Keeping Edge Data Secure Q&A

David McIntyre

Jun 9, 2022

The complex and changeable structure of edge computing, together with its network connections, massive real-time data, challenging operating environment, distributed edge cloud collaboration, and other characteristics, creates a multitude of security challenges. It was the topic of our SNIA Networking Storage Forum (NSF) live webcast “Storage Life on the Edge: Security Challenges” where SNIA security experts Thomas Rivera, CISSP, CIPP/US, CDPSE and Eric Hibbard, CISSP-ISSAP, ISSMP, ISSEP, CIPP/US, CIPT, CISA, CDPSE, CCSK debated whether existing security practices and standards are adequate for this emerging area of computing. If you missed the presentation, you can view it on-demand here.

It was a fascinating discussion and as promised, Eric and Thomas have answered the questions from our live audience.

Q. What complexities are introduced from a security standpoint for edge use cases?

A. The sheer number of edge nodes, the heterogeneity of the nodes, distributed ownership and control, increased number of interfaces, fit-for-use versus designed solution, etc. complicate the security aspects of these ecosystems. Performing risk assessments and/or vulnerability assessments across the full ecosystem can be extremely difficult; remediation activities can be even harder.

Q. How is data privacy impacted and managed across cloud to edge applications?

A. Movement of data from the edge to core systems could easily cross multiple jurisdictions that have different data protection/privacy requirements. For example, personal information harvested in the EU might find its way into core systems in the US; in such a situation, the US entity would need to deal with GDPR requirements or face significant penalties. The twist is that the operator of the core systems might not know anything about the source of the data.


Q. What are the priority actions that customers can undertake to protect their data?

A. Avoid giving personal information. If you do, understand your rights (if any) as well as how it will be used, protected, and ultimately eliminated.

This session is part of our “Storage Life on the Edge” webcast series. Our next session will be “Storage Life on the Edge: Accelerated Performance Strategies” where we will dive into the need for faster computing, access to storage, and movement of data at the edge as well as between the edge and the data center. Register here to join us on July 12, 2022. You can also access the other presentations we’ve done in this series at the SNIA Educational Library.

Olivia Rhye

Product Manager, SNIA


Experts Discuss Key Edge Storage Security Challenges

David McIntyre

Mar 25, 2022

The complex and changeable structure of edge computing, together with its network connections, massive real-time data, challenging operating environment, distributed edge cloud collaboration, and other characteristics, creates a multitude of security challenges. It’s a topic the SNIA Networking Storage Forum (NSF) will take on as our “Storage Life on the Edge” webcast series continues. Join us on April 27, 2022 for “Storage Life on the Edge: Security Challenges” where I’ll be joined by security experts Thomas Rivera, CISSP, CIPP/US, CDPSE and Eric Hibbard, CISSP-ISSAP, ISSMP, ISSEP, CIPP/US, CIPT, CISA, CDPSE, CCSK as they explore these challenges and wade into the debate as to whether existing security practices and standards are adequate for this emerging area of computing. Our discussion will cover:

  • Understanding the key security issues associated with edge computing
  • Identifying potentially relevant standards and industry guidance (e.g., IoT security)
  • Offering awareness of new security initiatives focused on edge computing

Register today and bring your questions. Eric and Thomas will be on hand to answer them. And if you’re interested in the other “Storage Life on the Edge” presentations we’ve done, you can find them in the SNIA Educational Library.


Understanding How Data Privacy, Data Governance, and Data Security Differ

Michael Hoard

Mar 2, 2022

Ever wonder what’s the difference between data privacy, data governance and data security? All of these terms are frequently (and mistakenly) used interchangeably. They are indeed related, particularly when it comes to keeping data in the cloud protected, private and secure, but the definitions and mechanics of executing on each are all quite different.

Join us on March 30, 2022 for another SNIA Cloud Storage Technologies Initiative (CSTI) “15 Minutes in the Cloud” session for an overview of what each of these terms means, how and where they intersect, and why each one demands adequate attention or you risk threatening the overall security of your data.

Presenting will be Thomas Rivera, CISSP, CIPP/US, CDPSE and Strategic Success Manager at VMware Black Carbon together with Eric Hibbard, CISSP-ISSAP, ISSMP, ISSEP, CIPP/US, CIPT, CISA, CDPSE, CCSK and Director, Product Planning – Storage Networking & Security, Samsung Semiconductor. As you see, our security experts have more credentials than the alphabet!

Register today for “15 Minutes in the Cloud: Data Privacy vs. Governance vs. Security.” We look forward to seeing you on March 30th.


Storage Life on the Edge

Tom Friend

Dec 20, 2021

Cloud to Edge infrastructures are rapidly growing.  It is expected that by 2025, up to 75% of all data generated will be created at the Edge.  However, Edge is a tricky word and you’ll get a different definition depending on who you ask. The physical edge could be in a factory, retail store, hospital, car, plane, cell tower level, or on your mobile device. The network edge could be a top-of-rack switch, server running host-based networking, or 5G base station.

The Edge means putting servers, storage, and other devices outside the core data center and closer to both the data sources and the users of that data—both edge sources and edge users could be people or machines.

 This trilogy of SNIA Networking Storage Forum (NSF) webcasts will provide:

  1. An overview of Cloud to Edge infrastructures and performance, cost and scalability considerations
  2. Application use cases and examples of edge infrastructure deployments
  3. Cloud to Edge performance acceleration options

Attendees will leave with an improved understanding of compute, storage and networking resource optimization to better support Cloud to Edge applications and solutions.

At our first webcast in this series on January 26, 2022, “Storage Life on the Edge: Managing Data from the Edge to the Cloud and Back,” you’ll learn:

  • Data and compute pressure points: aggregation, near & far Edge
  • Supporting IoT data
  • Analytics and AI considerations
  • Understanding data lifecycle to generate insights
  • Governance, security & privacy overview
  • Managing multiple Edge sites in a unified way

Register today! We look forward to seeing you on January 26th.


Q&A: Security of Data on NVMe-oF

John Kim

Jul 28, 2021

Ensuring the security of data on NVMe® over Fabrics was the topic of our SNIA Networking Storage Forum (NSF) webcast “Security of Data on NVMe over Fabrics, the Armored Truck Way.” During the webcast our experts outlined industry trends, potential threats, security best practices and much more. The live audience asked several interesting questions and here are answers to them.

Q. Does use of strong authentication and network encryption ensure I will be compliant with regulations such as HIPAA, GDPR, PCI, CCPA, etc.?

A. Not by themselves. Proper use of strong authentication and network encryption will reduce the risk of data theft or improper data access, which can help achieve compliance with data privacy regulations. But full compliance also requires establishment of proper processes, employee training, system testing and monitoring. Compliance may also require regular reviews and audits of systems and processes plus the involvement of lawyers and compliance consultants.

Q. Does using encryption on the wire such as IPsec, FC_ESP, or TLS protect against ransomware, man-in-the-middle attacks, or physical theft of the storage system?

A. Proper use of data encryption on the storage network can protect against man-in-the-middle snooping attacks because any data intercepted would be encrypted and very difficult to decrypt. Use of strong authentication such as DH-HMAC-CHAP can reduce the risk of a man-in-the-middle attack succeeding in the first place. However, encrypting data on the wire does not by itself protect against ransomware or against physical theft of the storage systems, because the data is decrypted once it arrives on the storage system or on the accessing server.

Q. Does "zero trust" mean I cannot trust anybody else on my IT team or trust my family members?

A. Zero Trust does not mean your coworker, mother or cousin is a hacker.  But it does require assuming that any server, user (even your coworker or mother), or application could be compromised and that malware or hackers might already be inside the network, as opposed to assuming all threats are being kept outside the network by perimeter firewalls. As a result, Zero Trust means regular use of security technologies--including firewalls, encryption, IDS/IPS, anti-virus software, monitoring, audits, penetration testing, etc.--on all parts of the data center to detect and prevent attacks in case one of the applications, machines or users has been compromised.

Q. Great information! Is there any reference security practice for eBOF and NVMe-oF™ that you recommend?

A. Generally, security practices for an eBOF using NVMe-oF would be similar to those for traditional storage arrays (whether they use NVMe-oF, iSCSI, FCP, or a NAS protocol). You should authenticate users, put fine-grained access controls in place, encrypt data, and back up your data regularly. You might also want to physically or logically separate your storage network from the compute traffic or user access networks. Some differences may arise from the fact that with an eBOF, it's likely that multiple servers will access multiple eBOFs directly, instead of each server going to a central storage controller that in turn accesses the storage shelves or JBOFs.

Q. Are there concerns around FC-NVMe security when it comes to Fibre Channel Fabric services? Can a rogue NVMe initiator discover the subsystem controllers during the discovery phase and cause a denial-of-service kind of attack? Under such circumstances can DH-CHAP authentication help?

A. A rogue initiator might be able to discover storage arrays using the FC-NVMe protocol but this may be blocked by proper use of Fibre Channel zoning and LUN masking. If a rogue initiator is able to discover a storage array, proper use of DH-CHAP should prevent it from connecting and accessing data, unless the rogue initiator is able to successfully impersonate a legitimate server. If the rogue server is able to discover an array using FC-NVMe, but cannot connect due to being blocked by strong authentication, it could initiate a denial-of-service attack and DH-CHAP by itself would not block or prevent a denial-of-service attack.

Q. With the recent example of Colonial Pipeline cyber-attack, can you please comment on what are best practice security recommendations for storage with regards to separation of networks for data protection and security?

A. It's a best practice to separate storage networks from the application and/or user networks. This separation can be physical or logical and could include access controls and authentication within each physical or logical network. A separate physical network is often used for management and monitoring. In addition, to protect against ransomware, storage systems should be backed up regularly with some backups kept physically offline, and the storage team should practice restoring data from backups on a regular basis to verify the integrity of the backups and the restoration process.

For those of you who follow the many educational webcasts that the NSF hosts, you may have noticed that we are discussing the important topic of data security a lot. In fact, there is an entire Storage Networking Security Webcast Series that dives into protecting data at rest, protecting data in flight, encryption, key management, and more.

We’ve also been talking about NVMe-oF a lot. I encourage you to watch “NVMe-oF: Looking Beyond Performance Hero Numbers” where our SNIA experts explain why it is important to look beyond test results that demonstrate NVMe-oF’s dramatic reduction in latency. And if you’re ready for more, you can “Geek Out” on NVMe-oF here, where we’ve curated several great basic and advanced educational assets on NVMe-oF.


Protecting NVMe over Fabrics Data from Day One, The Armored Truck Way

John Kim

Apr 27, 2021

With ever-increasing threat vectors both inside and outside the data center, a compromised customer dataset can quickly result in a torrent of lost business data, eroded trust, significant penalties, and potential lawsuits. Potential vulnerabilities exist at every point when scaling out NVMe® storage, which requires data to be secured every time it leaves a server or the storage media, not just when leaving the data center. NVMe over Fabrics is poised to be one of the most dominant storage transports of the future, and securing and validating the vast amounts of data that will traverse this fabric is not just prudent, but paramount.

Ensuring the security of that data will be the topic of our SNIA Networking Storage Forum (NSF) webcast “Security of Data on NVMe over Fabrics, the Armored Truck Way” on May 12, 2021. Join the webcast to hear industry experts discuss current and future strategies to secure and protect mission critical data.

You will learn:

  • Industry trends and regulations around data security
  • Potential threats and vulnerabilities
  • Existing security mechanisms and best practices
  • How to secure NVMe data in flight and at rest
  • Ecosystem and market dynamics
  • Upcoming standards

For those of you who follow the many educational webcasts that the NSF hosts, you may have noticed that we are discussing the important topic of data security a lot. In fact, there is an entire Storage Networking Security Webcast Series that dives into protecting data at rest, protecting data in flight, encryption, key management, and more. You might find it useful to check out some of the sessions before our May 12th presentation.

Register today! We hope you will join us on May 12th. And please bring your questions. Our experts will be ready to answer them.
