Security

Material on this page is intended solely for the purpose of content review by SNIA members. Tutorial material may be read and commented upon by any SNIA member, but may not be saved, printed, or otherwise copied, nor may it be shared with non-members of the SNIA. Tutorial managers are responsible for responding to all comments made during the open review period. No responses will be given to comments made outside the open review period.


The Abstracts

Practical Storage Security with Key Management
Russ Fellows

Security has always been a critical aspect of IT storage. Until recently, physical security and other administrative policies were often sufficient to establish security for data centers and corporate information. The current set of regulations, combined with the need for more applications, devices and locations to access data, makes past security techniques ineffective.

This presentation examines practical steps and technologies available to maintain security for sensitive data without impacting applications or users. An overview of security choices is presented, along with recommendations for establishing practical security practices that can be integrated into typical IT environments. Securing data in both public and private infrastructure is covered, with an examination of the issues around securing Cloud and other storage services.

This session will focus on implementing successful security policies that ensure data is secured whenever it is transmitted or stored. Issues such as when and where to encrypt data, products to use and the all-important key-management question are addressed.

Learning Objectives

  • Overview of storage security, key management and trends 
  • Best practices for enterprise key management to ensure regulatory compliance
  • Ways to implement security without impacting business operations

Unmasking Virtualization Security
Eric Hibbard

As enterprises adopt virtualization technologies in their data centers, it is important to understand the risks and to employ protective measures appropriate to the sensitivity and criticality of the data. Special attention is required for storage-based technologies to ensure both data security and data resilience. In addition, cloud computing has a heavy reliance on virtualization, which can be a source of problems if not handled correctly.

This session summarizes the key threats and their relevance, outlines strategies for addressing the risks, and describes the relevant virtualization security technologies that should be considered.

Learning Objectives

  • General introduction to virtualization security
  • Understand the types of threats and attacks that currently exist
  • Guidelines for guarding against virtualization security problems

Data Breaches and the Encryption Safe Harbor
Eric Hibbard

As data breaches continue to plague organizations and the impacts to individuals increase, the statutory and regulatory responses become more severe. Nearly all states in the U.S. have passed data breach laws, which include costly breach notification requirements. The international community has adopted stringent privacy laws and some countries are now considering adding breach notification requirements as a further deterrent for organizations that haven't taken the requirements seriously.

This session explores the complexities and ambiguities associated with these breach laws, especially when encryption can serve as a safe harbor. Recent massive breaches and lawsuits will be used as case studies.

Learning Objectives

  • General introduction to breach laws and notification requirements 
  • Understand the role encryption can play with breach notifications

Storage Security - the ISO/IEC Standard
Eric Hibbard

Many organizations face the challenge of implementing protection and data security measures to meet a wide range of requirements, including statutory and regulatory compliance. Too often the security associated with storage systems and infrastructure has been missed because of misconceptions and limited familiarity with the storage technology, or in the case of storage managers and administrators, a limited understanding of the inherent risks or basic security concepts. The net result of this situation is that digital assets are needlessly placed at risk of compromise due to data breaches, intentional corruption, being held hostage, or other malicious events.

To help combat this situation, ISO/IEC Joint Technical Committee 1 / Subcommittee 27 (IT Security techniques) has undertaken a new standardization project, ISO/IEC 27040 "Storage security." This standard seeks to provide detailed technical guidance on the protection (security) of information where it is stored and on the security of the information being transferred across the communication links; it includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users.

This session introduces the new draft standard, highlights key elements of the guidance, and describes how it can be leveraged by an organization (RFPs, policy, skills, etc.).

Learning Objectives

  • General introduction to the ISO/IEC 27040 Storage security standard 
  • Identifies key elements of the guidance (e.g., media sanitization)
  • Describes how this standard is likely to be used (from both a customer and vendor perspective)

A Hype-free Stroll Through Cloud Security
Eric Hibbard

Cloud storage is emerging as a cloud offering that has appeal to a potentially broad set of organizations. As with other forms of cloud computing, security must be addressed as part of good governance, risk management and common sense. The Cloud Security Alliance (CSA) guidance on cloud computing security can be used as a starting point for what some believe is a make-or-break element of cloud storage.

This session provides an introduction to cloud computing security concepts and issues as well as identifying key guidance and emerging standards. An overview of the current CSA materials and activities is also provided. The session concludes by providing a security review of the emerging ISO/IEC standards in the cloud space.

Learning Objectives

  • General introduction to cloud security threats and risks
  • Understand the security issues considered critical to cloud storage 

Got Lawyers? They've Got Storage and ESI in the Cross-hairs!
Eric Hibbard

Many organizations face the challenge of implementing protection and data security measures necessary to comply with a wide range of regulatory, statutory, and other legal requirements. Because storage systems (actually the data they contain) play an important part in many of these issues, storage managers and administrators may be asked to assist in supporting a variety of legal actions as well as help their organizations guard against data transgressions having legal consequences. Thus, they need to be capable of taking abstract regulatory, statutory and other legal requirements and translating them into implementable solutions. In addition, they must be able to partner with the legal community to ensure these solutions address the organization's compliance requirements and that the support is timely and responsive.

This session describes the legal issues storage security professionals are likely to encounter as part of their role as the focal point for securing storage systems. It also highlights relevant emerging trends from the legal community.

Learning Objectives

  • General introduction to the relevant legal issues
  • Understand how these legal issues impact storage
  • Practical tips on ways to deal with some of the more pressing legal issues