage security measures in response to risk and threat
  • Understand storage security technologies including encryption, logging, and key management
  • Understand the upfront and continuing effort required to secure the storage layer

Preparing for a Storage Security Audit

LeRoy Budnik

The thought of 'being audited' often evokes fear. Actions taken on stored information, storage infrastructure security and the practices of storage professionals are all subject to internal and external audit. Recently, the specialized nature of IS auditing has extended to include the storage infrastructure; however, auditors with specialized storage skills and knowledge are a limited resource. Auditors are required to be technically competent in the storage area while being aware of the many standards and legal requirements, in addition to security guidelines. That makes them a great asset to our work! As a result, a storage security auditor can provide great benefit to the storage professional and their organization. Storage professionals maintain information security policies within and around the storage infrastructure; some establish policies and practices, independently or in concert with others. When we set a security or storage policy, we do so based on our understanding of the requirements, our personal experience and budget constraints. However, is our due diligence enough? This is where the auditor can provide external validation and recommendations (authentication, control, encryption, etc.) in the midst of their role as professional skeptic and risk manager. In this session, we present a client case scenario, review the Storage Security Audit Process and then follow the process in a case study. Our goal: to prepare you for a storage security audit. In addition, we believe that you will have a different perspective on the security of storage infrastructures that you design today.

Learning Objectives

  • Describe the Storage Security Audit Process
  • Secure Information Assets in the Storage Systems
  • Apply storage security and governance best practices

Best Current Practices and Implementing the FC Security Protocol (FC-SP)

Larry Hofer

The variety of environments in which Fibre Channel fabrics are deployed makes it difficult to rely on physical security. Different users may access storage subsystems over fabrics that may span several sites. Security services are extremely important to prevent misconfigurations or access to data by non-authorized entities.

A new standard, the Fibre Channel Security Protocol (FC-SP), can improve fabric security, reduce the total cost of ownership (TCO) and improve availability. These benefits are the result of simplified management and mitigated threats, both accidental and malicious.

This mostly technical tutorial identifies the best current practices for storage security, shows how they are supported by FC-SP, and identifies some choices that vendors may make that are outside the standard. We develop an in-depth understanding of the new security architecture for Fibre Channel. Then, we identify key steps to help you implement the FC-SP framework. Within this framework, a Fibre Channel device can verify the identity of another Fibre Channel device. A device may also use a shared secret and a key exchange protocol to establish security associations applied to Fibre Channel frames and information units. This framework also allows for the distribution of fabric-enforced policies within a Fibre Channel fabric. Some of these features are quickly becoming available from a vendor near you.

Learning Objectives

  • Understand underpinning concepts and best practices supported by FC technology, including device-to-device (hosts, disks, switches) authentication, data origin authentication, integrity, anti-replay protection, confidentiality, the role of the IKEv2 protocol for Fibre Channel entity authentication and/or setup of security associations, and security policy distribution.
  • Manage and establish secrets and security associations.
  • Prepare to implement FC-SP functionality, including planning decisions, implementation process and changes in storage administrator practices

Alternative Approaches to Storage Security

Michael Fahey

Encryption and security are very popular topics in the storage industry today and there are many solutions available for different security threats. Security practices should be based upon a realistic threat assessment and the level of confidentiality required. Overly complex security approaches can be as dangerous as not employing security at all. This session will focus on encryption for data at rest with several storage architectures and explain various alternatives for key management. There are many legal, regulatory, and security requirements that may conflict with one another. For example, certain compliance requirements may not be met with common key management practices. Simplified key management using the encrypted storage medium itself may offer the privacy protection that is required and meet other legal and regulatory requirements at much lower cost.

Learning Objectives

  • Basic properties of object based storage and several approaches used within the industry today.
  • The challenges of tiering with transactional systems and how object based storage can be utilized to simplify management and reduce costs.
  • The integration of search and classification for intelligent policy based file movement and reporting.

Look Ma, No Disks

Richard Austin

As more and more enterprise information is consolidated into Fibre Channel storage networks, the likelihood of a storage administrator finding themselves challenged to identify, collect and preserve electronic evidence relevant to an intrusion, crime or corporate policy violation grows. This presentation offers a whirlwind tour of the processes for collection and preservation of digital evidence and the challenges traditional forensics practitioners face in this brave new world where a server may have no directly attached disks.

  • Understand the general requirements placed on information used in the legal process
  • Build familiarity with sound processes for identification, collection and preservation of digital evidence
  • Understand the challenges SAN attached storage poses to the traditional practice of digital forensics

TCG Trusted Storage Specifications

Michael Willett

The Trusted Computing Group (TCG) Storage Work Group has published formal specifications for security and trust services on storage devices, including hard drives, flash, and tape drives. The majority of hard drive and other storage device manufacturers participated. Putting security directly on the storage device avoids the vulnerabilities of platform OS-based software security. The details of the Specification will be highlighted, as well as various use cases, including Full Disk Encryption with enterprise key management.

Learning Objectives

  • Learn the high-level details of the TCG Storage Specifications
  • Learn how to program applications that exploit the security and trust services on the storage device
  • Learn the variety of use cases possible with storage device-based security

ABCs of Data Encryption for Storage

Roger Cummings

Public disclosures of data 'indiscretions' have become regular enough and embarrassing enough that many organizations are exploring encryption options simply to stay out of the headlines. Those who have ventured into this space quickly realize that there is no 'magic crypto fairy dust' that will make the problems go completely away. However, with careful planning and judicious use of the right technologies, organizations can eliminate many of their exposures. This session focuses on the efforts required at the storage layer to create a successful encryption strategy. Major uses, along with factors to consider, are presented for protecting storage management, data in-flight, and data at-rest. The session provides expanded coverage on encrypting data at-rest, including key management and a step-by-step approach.

Learning Objectives

  • Identify where encryption is applied to the storage layer.
  • Discuss uses and issues associated with the application of encryption, with special emphasis on data at-rest encryption prerequisites and opportunities.
  • Develop an approach for implementing data at-rest encryption.

A Chief Information Security Officer's View of Storage Security

Eric Hibbard

The CISO is accountable for the mitigation of risk. Their diligence assures the success of their organization. While securing the storage in all of its forms may be the task of the storage team, if that team fails, the CISO may pay the price. C-level security executives are leaders who set vision, choose information security models, define the security services, build a team, manage budget, run the business and prepare for potential crises, all for one purpose: to meet business and regulatory expectations. To understand the CISO is to know what they value and what they expect.

This session helps the storage professional understand the perspective of the security executive. How do they see storage risk? What is their approach to mitigation? We will examine how they challenge conventional wisdom and adapt while assessing threats, assets and vulnerabilities. Then we will look at how they lead in the heat of an incident. Finally, we will provide specific recommendations and offer insight into the best ways for storage professionals to work with the security executive.

After completing this tutorial, you should be able to:

  • Better understand information assurance and the CISO “interests” within the storage layer
  • Know how security professionals measure storage security and respond to risk and threat
  • Understand the upfront and continuing effort required to work with the security team while securing the storage layer