SNIA Developer Conference September 15-17, 2025 | Santa Clara, CA
Current storage technologies include a range of security features and capabilities to allow storage to serve as a last line of defense in an organization’s defense-in-depth strategy. However, the threat landscape continues to change in negative ways, so new responses are needed. Additionally, the storage technology itself is changing to address the increased capacity and throughput needs of organizations. Technical work in ISO/IEC, IEEE, NVM Express, DMTF, OpenFabrics Alliance, Trusted Computing Group (TCG), Open Compute Project (OCP), Storage Networking Industry Association (SNIA), etc. is introducing new storage technologies, specifying the way storage fits into increasingly complex ICT ecosystems, and identifying protection mechanisms for data and the systems themselves. Understanding these developments and their interrelationships will be critical for securing storage systems of the future. This session highlights important storage security elements of both current and emerging storage technologies, including encryption, key management, storage sanitization, roots of trust and attestations, secure communications, and support for multitenancy. Like storage, security technologies are also changing, so crypto-agility, protocol changes, and security practices (e.g., zero trust) are explored.
Quantum computers with the capability to threaten the cryptography used today may seem a long way off, but they already pose a threat to both the data and the systems that we are protecting today. This talk will introduce the quantum threat and discuss why this is already a topic for today and not for some time in the future when large quantum systems emerge, with particular considerations for long-term secure storage. This will be followed by an overview of the race to standardize new cryptographic algorithms that are secure even against large quantum computers of the future. The new quantum-safe algorithms will bring a lot of diversity to the cryptographic landscape. It is expected that multiple schemes will be standardized, based on different mathematical problems such as lattices, isogenies of elliptic curves, or error-correcting codes. Different performance and bandwidth characteristics will further increase the complexity of cryptographic management and will create a demand for cryptographic agility. We will further give an overview of ongoing projects in quantum safety in areas such as storage and will also show how developers can already prototype quantum-safe applications today using open-source projects like Open Quantum Safe.
Business requirements are not the only influencers of our technical solutions. Laws and regulations transform the technical landscape in ways that require us to redefine our architecture, as well as our skill set. This is especially true with data privacy. Since GDPR and CCPA, our industry has been witnessing a new career path emerge: the Privacy Engineer. Privacy engineering is starting where security started 10 years ago. Join us as we look at Privacy by Design (PbD) and introduce some architecture patterns that align with privacy strategies.
Agenda:
- Overview
- Data Usage Agreements
- Data Tracker Chain
- Data Security Guard
- Data Privacy Inspector
- Forward Thinking
Every organization today is in some state of digital transformation. While the understanding of security needs in the digital age has matured significantly in the last 2 decades, the implications for data privacy, and in particular its interaction with technology solutions, are still not well understood. As data regulations and laws continue to evolve globally, organizations require an increased understanding of privacy requirements and their impact on technology solutions. In this session, Cathy will provide a high-level overview of data privacy, including a snapshot of the evolution of privacy, key privacy principles, Privacy by Design, Privacy and the SDLC, and the NIST Privacy Framework. Cathy will also discuss the overlap between security and privacy and highlight the critical role of tech professionals in data privacy today.
Almost everyone understands that systems and data both have lifecycles that typically include a disposal phase (i.e., what you do when you do not need something anymore). Conceptually, data needs to be eliminated either on a system or entirely (everywhere it is stored) as part of this disposal. Simply hitting the delete key may seem like the right approach, but the reality is that eliminating data can be difficult. Additionally, failing to correctly eliminate certain data can result in costly data breach scenarios. “Sanitization” is the term used to label actions taken to eliminate data with a given level of assurance. This assurance assumes a competent forensic professional with a full complement of forensic tools being used for data recovery attempts. To be successful, the sanitization techniques must be matched to the underlying storage and, in some cases, may require action prior to the recording of any data. This session outlines the various forms of sanitization and methods used (e.g., clear, purge, and destruct). In addition, details are provided on representative storage to help explore what needs to be done, what can go wrong, and what additional measures may be needed to protect an organization. Lastly, the session will provide information on the state of sanitization standards and practices.
Malware, short for malicious software, is a blanket term for viruses, worms, trojans and other harmful software that attackers use to damage, destroy, and gain access to sensitive information; software is identified as malware based on its intended use, rather than a particular technique or technology used to build it. Ransomware is a blended malware attack that uses a variety of methods to target the victim’s data and then demands that the victim pay the attacker a ransom (usually in cryptocurrency) to regain access to the data (with no guarantees). However, the landscape is changing, and ransomware is no longer just about a financial ransom. Attacks are now being aimed at infrastructure and at undermining public confidence, as witnessed by recent headlines regarding incidents affecting police informant databases and oil pipeline sensors. There is also the recent US Treasury guideline to businesses advising them not to pay the ransom. What can we realistically do to prevent such attacks, or do we simply surrender and accept we will lose our data and that the insurance payout will cover any loss? There is increasing evidence that the insurance companies are unwilling to meet those claims, so the situation is perilous as the criminals always appear one step ahead. As a starting point, everyone needs to start assuming they will be attacked at some stage; prevention and mitigation strategies should therefore be based on that assumption. This session outlines the current threats, the scale of the problem, and examines the technology responses currently available as countermeasures. What can be done to prevent an attack? What works and what doesn’t? What should storage developers be thinking about when developing products that need to be more resilient to attack?