Security



The Abstracts

A Hype-free Stroll through Cloud Storage Security
Eric Hibbard

Cloud storage is emerging as a cloud offering that has appeal to a potentially broad set of organizations. Like other forms of cloud computing, its security must be addressed as part of good governance, risk management and common sense. The Cloud Security Alliance (CSA) guidance on cloud computing security can be used as a starting point for what some believe is a make-or-break element of cloud storage.

This session provides an introduction to cloud computing security concepts and issues, and identifies key guidance and emerging standards. An overview of the current CSA materials and activities is also provided. The session concludes with a security review of the SNIA Cloud Data Management Interface (CDMI) specification, which includes protective measures employed in the management and access of data and storage.

Learning Objectives

  • General introduction to cloud security threats and risks 
  • Understand the security issues considered critical to cloud storage 
  • Basic knowledge of the SNIA CDMI security capabilities 

Storage Security - the ISO/IEC Standard
Eric Hibbard

Storage and security professionals don't typically move in the same technology and management circles within an organization, and as a result, storage frequently plays a diminished role in protecting the organization's digital assets. This situation is unfortunate because storage systems and infrastructure could be an effective weapon in the organization's war chest against cybercrime, cyberwarfare, and other less insidious types of incidents. One might say that storage could be the last line of defense in an organization's defense-in-depth strategy.

The pressure to change is already there from statutory and regulatory requirements, but the catalyst for this change could come from a new standard being developed by ISO/IEC Joint Technical Committee 1 / Subcommittee 27 (IT Security techniques). The new ISO/IEC 27040 "Storage security" project seeks to provide detailed technical guidance on the protection (security) of information where it is stored and on the security of information being transferred across communication links; it covers the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users.

This session introduces the new draft standard, highlights key elements of the guidance, and describes how it can be leveraged by an organization (RFPs, policy, skills, etc.).

Learning Objectives

  • General introduction to the ISO/IEC 27040 Storage security standard 
  • Identifies key elements of the guidance (e.g., media sanitization) 
  • Describes how this standard is likely to be used (from both a customer and vendor perspective) 

Implementing Stored Data Encryption
Michael Willett

Data security is top of mind for most businesses trying to respond to the constant barrage of news highlighting data theft, security breaches, and the resulting punitive costs. Combined with litigation risks, compliance issues and pending legislation, companies face a myriad of technologies and products that all claim to protect data-at-rest on storage devices. What is the right approach to encrypting stored data?

The Trusted Computing Group, with the active participation of the drive industry, has standardized the technology for self-encrypting drives (SED): the encryption is implemented directly in the drive hardware and electronics. Mature SED products are now available from all the major drive companies, for both HDD (rotating media) and SSD (solid state), and for both laptops and the data center. SEDs provide a low-cost, transparent, performance-optimized solution for stored-data encryption. SEDs do not protect data in transit, upstream of the storage system. For overall data protection, a layered encryption approach is advised. Sensitive data (e.g., as identified by specific regulations: HIPAA, PCI DSS) may require encryption outside and upstream of storage, such as in selected applications or in association with database operations.

This tutorial examines a 'pyramid' approach to encryption: selected, sensitive data encrypted at the higher logical levels, with full data encryption for all stored data provided by SEDs.

Learning Objectives

  • The mechanics of SEDs, as well as application and database-level encryption 
  • The pros and cons of each encryption subsystem 
  • The overall design of a layered encryption approach

Got Lawyers? They've Got Storage and ESI in the Cross-hairs!
Eric Hibbard

Many organizations face the challenge of implementing the protection and data security measures necessary to comply with a wide range of regulatory, statutory, and other legal requirements. Because storage systems (actually the data they contain) play an important part in many of these issues, storage managers and administrators may be asked to assist in supporting a variety of legal actions as well as to help their organizations guard against data transgressions with legal consequences. Thus, they need to be capable of taking abstract regulatory, statutory and other legal requirements and translating them into implementable solutions. In addition, they must be able to partner with the legal community to ensure these solutions address the organization's compliance requirements and that the support is timely and responsive.

This session describes the legal issues storage security professionals are likely to encounter as part of their role as the focal point for securing storage systems. It also highlights relevant emerging trends from the legal community.

Learning Objectives

  • General introduction to the relevant legal issues 
  • Understand how these legal issues impact storage 
  • Practical tips on ways to deal with some of the more pressing legal issues