Current storage technologies include a range of security features and capabilities to allow storage to serve as a last line of defense in an organization’s defense in depth strategy. However, the threat landscape continues to change in negative ways, so new responses are needed. Additionally, the storage technology itself is changing to address the increased capacity and throughput needs of organizations. Technical work in ISO/IEC, IEEE, NVM Express, DMTF, OpenFabric Alliance, Trusted Computing Group (TCG), Open Compute Project (OCP), Storage Networking Industry Association (SNIA), etc.

Almost everyone understands that systems and data both have lifecycles that typically include a disposal phase (i.e., what you do when you do not need something anymore). Conceptually, data needs to be eliminated either on a system or entirely (everywhere stored) as part of this disposal. Simply hitting the delete-key may seem like the right approach, but the reality is that eliminating data can be difficult. Additionally, failing to correctly eliminate certain data can result in costly data breach scenarios.

Register to Attend this BoF

Security, unlike most technologies, is driven by changes to the threat landscape as well as the legal/regulatory responses. This BoF provides a forum to explore recent and anticipated developments. It may also serve as a forum to further explore details from the various SDC security and data protection sessions.

Almost everyone understands that systems and data both have lifecycles that typically include a disposal phase (i.e., what you do when you do not need something anymore). Conceptually, data needs to be eliminated either on a system or entirely (everywhere stored) as part of this disposal. Failure to correctly eliminate certain data can result in costly data breach scenarios. Selecting the form of storage sanitization that is appropriate to the sensitivity of the data sensitivity and that also considers circular business models is something that many organizations are pursuing.

2022 has been an interesting and challenging year for storage security. The cyber threat landscape has witnessed large numbers of attacks impacting data and increased nation state activities directed at critical infrastructure. The regulatory landscape is undergoing change as well (e.g., EU Directive 2009/125/EC also known as LOT 9) and potentially imposing requirements that necessitate adjustments to security capabilities, controls, and practices to reflect new realities. By the end of 2022 there will be significant changes to security standards and specifications relevant to storage.

A nation-state attack on the SolarWinds network management system in December 2020 compromised the supply chains of over 18,000 organizations, including the Pentagon and the Department of Homeland Security. As these supply chain security attacks continue, there is an increased focus on securing the supply chain. Organizations are seeking to understand their risk exposures from third parties and products they acquire and use. For products, security certifications can be useful to demonstrate security functionality as well as to assure security efficacy.

Zero Trust is a collection of security methodologies that work together to enforce access, with the view that your network has already been compromised, and using contextual information from identity, security, and IT infrastructure, along with risk and analytics tools, to enable dynamic enforcement of security policies uniformly across the corporate network. This session will highlight the main attributes of Zero Trust, and why it is important for storage developers.

This session is an open forum to discuss security and privacy protection issues that are of concern to you. Topics are likely to include the current threat landscape, legal/regulatory developments, potential countermeasures and risk mitigation strategies, security implications for emerging technology, and the state of relevant standards. Moderated by the editor of the ISO storage security standard, the dialogue could influence industry initiatives and formal standards.

2023 has been an interesting and challenging year for storage security. The cyber threat landscape has witnessed large numbers of attacks impacting data and increased nation state activities directed at critical infrastructure. The regulatory landscape is undergoing change as well and potentially imposing requirements that necessitate adjustments to security capabilities, controls, and practices to reflect new realities. By the end of 2023 there will be significant changes to security standards and specifications relevant to storage.

The Key Per IO (KPIO) project was a joint initiative between NVM Express® and the Trusted Computing Group (TCG) Storage Work Group to define a new KPIO Security Subsystem Class (SSC) under TCG Opal SSC for NVMe® class of Storage Devices. Self-Encrypting Drives (SED) perform continuous encryption on user accessible data based on contiguous LBA ranges per namespace. This is done at interface speeds using a small number of keys generated/held in persistent media by the storage device. KPIO allows a large number of encryption keys to be managed and securely downloaded into the NVM subsystem.