Security

Material on this page is intended solely for the purpose of content review by SNIA members. Tutorial material may be read and commented upon by any SNIA member, but may not be saved, printed, or otherwise copied, nor may it be shared with non-members of the SNIA. Tutorial managers are responsible for responding to all comments made during the open review period. No responses will be given to comments made outside the open review period.

The Abstracts

Storage Security Tutorial With a Focus on Cloud Storage
Gordon Arnold

Introduction of computing and data services in a virtualized and service provider context exposes the customer's information to a new set of threats and vulnerabilities. This session provides an introduction to those threats and what techniques are available to mitigate the threats.

Learning Objectives

  • Learn about storage vulnerabilities in service providers and the cloud models 
  • Learn about solutions available for securing data in service providers and cloud deployments 
  • What legal and regulatory implications are there for cloud and service provider deployments 

Securing the Cloud - Using Encryption and Key Management to Solve Today's Cloud Security Challenges
Steve Pate, Tushar Tambay

Moving to "The Cloud" is viewed as a path that most companies believe they will head down over the next several years. However, concern around security is the number one barrier to cloud adoption. Encryption and Key Management are important technologies that can help secure applications and data in the cloud. Companies considering moving to a cloud-based infrastructure need to understand various aspects of encryption and key management - regulations guiding their use, the impact of key expiration and rotation on application performance and backup / restore / archiving, hardware versus software key management, and retaining control of keys when applications and data are with a Cloud Service Provider. We will discuss industry best practices around encryption and key management, look at how various existing solutions fare on these considerations, and look at emerging solutions in this space.

Learning Objectives

  • Understand new security vulnerabilities exposed by virtualization and virtual machine mobility together with how a combination of encryption and key management techniques can address these vulnerabilities.
  • Review existing solutions in this space and understand how well these meet the requirements. 
  • Look at emerging standards and solutions that will better enable security in the Cloud.

Legal Issues Relevant to Storage
David Stevens

Many organizations face the challenge of implementing protection and data security measures necessary to comply with a wide range of regulatory, statutory, and other legal requirements. Because storage systems (actually the data they contain) play an important part in many of these issues, storage managers and administrators may be asked to assist in supporting a variety of legal actions as well as help their organizations guard against data transgressions having legal consequences. Thus, they need to be capable of taking abstract regulatory, statutory and other legal requirements and translating them into implementable solutions. In addition, they must be able to partner with the legal community to ensure these solutions address the organization's compliance requirements and that the support is timely and responsive. This session describes the legal issues storage security professionals are likely to encounter as part of their role as the focal point for securing storage systems.

SNIA Storage Security Best Practices
Gordon Arnold

With the increasing importance and emphasis on security in mind, the Storage Networking Industry Association (SNIA) has developed and published (see /forums/ssif/programs/best_practices/) a set of storage security best current practices (BCPs). This vendor-neutral guidance has a broad scope, covering both storage systems and entire storage ecosystems. Specific elements include, but are not limited to, storage management, protocols, compliance, encryption, key management, and long-term archive. This session provides an introduction to the BCPs as well as information that will help organizations exploit the BCPs in their own environments.

Learning Objectives

  • General introduction to the SNIA storage security BCPs 
  • Understand which storage security BCPs are considered critical 
  • Practical tips on ways to utilize the storage security BCPs 

Self-Encrypting Drives: Simple, Yet Powerful
Dr. Michael Willett

Data security is top of mind for most businesses trying to respond to the constant barrage of news highlighting data theft, security breaches, and the resulting punitive costs. Combined with litigation risks, compliance issues and pending legislation, companies face a myriad of technology and products that all claim to protect data-at-rest on storage devices. The drive industry has standardized and is now deploying innovative, simple yet powerful technology intended to secure data where it lives – in storage. This tutorial will give storage users and managers a look at emerging drive-level self-encryption technology (both HDD and SSD), from notebook PCs to the data center, that provides a more secure storage foundation, and compare that technology with alternate storage encryption methods, including: host-based, appliance, network fabric, and controller-based. Self-encryption will be compared to software-based encryption in several aspects, including performance. Independent side-by-side performance testing of both HDDs and SSDs demonstrates dramatically the superior read/write/startup capabilities of self-encrypting drives.

Learning Objectives

  • Appreciate the business requirement for data encryption
  • Understand the technology of self-encryption
  • Compare self-encryption to software-based encryption 

ABCs of Data Encryption for Storage
Eric Hibbard

Public disclosures of data indiscretions have become regular enough and embarrassing enough that many organizations are exploring encryption options to simply stay out of the headlines. Those who have ventured into this space quickly realize that there is no magic crypto fairy dust that will make the problems go completely away. However, with careful planning and judicious use of the right technologies, organizations can eliminate many of their exposures. This session focuses on the efforts required at the storage layer to create a successful encryption strategy. Major uses along with factors to consider are presented for protecting storage management, data in-flight, and data at-rest. The session provides expanded coverage on encrypting data at-rest, including key management and a step-by-step approach.

Learning Objectives

  • Identify where encryption is applied to the storage layer 
  • Discuss uses and issues associated with the application of encryption, with special emphasis on data at-rest encryption prerequisites and opportunities 
  • Develop an approach for implementing data at-rest encryption 

An Introduction to Storage Security
Eric Hibbard

As society becomes more dependent on IT and digital assets, the social impact of the failure of IT resources ceases to be an inconvenience and begins to take on the character of a disaster. Few other elements of the IT infrastructure have a more important relationship with data than that of storage systems. They may also be the last line of defense against an adversary, but only if storage managers and administrators invest the time and effort to implement and activate the available storage security controls. This session covers the storage security fundamentals. It starts by providing information on the types of data that should be protected along with the drivers for this protection. Next, it summarizes important information assurance and security concepts, with a particular emphasis on risk. It continues with a characterization of storage security and concludes with practical guidance on starting a storage security program.

Learning Objectives

  • General introduction to storage security concepts
  • Practical tips on ways to utilize storage security mechanisms

Cryptography Deciphered
Dr. Michael Willett

Cryptography, the science of "secret writing," is being exploited more extensively by the I.T. community in order to provide data confidentiality and to satisfy multiple regulatory requirements. Cryptography is also a component in other elements of the security infrastructure, including authentication/authorization, identity management, data integrity, and non-repudiation. Cryptographic methods and associated best practices are essential elements of a successful, modern business. Cryptography comes in two flavors: symmetric cryptography for high-speed and bulk encryption, asymmetric (or public-key) cryptography for instantaneous, shorter, yet secure encryption. The state-of-the-art cryptography standards and methods for both flavors will be reviewed, with an eye toward how each technology is integrated into an overall I.T. strategy. A brief, historical perspective on cryptography will be included.

Learning Objectives

  • Understand the basic algorithms of cryptography, both symmetric and asymmetric
  • Appreciate the role of cryptography in the overall security infrastructure
  • Learn how cryptography helps satisfy business objectives