The Abstracts

Introduction to Information Assurance
Eric Hibbard

Many organizations face the task of implementing data protection and data security measures to meet a wide range of requirements. With increasing frequency, storage managers and professionals are being asked to handle elements of this protection, which are often presented in the form of a security checklist. However, checklist compliance by individuals who lack a basic background in Information Assurance is a quick recipe for trouble. At its core, Information Assurance is about ensuring that authorized users have access to authorized information at the authorized time, regardless of whether the information is in storage, processing, or transit, and whether it is threatened by malice or accident. This session provides an introduction to Information Assurance as well as details that will help storage personnel better understand its applicability in their own environments.

Learning Objectives

  • General understanding of key Information Assurance concepts
  • Insight into the importance of checklist items
  • Practical tips on ways to leverage Information Assurance

SNIA Storage Security Best Practices
Eric Hibbard

With the increasing importance of and emphasis on security in mind, the Storage Networking Industry Association (SNIA) has developed and published (see /forums/ssif/programs/best_practices/) a set of storage security best current practices (BCPs). This vendor-neutral guidance has a broad scope, covering both storage systems and entire storage ecosystems. Specific elements include, but are not limited to, storage management, protocols, compliance, encryption, key management, and long-term archive. As with many aspects of security, a balance must be struck between mitigating risks and minimizing the impacts, which may take the form of cost, complexity, throughput, availability, scalability, etc. Each organization must make its own trade-off decisions based on its unique situation (e.g., deployed infrastructure, legal and regulatory requirements, and due care expectations) and the importance of its data. This session provides an introduction to the BCPs as well as information that will help organizations apply the BCPs in their environments.

Learning Objectives

  • General introduction to the SNIA storage security BCPs
  • Understand which storage security BCPs are considered critical
  • Practical tips on ways to utilize the storage security BCPs

A CISO's View of the Storage Ecosystem
Andrew Nielsen

Many organizations face the task of implementing data protection and data security measures to meet a wide range of compliance requirements. Heading that charge is the CISO, together with other security professionals, who are responsible for protecting information at rest, in transit, and when threatened intentionally or not. Until recently the CISO and the security team have had limited interaction with the storage layer. However, this is changing rapidly. The CISO and the security organization are now expanding their purview and placing increased scrutiny on the storage ecosystem. The scrutiny comes in the form of traditional and non-traditional security controls and requirements. In order for organizations to be successful, security and storage professionals must partner to protect information assets from current and emerging threats.

Learning Objectives

  • Insight into what drives the CISOs and their view of the Storage Ecosystem
  • Understand how security professionals assess the storage layer and combat risks and threats
  • Practical tips on how the CISO and the Storage Team can peacefully co-exist and partner

How E-Discovery Will Impact Your Life as a Storage Professional
David Stevens

Mention the term E-Discovery to a storage professional and watch their reaction. They may run away and hide. Storage professionals today face the daunting task of knowing where every email, Word document and database file lives and how to get it back in a hurry in the event of a catastrophe. With the recent update to the Federal Rules of Civil Procedure (FRCP), a storage professional is now under even more pressure to potentially know the content inside those files.

Learning Objectives

  • Help the storage professional understand the new Federal Rules of Civil Procedure (FRCP) that were updated December 1, 2006.
  • Look at an e-discovery request from the perspective of a storage professional.
  • Provide some recommendations on how to prepare for an e-discovery request.

Computing or Litigating in the Cloud - Emerging Issues in E-Discovery, Search and Digital Evidence Management
Steven Teppler

The 2006 Federal eDiscovery rules have resulted in a flood of lawsuits involving digital evidence. Issues of authentication, integrity, search protocol efficacy, challenges of withholding evidence, failure to preserve (store), and spoliation (tampering or deletion) of computer generated information are now being raised early and often in litigation. Further complicating the process is the advent of "cloud computing," which adds additional search, storage and preservation concerns and challenges for enterprises (as well as their attorneys) that request as well as produce digital evidence in litigation.  IT/storage/info-sec stakeholders will be increasingly tasked to inform and educate attorneys whose technical sophistication is lacking, or even missing.

Learning Objectives

  • This track will offer information security and management stakeholders insight into a litigating attorney's perspective on digital evidence management throughout the information life-cycle.
  • This track will also outline the increasingly important role of IT in ensuring enterprise compliance with both eDiscovery and evidentiary preservation obligations.

Storage Security - Learning from Others Experiences (Panel Discussion)
Moderator:  Blair Semple
Panelists: David Stevens, Steven Teppler, Eric Hibbard

This session features a panel discussion made up of end users, standards body representatives, and vendor individuals who have been involved with the evaluation, selection, and deployment of various storage security solutions within their enterprises. The session goal is to help IT management and administrators learn from the challenges and successes others have had in deploying storage encryption and key management solutions. Topics include: What processes and policies have, or haven't, worked for other organizations? What are the various architectural options for deploying this type of solution? How can you determine which deployment option is best for your organization? What are the primary key management factors for consideration? What services are available to help in this area? A higher level of coordination between the events at SNW is desirable. Past SNW participant feedback has indicated that a conference session facilitating understanding of daily operations would help drive traffic to a Hands-On Lab and give the conferences a real-world practical side that should appeal to a number of SNW attendees. This conference session will provide the groundwork for what will be demonstrated at the Data Protection/Security Hands-On Lab and serve as an educational foundation for that event, enabling end users both to become aware of SNIA educational opportunities and to get the maximum benefit from them.

Learning Objectives

  • Help IT management and administrators learn from the challenges and successes others have had in deploying storage encryption and key management solutions.
  • Learn which processes and policies have, or haven't, worked for other organizations, and what the various architectural options are for deploying this type of solution.
  • Learn how to determine which deployment option is best for your organization, what the primary key management factors for consideration are, and what services are available to help in this area.

Preparing for a Security Audit:  Best Practices for Storage Professionals
Blair Semple

Until recently, complying with security requirements and preparing materials for a security audit typically wasn't part of storage operations, but times have changed. This tutorial focuses on practical advice for storage administrators and does not assume you have an information security background. At the end of the session you should have a set of guidelines for preparing for an audit, getting through it, and avoiding the pitfalls that can result from one.

Learning Objectives

  • Know what may be required of you during a security audit
  • Understand what data collection you should be doing to be prepared for an audit
  • Implement procedures and processes to make the audit go smoothly
  • Look for capabilities and solutions to help you meet the requirements of an audit

ABCs of Encryption
Roger Cummings

Public disclosures of data indiscretions have become regular enough and embarrassing enough that many organizations are exploring encryption options both to satisfy information protection requirements and to simply stay out of the headlines. Those who have ventured into this space quickly realize that there is no magic crypto fairy dust that will make the problems go completely away. However, with careful planning and judicious use of the right technologies, organizations can eliminate many of their exposures.  This session focuses on the efforts required at the storage layer to both create a successful encryption strategy and effectively deploy products that address encryption of data at-rest as well as data in-flight. The session is based on an established step-by-step process that is defined in detail in a SNIA white paper, and also covers recent SNIA work on Best Current Practices.

Learning Objectives

  • Understand where encryption can be applied at the storage layer.
  • Identify data at-rest encryption prerequisites and opportunities.
  • Be able to create a process to support encryption that's appropriate to a specific enterprise.

An Introduction to Key Management for Secure Storage
Walt Hubis

As secure storage becomes more pervasive throughout the enterprise, the focus quickly moves from implementing encrypting storage devices to establishing effective key management policies. Without the proper generation, distribution, storage, and recovery

Learning Objectives

  • Participants will gain a basic understanding of key management for storage systems.
  • Participants will learn the technologies and terminology used for key management in secure storage systems.
  • Participants will be presented with the methods of managing keys for secure storage that are currently in use.

Self-Encrypting Drives
Michael Willett

Self-encrypting storage (e.g. hard drives) integrates the AES encryption hardware and strong access control directly into the drive electronics and thus avoids many of the vulnerabilities of software-based solutions, providing protection against computer loss or theft and facilitating computer re-purposing and end-of-life. By deleting the cryptographic key under strong administrative access control, the drive can be instantly "sanitized." Advantages include:

  • Automatic, always-on, hardware-based encryption
  • Transparent to end user, operating system, applications and databases
  • No performance degradation
  • Simplifies key management: encryption key does not leave the drive
  • Enables instant secure disposal and re-purposing
  • Standards-based interoperability (Trusted Computing Group specifications for self-encryption and key management)
  • Applicable from the laptop to the data center
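The key handling behind the advantages listed above (the media key never leaves the drive, a credential change is cheap, erase is instant) can be made concrete with a small software model. This is an added illustration, not code from the session, from SNIA or from the Trusted Computing Group specifications: it uses HMAC-SHA256 in counter mode as a pure-Python stand-in for the drive's AES hardware, PBKDF2 for the credential-to-key step, and hypothetical names (SelfEncryptingDrive, crypto_erase, raw_media). The sample data is constructed.

```python
"""Model of a self-encrypting drive (SED): media encryption key (MEK) generated
and kept inside the 'drive', wrapped under a key derived from the admin
credential; password change re-wraps the MEK; crypto-erase discards it.

Added illustration only. HMAC-SHA256 in counter mode stands in for the AES
hardware of a real drive; real SEDs use AES-XTS, which is a tweakable block
cipher and does not have the keystream-reuse problem this stream cipher would
have if a sector were overwritten (the demo never overwrites a sector).
"""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the PRF keystream HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class SelfEncryptingDrive:
    """Models the drive controller. No public method ever returns the MEK."""

    def __init__(self, admin_password: str, sectors: int = 8):
        self._mek = secrets.token_bytes(32)      # generated on-device, never exported
        self._salt = secrets.token_bytes(16)
        self._media = [None] * sectors           # ciphertext as stored on the platters
        self._wrap_mek(admin_password)

    def _kek(self, password: str) -> bytes:
        """Key-encryption key derived from the credential (hypothetical parameters)."""
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _wrap_mek(self, password: str) -> None:
        """Encrypt-then-MAC the MEK under the KEK; only this blob is persisted."""
        kek = self._kek(password)
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(kek, nonce, self._mek)
        tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        self._wrapped_mek = (nonce, ct, tag)

    def unlock(self, password: str) -> bool:
        """Verify the credential via the wrap tag, then unwrap the MEK into volatile state."""
        kek = self._kek(password)
        nonce, ct, tag = self._wrapped_mek
        expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self._mek = None
            return False
        self._mek = _keystream_xor(kek, nonce, ct)
        return True

    def lock(self) -> None:
        """Power-off / lock: the plaintext MEK is dropped, only the wrapped copy remains."""
        self._mek = None

    def change_password(self, old: str, new: str) -> bool:
        """Re-wrap the same MEK under a new KEK: no sector is re-encrypted."""
        if not self.unlock(old):
            return False
        self._wrap_mek(new)
        return True

    def crypto_erase(self, admin_password: str) -> bool:
        """Sanitize: under admin authentication, replace the MEK. The ciphertext
        on the media is untouched but can no longer be decrypted."""
        if not self.unlock(admin_password):
            return False
        self._mek = secrets.token_bytes(32)
        self._wrap_mek(admin_password)
        return True

    def write(self, lba: int, data: bytes) -> None:
        """Host writes plaintext; the drive encrypts with the per-sector tweak (LBA)."""
        if self._mek is None:
            raise PermissionError("drive locked")
        self._media[lba] = _keystream_xor(self._mek, lba.to_bytes(16, "big"), data)

    def read(self, lba: int) -> bytes:
        if self._mek is None:
            raise PermissionError("drive locked")
        return _keystream_xor(self._mek, lba.to_bytes(16, "big"), self._media[lba])

    def raw_media(self, lba: int) -> bytes:
        """What someone who pulls the platters or dumps the flash gets to see."""
        return self._media[lba]


def demo() -> dict:
    """Constructed walk-through returning each check as a named boolean."""
    drive = SelfEncryptingDrive("admin-pw-1")
    secret = b"patient record 4711 (constructed sample data)"
    drive.write(0, secret)
    r = {"roundtrip": drive.read(0) == secret,
         "media_is_ciphertext": drive.raw_media(0) != secret}
    drive.lock()
    r["wrong_pw_rejected"] = drive.unlock("guess") is False
    r["pw_change_ok"] = drive.change_password("admin-pw-1", "admin-pw-2")
    r["read_after_pw_change"] = drive.read(0) == secret      # sector 0 was never rewritten
    before = drive.raw_media(0)
    r["erase_ok"] = drive.crypto_erase("admin-pw-2")
    r["media_untouched_by_erase"] = drive.raw_media(0) == before
    r["old_data_unrecoverable"] = drive.read(0) != secret
    return r


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two points the model makes visible: a credential change touches only the wrapped-key blob, which is why it costs nothing regardless of drive size, and an erase is a 32-byte key replacement rather than a multi-hour overwrite. The caveat a practitioner should carry over is the one in the docstring: a real drive's access-control policy (who may erase, whether a power cycle relocks) is what makes "instant sanitize" safe rather than the crypto alone.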