Tutorials

Storage Security Industry Forum and SNIA members contribute to a rich set of educational tutorials on the broad range of storage security issues and solutions in the industry today. These tutorials are offered live at events like SNW, and are also available for download and review.

Below are the descriptions of our latest storage security tutorials. Find the full abstracts and PowerPoint slides of the SNW Spring 2009 tutorials here.

Introduction to Information Assurance with Eric Hibbard, Hitachi Data Systems, provides an introduction to ensuring that authorized users have access to authorized information at the authorized time.

SNIA Storage Security Best Practices with Eric Hibbard, Hitachi Data Systems, describes this vendor neutral guidance that covers both storage systems and entire storage ecosystems.

A CISO View of the Storage Ecosystem with Andrew Nielsen, Hitachi Data Systems, outlines how security and storage professionals must partner in order to protect information assets from current and emerging threats.

How e-Discovery Will Impact Your Life as a Storage Professional with David Stevens, CMU, provides an end user perspective on how the storage professional can understand and work with the new Federal Rules of Civil Procedure (FRCP).

Computing or Litigating in the Cloud: Emerging Issues in eDiscovery, Search and Digital Evidence Management with Steven Teppler, KamberEdelson, LLC, offers information security and management stakeholders an insight into a litigating attorney's perspective about digital evidence management through the information lifecycle.

Storage Security Panel: Learning from Others' Experiences with Blair Semple, SSIF, helps IT management and administrators learn from the challenges and successes of deploying storage encryption and key management solutions.

Preparing for a Security Audit: Best Practices for Storage Architects with Blair Semple, SSIF and NetApp, provides a set of guidelines for preparing for, undertaking, and avoiding the pitfalls of a security audit.

ABCs of Encryption with Roger Cummings, Symantec, focuses on the efforts required at the storage layer to create a successful encryption strategy and effectively deploy products that address both data-at-rest and data-in-flight.

Self-Encrypting Drives with Dr. Michael Willett, Seagate, describes how these solutions can provide protection against computer loss or theft and facilitate computer repurposing and end-of-life disposal.

SNW Fall 2008 Tutorials

Below are the abstracts of the SNW Fall 2008 tutorials, which you can find in full here.

Saving Private Data: An Introduction to Storage Security, Richard Austin

In their relentless drive to master the ever-increasing floods of data, organizations increasingly exploit the efficiencies and cost reductions realized through storage networking. But as these information assets centralize, their value as targets increases dramatically. Tales of breaches litter the popular and industry press as more organizations find themselves becoming statistics in the struggle to safeguard their information. This tutorial introduces the newly revised best common practices for storage security developed by SNIA's Security Technical Working Group and will provide timely guidance on how you can succeed in the mission of saving your organization's private data.

Learning Objectives:

  1. Review the challenges of securing the enterprise storage networking infrastructure
  2. Present the best common practices for storage security as articulated by the SNIA Security Technical Working Group

ABCs of Encryption, Roger Cummings

Public disclosures of data indiscretions have become regular enough and embarrassing enough that many organizations are exploring encryption options both to satisfy information protection requirements and to simply stay out of the headlines. Those who have ventured into this space quickly realize that there is no magic crypto fairy dust that will make the problems go completely away. However, with careful planning and judicious use of the right technologies, organizations can eliminate many of their exposures. This session focuses on the efforts required at the storage layer to both create a successful encryption strategy and effectively deploy products that address encryption of data at rest as well as data in flight. The session is based on an established step-by-step process that is defined in detail in a SNIA white paper, and also covers recent SNIA work on Best Current Practices.

Learning Objectives:

  1. Understand where encryption can be applied at the storage layer
  2. Identify data at-rest encryption prerequisites and opportunities
  3. Be able to create a process to support encryption that's appropriate to a specific enterprise


An Introduction to Key Management for Secure Storage, Walt Hubis

As secure storage becomes more pervasive throughout the enterprise, the focus quickly moves from implementing encrypting storage devices to establishing effective key management policies. Without the proper generation, distribution, storage, and recovery of key material, valuable data will eventually be compromised. Worse, without proper management of key information, data can be completely lost. This session explores the fundamental issues and technologies that impact key management for disk, tape, array, and other storage devices. Major issues associated with symmetric encryption keys are presented, along with practical advice on effective key management issues and practices.

Learning Objectives:

  1. Understand the basics of symmetric encryption keys with an emphasis on data-at-rest encryption
  2. Identify the best practices for key management in the storage environment


Storage Security Panel: Learning from Others' Experiences

Blair Semple, Moderator. Panelists: David Murray, Dave Stauffacher, Neil Strand

This session features a panel discussion made up of end-user organizations that have deployed various storage security solutions within their enterprises. The session goal is to help IT management and administrators learn from the challenges and successes others have had in deploying storage encryption and key management solutions.

Topics include:

  • What processes and policies have, or haven’t, worked for other organizations?
  • What are the various architectural options for deploying this type of solution?
  • How can you determine what deployment option is best for your organization?
  • What are the primary key management factors for consideration?

TCG Trusted Storage Specifications, Jason Cox

The Trusted Computing Group (TCG) Storage WorkGroup has published formal specifications for security and trust services on storage devices, including hard drives, flash, and tape drives. The majority of hard drive and other storage device manufacturers participated. Putting security directly on the storage device avoids the vulnerabilities of platform OS-based software security. The details of the Specification will be highlighted, as well as various use cases, including Full Disk Encryption with enterprise key management, from the laptop to the data center.

Learning Objectives:

  1. Learn the high-level details of the TCG Storage Specifications
  2. Learn how to program applications that exploit the security and trust services on the storage device
  3. Learn the variety of use cases possible with storage device-based security

SCSI Security Nuts and Bolts, Ralph Weber

The SCSI Command Sets are the "lingua franca" of computer storage, the language by which computer systems and peripherals communicate to support the storage and retrieval of information, the lifeblood of any modern business. SCSI has evolved from its origins in the early 1980s in "small" computers to support modern SANs that interconnect tens of thousands of peripherals and servers. The latest SCSI standards projects underway in INCITS Technical Committee T10 define the creation of Security Associations, methods of deriving keys and performing strong mutual authentication, per-command security controls supporting multiple levels of protection, support for security protocols defined separately by multiple other standards organizations, and the control and operation of new security features within storage peripherals themselves. This session will cover these new features in detail, and will highlight the new requirements that these features will place on the operation and management of future computer systems and their storage configurations.

Learning Objectives:

  1. Understand the new security features being included in SCSI standards projects in development
  2. Identify new management and support requirements of SCSI peripherals with security features
  3. Be able to identify where new SCSI peripherals with security features may be best utilized

Information Security and IT Compliance, Roger Cummings and Frank Bunn

In times past, the sole yardstick of an enterprise's IT department was business application availability. Today, however, a multitude of both internal and external requirements are applied to IT, along with a host of metrics. IT policies are now driven by a need for compliance with national and international legislation on information security (e.g. HIPAA, Sarbanes-Oxley), various standardized and industry-developed regulatory frameworks (e.g. ISO 17799, COBIT), auditing standards, and even risk management requirements derived from insurance coverage. IT metrics include not only demonstrating compliance with the requirements but also such items as e-discovery response times, intrusion detection tests, and data retention periods. This session will describe SNIA Best Practices addressing data security compliance, understanding risks, and utilizing event logging. Commonly encountered requirements will be identified, and approaches to creating IT policies and collecting evidence that enable appropriate metrics to be used to demonstrate compliance will be described.

Learning Objectives:

  1. Understand appropriate national, international and industry-specific frameworks
  2. Identify appropriate internal and external requirements for a specific enterprise's IT department
  3. Be able to define and measure appropriate metrics for a specific enterprise's IT department

How E-Discovery Will Impact Your Life as a Storage Professional, David Stevens

Mention the term E-Discovery to a storage professional and watch their reaction. Storage professionals today face the daunting task of being able to quickly know where every email, Word document and database file lives and how to get it back in a hurry in the event of a catastrophe. With the recent update to the Federal Rules of Civil Procedure (FRCP), a storage professional is now under even more pressure to potentially know the content inside those files. This session helps the storage professional understand the recently updated FRCP. We will also look at an e-discovery request from the perspective of an end user. Finally, we will provide some recommendations on how to prepare for an e-discovery request.

Learning Objectives:

  1. Be aware of the FRCP regulations that govern e-discovery
  2. Know what you can expect to do for an e-discovery request
  3. Understand how to prepare for an e-discovery request