Truly understanding storage security issues is no small task, but the SNIA Networking Storage Forum (NSF) is taking that task on in our Storage Networking Security Webcast Series. Earlier this month, we hosted the first in this series, “Understanding Storage Security and Threats” where my SNIA colleagues and I examined the big picture of storage security, relevant terminology and key concepts. If you missed the live event, you can watch it on-demand. Our audience asked some great questions during the live event. Here are answers to them all. Q. If I just deploy self-encrypting drives, doesn’t that take care of all my security concerns?   A. No it does not. Self-encrypted drives can protect if the drive gets misplaced or stolen, but they don’t protect if the operating system or application that accesses data on those drives is compromised. Q. What does “zero trust” mean? A. “Zero Trust” is a security model that works on the principal that organizations should not automatically trust anything inside their network (typically inside the firewalls). In fact they should not automatically trust any group of users, applications, or servers. Instead, all access should be authenticated and verified. What this typically means is granting the least amount of privileges and access needed based on who is asking for access, the context of the request, and the risk associated.  Q. What does white hat vs. black hat mean?  A. In the world of hackers, a “black hat” is a malicious actor that actually wants to steal your data or compromise your system for their own purposes. A “white hat” is an ethical (or reformed) hacker that attempts to compromise your security systems with your permission, in order to verify its security or find vulnerabilities so you can fix them. There are entire companies and industry groups that make looking for security vulnerabilities a full-time job. Q. Do I need to hire someone to try to hack into my systems to see if they are secure? A. To achieve the highest levels of information security, it is often helpful to hire a “white hat” hacker to scan your systems and try to break into them. Some organizations are required–by regulation–to do this periodically to verify the security of their systems. This is sometimes referred to as “penetration testing” or “ethical hacking” and can include physical as well as electronic testing of an infrastructure or even directing suspicious calls and emails to employees to test their security training. All known IT security vulnerabilities are eventually documented and published. You might have your own dedicated security team that regularly tests your operating systems, applications and network for known vulnerabilities and performs penetration testing, or you can hire independent 3^rd parties to do this. Some security companies sell tools you can use to test your network and systems for known security vulnerabilities. Q. Can you go over the difference between authorization and authentication again? A. Authorization is a mechanism for verifying that a person or application has the authority to perform certain actions or access specific data. Authentication is a mechanism or process for verifying a person is who he or she claims to be. For example, use of passwords, secure tokens/badges, or fingerprint/iris scans upon login (or physical entry) can authenticate who a person is. After login or entry, the use of access control lists, color coded badges, or permissions tables can determine what that person is authorized to do. Q. Can you explain what non-repudiation means, and how you can implement it? A. Non-repudiation is a method or technology that guarantees the accuracy or authenticity of information or an action, preventing it from being repudiated (successfully disputed or challenged). For example, a hash could ensure that a retrieved file is authentic, or a combination of biometric authentication with an audit log could prove that a particular person was the one who logged into a system or accessed a file. Q. Why would an attacker want to infiltrate data into a data center, as opposed to exfiltrating (stealing) data out of the data center? A. Usually malicious actors (hackers) want to exfiltrate (remove) valuable data. But sometimes they want to infiltrate (insert) malware into the target’s data center so this malware can carry out other attacks. Q. What is ransomware, and how does it work?  A. Ransomware typically encrypts, hides or blocks access to an organization’s critical data, then the malicious actor who sent it demands payment or action from the organization in return for sharing the password that will unlock the ransomed data. Q. Can you suggest some ways to track and report attacking resources? A. Continuous monitoring tools such as Splunk can be used. Q. Does “trust nobody” mean, don’t trust root/admin user as well? A. Trust nobody means there should be no presumption of trust, instead we should authenticate and authorize all users/requests. For example, it could mean changing the default root/admin password, requiring most administrative work to use specific accounts (instead of the root/admin account), and monitoring all users (including root/admin) to detect inappropriate behavior. Q. How do I determine my greatest vulnerability or the weakest link in my security? A. Activities such as Threat Models and Security Assessments can assist in determining weakest links. Q. What does a ‘trust boundary’ mean? A. Trust boundary is a boundary where program data or execution changes its level of “trust”. For example, Internet vs intranet. We are busy planning out the rest of this webcast series. Please follow us Twitter @SNIANSF for notifications of dates and times for each presentation.                          

This series of webcasts, hosted by the SNIA Networking Storage Forum, is going to tackle an ambitious project – the scope of securing data, namely storage systems and storage networks. Obviously, many of the concepts and realities contained in this series are going to be broadly applicable to all kinds of data protection, but there are some aspects of security that have a unique impact on storage, storage systems, and storage networks. Because of the fact that security is a holistic concern, there has to be more than "naming the parts." It's important to understand how the pieces fit together, because it's where those joints exist that many of the threats become real. Understanding Storage Security and Threats This presentation is going to go into the broad introduction of security principles in general. This will include some of the main aspects of security, including defining the terms that you must know, if you hope to have a good grasp of what makes something secure or not. We'll be talking about the scope of security, including threats, vulnerabilities, and attacks – and what that means in real storage terms. Securing the Data at Rest When you look at the holistic concept of security, one of the most obvious places to start are the threats to the physical realm. Among the topics here, we will include: ransomware, physical security, self-encrypting drives, and other aspects of how data and media are secured at the hardware level. In particular, we'll be focusing on the systems and mechanisms of securing the data, and even touch on some of the requirements that are being placed on the industry by government security recommendations. Storage Encryption This is a subject so important that it deserves its own specific session. It is a fundamental element that affects hardware, software, data-in-flight, data-at-rest, and regulations. In this session, we're going to be laying down the taxonomy of what encryption is (and isn't), how it works, what the trade-offs are, and how storage professionals choose between the different options for their particular needs. This session is the "deep dive" that explains what goes on underneath the covers when encryption is used for data in flight or at rest. Key Management In order to effectively use cryptography to protect information, one has to ensure that the associated cryptographic keys are also protected.   Attention must be paid to how cryptographic keys are generated, distributed, used, stored, replaced and destroyed in order to ensure that the security of cryptographic implementations are not compromised. This webinar will introduce the fundamentals of cryptographic key management including key lifecycles, key generation, key distribution, symmetric vs asymmetric key management and integrated vs centralized key management models. Relevant standards, protocols and industry best practices will also be presented. Securing Data in Flight Getting from here to there, securely and safely. Whether it's you in a car, plane, or train – or your data going across a network, it's critical to make sure that you get there in one piece. Just like you, your data must be safe and sound as it makes its journey. This webcast is going to talk about the threats to your data as it's transmitted, how interference happens along the way, and the methods of protecting that data when this happens. Securing the Protocol Different storage networks have different means for creating security beyond just encrypting the wire. We'll be discussing some of the particular threats to storage that are specific to attacking the vulnerabilities to data-in-flight. Here we will be discussing various security features of Ethernet and Fibre Channel, in particular, secure data in flight at the protocol level, including (but not limited to): MACSec, IPSec, and FC-SP2. Security Regulations It's impossible to discuss storage security without examining the repercussions at the regulatory level. In this webcast, we're going to take a look at some of the common regulatory requirements that require specific storage security configurations, and what those rules mean in a practical sense. In other words, how do you turn those requirements into practical reality? GDPR, the California Consumer Privacy Act (CCPA), other individual US States' laws – all of these require more than just ticking a checkbox. What do these things mean in terms of applying them to storage and storage networking? Securing the System: Hardening Methods "Hardening" is something that you do to an implementation, which means understanding how all of the pieces fit together. We'll be talking about different methods and mechanisms for creating secure end-to-end implementations. Topics such as PCI compliance, operating system hardening, and others will be included. Obviously, storage security is a huge subject. This ambitious project certainly doesn't end here, and there will always be additional topics to cover. For now, however, we want to provide you with the industry's best experts in storage and security to help you navigate the labyrinthian maze of rules and technology... in plain English. Please join us and register for the first webcast in the series, Understanding Storage Security and Threats on October 8th.

This series of webcasts, hosted by the SNIA Networking Storage Forum, is going to tackle an ambitious project – the scope of securing data, namely storage systems and storage networks. Obviously, many of the concepts and realities contained in this series are going to be broadly applicable to all kinds of data protection, but there are some aspects of security that have a unique impact on storage, storage systems, and storage networks. Because of the fact that security is a holistic concern, there has to be more than “naming the parts.” It’s important to understand how the pieces fit together, because it’s where those joints exist that many of the threats become real. Understanding Storage Security and Threats This presentation is going to go into the broad introduction of security principles in general. This will include some of the main aspects of security, including defining the terms that you must know, if you hope to have a good grasp of what makes something secure or not. We’ll be talking about the scope of security, including threats, vulnerabilities, and attacks – and what that means in real storage terms. Storage Encryption This is a subject so vast that it deserves its own specific session. It is a foundational element that affects hardware, software, data-in-flight, data-at-rest, and regulations. In this session, we’re going to be laying down the taxonomy of what encryption is (and isn’t), how it works, what the trade-offs are, and how storage professionals choose between the different options for their particular needs. This session will also lay the groundwork for future webcasts (especially Securing the Data and Storage Regulations). Securing the Data and the Media When you look at the holistic concept of security, one of the most obvious places to start are the threats to the physical realm. Among the topics here, we will include “Data Encryption at Rest,” physical security, self-encrypting drives, and other aspects of how data and media are secured at the hardware level. Securing the Protocol Different storage networks have different means for creating security beyond just encrypting the wire. We’ll be discussing some of the particular threats to storage that are specific to attacking the vulnerabilities to data-in-flight. Here we will be discussing various security features of Ethernet and Fibre Channel, in particular, secure data in flight at the protocol level, including (but not limited to): MACSec, IPSec, and FC-SP2. Security Regulations It’s impossible to discuss storage security without examining the repercussions at the regulatory level. In this webinar, we’re going to take a look at some of the common regulatory requirements that require specific storage security configurations, and what those rules mean in a practical sense. In other words, how do you turn those requirements into practical reality? GDPR, the California Consumer Privacy Act (CCPA), other individual US States’ laws – all of these require more than just ticking a checkbox. What do these things mean in terms of applying them to storage and storage networking? Securing the System: Hardening Methods “Hardening” is something that you do to an implementation, which means understanding how all of the pieces fit together. We’ll be talking about different methods and mechanisms for creating secure end-to-end implementations. Topics such as PCI compliance, operating system hardening, and others will be included. Obviously, storage and security is a huge subject. This ambitious project certainly doesn’t end here, and there will always be additional topics to cover. For now, however, we want to provide you with the industry’s best experts in storage and security to help you navigate the labyrinthian maze of rules and technology… in plain English. Please join us and register for the first webcast in the series, Understanding Storage Security and Threats on October 8th.

Issues related to security have great importance in IT today. SNIA is participating in the creation of international standards with leading security-focused industry organizations. Here’s an update on recent activities from the SNIA Security Technical Work Group (TWG): Transport Layer Security

• The SNIA Security TWG is keeping a keen eye on the TLS 1.3 landscape, which is starting to get interesting since the IETF approved RFC 8446 last August. TLS 1.3 is significantly different from previous versions and it is expected to have an impact on the mandatory elements for the SNIA TLS Specification for Storage and ISO/IEC 20648:2016, which are based on TLS 1.2. While TLS 1.2 is still valid and will be for some time, it is important to keep in mind that ISO standards like ISO/IEC 20648:2016 have a 5-year shelf life. SNIA plans to work on an update later this year so that a new specification is in place in 2021.

Storage Security ISO Standard

• The Security TWG completed its initial work on a potential refresh/update of the ISO/IEC 27040:2015 (Storage security) standard and submitted a recommendation to INCITS/CS1 (U.S. TAG to ISO/IEC JTC 1/SC 27) that included a proposal to subdivided it into at least 4 parts. The Security TWG also prepared 4 drafts and submitted along with the recommendation. SC 27/WG 4 accepted the U.S. recommendation at the April 2019 meeting in Israel and has initiated a Study Period on the revision of ISO/IEC 27040, which will leverage SNIA's draft and consider a fast-track approval process (joint NWIP and CD ballots on each document). The Study Period will present it recommendation at the SC 27/WG 4 meeting in Paris in October 2019.

Electronic Discovery

• With the inclusion of the Security TWG's text preservation, retention, and archive language from SNIA’s Data Protection technical white paper along with additional comments, ISO/IEC 27050-4 (Electronic discovery – Part 4: Technical readiness) has progressed to the Committee Draft (CD) stage. The Security TWG is now working with the 27050-4 editing team on specific text for the CD draft. This ISO/IEC 27050 standard targets both the legal and records management communities and Part 4 is very relevant to the storage industry.

Supply Chain Security

• The TWG is also seeing Supply Chain Security as a topic that will definitely come up in 2019. ISO/IEC JTC 1/SC 27 has initiated revision of three of the parts for the multi-part ISO/IEC 27036 (Supply chain security) standard and the SNIA TWG will be an active participant.

Security Techniques

• The TWG has been actively monitoring the ISO/IEC 27552 project (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines) in SC 27, which has been approved for publication (expected availability in late summer 2019). Given the focus of the Europeans, we are reasonably certain that this standard will serve as the basis for organization certification for privacy (e.g., for GDPR). Efforts are underway to help the storage industry understand what it is and how it could affect us.

Other areas that the TWG is actively tracking

• AI, big data, IoT, smart cities, blockchain, etc. anticipating that some or all of them could have an impact especially in the computational storage arena
• Fabric security as it relates to NVMe

To learn more, please consider joining the SNIA Security Technical Work Group, visit https://www.snia.org/technology-focus/data-security or contact the SNIA Technical Council Managing Director at tcmd@snia.org.

In April 2016, the European Union (EU) approved a new law called the General Data Protection Regulation (GDPR). This coming May 25th, however, is the start of enforcement, meaning that any out-of-compliance organization that does business in the EU could face large fines. Some companies are choosing to not conduct business in the EU as a result, including email services and online games. The GDPR is applicable to any information classified as personal or that can be used to determine your identity, including your name, photo, email address, social media post, personal medical information, IP addresses, bank details and more. There are many key changes in the new regulations (they were revised from a 1995 EU directive). Companies must now get the consent of their customers to collect and/or use their data, and must do so in an understandable way. It must also be easy for customers to revoke their consent. If there is a data breach, companies must notify their customers within 72 hours of the discovery of such a breach. Consumers now have the right to access and obtain a copy of all their personal data, and they must also be able to request their data be expunged from the company's databases, called “the right to be forgotten.” Customer data must also be portable, in that their personal data must be given back to them in a “commonly used and machine-readable format” so they can send that data to a different company. Overall, the new GDPR requires that when designing new systems, privacy must be built into the design from the start, and not added later. SNIA has been tracking the requirements of the GDPR for a while now, and can provide a host of helpful content to introduce the GDPR and explain key elements that are relevant to storage ecosystems. The organization’s latest applicable document, Storage Security Data Protection Technical White Paper, was just released this past March and contains information on ISO/IEC 27040 (Storage security) and is also relevant to protecting your customer’s data. There’s also a slide deck available that relates directly to the issue of Privacy vs Data Protection and the impact of the new legislation on companies who wish to be compliant. SNIA has another set of informational slides, as presented originally by Eric Hibbard, that help explain the difference between Data Protection and Privacy, as well, and how it relates to the new GDPR requirements. Even more specifically, SNIA members Thomas Rivera, Katie Dix Elsner and Eric Hibbard presented a webcast titled: “GDPR & The Role of the DPO (Data Protection Officer).” In addition to these specific products, SNIA offers a wide range of white papers, tutorials, articles and other resources to help you make sure you and your company is ready for GDPR on May 25th.  

In the wake of all the data breaches, privacy scandals, and cybercrime in the world these days, it can be worrisome if you’re responsible for keeping your company and customer data safe. Sure, there are standards to help you plan and implement policies and procedures around data security, like the ISO/IEC 27040:2015 document. It provides detailed technical guidance on how organizations can be consistent in their approach to plan, design, document and implement data storage security. While the ISO/IEC 27040 standard is fairly thorough, there are some specific elements in the area of data protection — including data preservation, data authenticity, archival security and data disposition — that the ISO document doesn’t fully get into. The Storage Networking Industry Association (SNIA) Security Technical Working Group (TWG) has released a whitepaper that addresses these specific topics in data protection. One of a series of educational documents provided by the TWG, this one extends, builds on, and complements the ISO 27040 standard, while also suggesting best practices.

SNIA’s Technical Work Group Activity for 2018

Data protection is an essential element of storage security, with many nuanced issues to work through. Data must be stored, it must be kept private, and clear decisions must be made about who needs access to the data, where that data resides, what types of devices and data exist in the system, how data is recovered during disasters or regular operations, and what best practice technologies should be in place in your organization. The SNIA’s new technical whitepaper addresses these issues in depth in order to raise awareness of data protection and help educate those in the storage security business (and most companies are, these days). The document also highlights relevant data protection guidance from ISO/IEC27040 so that you can get a complete picture of the things you need to do to keep your data secure. Data security is an integral part of any business endeavor; making sure that your organization has considered and implemented as many best practices in the area of data security as possible is made easier by this current publication, which comes from (and also benefits) SNIA’s own members of the storage security technical working group. For more information about the work of SNIA’s storage security group, visit: www.snia.org/security. Click here to download the complete Storage Security: Data Protection white paper. .

by Eric Hibbard, SNIA Storage Security TWG Chair, and SNIA Storage Security TWG team members Fibre Channel is often viewed as a specialized form of networking that lives within data centers and which neither has, or requires, special security protections. Neither of these assumptions is true, but finding the appropriate details to secure Fibre Channel infrastructure can be challenging. The ISO/IEC 27040:2015 Information technology - Security techniques - Storage Security standard provides detailed technical guidance in securing storage systems and ecosystems. However, while the coverage of this standard is quite broad, it lacks details for certain important topics. ISO/IEC 27040:2015 addresses storage security risks and threats at a high level. This blog is written in the context of Fibre Channel. The following list is a summary of the major threats that may confront Fibre Channel implementations and deployments.

1. Storage Theft: Theft of storage media or storage devices can be used to access data as well as to deny legitimate use of the data.
2. Sniffing Storage Traffic: Storage traffic on dedicated storage networks or shared networks can be sniffed via passive network taps or traffic monitoring revealing data, metadata, and storage protocol signaling. If the sniffed traffic includes authentication details, it may be possible for the attacker to replay9 (retransmit) this information in an attempt to escalate the attack.
3. Network Disruption: Regardless of the underlying network technology, any software or congestion disruption to the network between the user and the storage system can degrade or disable storage.
4. WWN Spoofing: An attacker gains access to a storage system in order to access/modify/deny data or metadata.
5. Storage Masquerading: An attacker inserts a rogue storage device in order to access/modify/deny data or metadata supplied by a host.
6. Corruption of Data: Accidental or intentional corruption of data can occur when the wrong hosts gain access to storage.
7. Rogue Switch: An attacker inserts a rogue switch in order to perform reconnaissance on the fabric (e.g., configurations, policies, security parameters, etc.) or facilitate other attacks.
8. Denial of Service (DoS): An attacker can disrupt, block or slow down access to data in a variety of ways by flooding storage networks with error messages or other approaches in an attempt to overload specific systems within the network.

A core element of Fibre Channel security is the ANSI INCITS 496-2012, Information Technology - Fibre Channel - Security Protocols - 2 (FC-SP-2) standard, which defines protocols to authenticate Fibre Channel entities, set up session encryption keys, negotiate parameters to ensure frame-by-frame integrity and confidentiality, and define and distribute policies across a Fibre Channel fabric. It is also worth noting that FC-SP-2 includes compliance elements, which is somewhat unique for FC standards. Fibre Channel fabrics may be deployed across multiple, distantly separated sites, which make it critical that security services be available to assure consistent configurations and proper access controls.

A new whitepaper, one in a series from SNIA that addresses various elements of storage security, is intended to leverage the guidance in the ISO/IEC 27040 standard and enhance it with a specific focus on Fibre Channel (FC) security.   To learn more about security and Fibre Channel, please visit www.snia.org/security and download the Storage Security: Fibre Channel Security whitepaper.

And mark your calendar for presentations and discussions on this important topic at the upcoming SNIA Data Storage Security Summit, September 22, 2016, at the Hyatt Regency Santa Clara CA. Registration is complimentary - go to www. http://www.snia.org/dss-summit for details on how you can attend and get involved in the conversation.  

Posted by Marty Foltyn Security is critical in the storage development process - and a prime focus of sessions at the SNIA Storage Developer Conference AND the co-located SNIA Data Storage Security Summit on Thursday September 24. Admission to the Summit is complimentary - register here at http://www.snia.org/dss-summit. The Summit agenda is packed with luminaries in the field of storage security, including keynotes from Eric Hibbard (SNIA Security Technical Work Group and Hitachi), Robert Thibadeau (Bright Plaza), Tony Cox (SNIA Storage Security Industry Forum and OASIS KMIP Technical Committee), Suzanne Widup (Verizon), Justin Corlett (Cryptsoft), and Steven Teppler (TimeCertain); and afternoon breakouts from Radia Perlman (EMC); Liz Townsend (Townsend Security); Bob Guimarin (Fornetix); and David Siles (Data Gravity). Roundtables will discuss current issues and future trends in storage security. Don't miss this exciting event! SDC's "Security" sessions highlight security issues and strategies for mobile, cloud, user identity, attack prevention, key management, and encryption. Preview sessions here, and click on the title to find more details. Geoff Gentry, Regional Director, Independent Security Evaluators Hackers, will present Attack Anatomy and Security Trends, offering practical experience from implementing the OASIS Key Management Interoperability Protocol (KMIP) and from deploying and interoperability testing multiple vendor implementations of KMIP . David Slik, Technical Director, Object Storage, NetApp will discuss Mobile and Secure: Cloud Encrypted Objects Using CDMI, introducing the Cloud Encrypted Object Extension to the CDMI standard, which permits encrypted objects to be stored, retrieved, and transferred between clouds. Dean Hildebrand, IBM Master Inventor and Manager | Cloud Storage Software and Sasikanth Eda, Software Engineer, IBM will present OpenStack Swift On File: User Identity For Cross Protocol Access Demystified. This session will detail the various issues and nuances associated with having common ID management across Swift object access and file access ,and present an approach to solve them without changes in core Swift code by leveraging powerful SWIFT middleware framework. Tim Hudson, CTO and Technical Director, Cryptsoft will discuss Multi-Vendor Key Management with KMIP, offering practical experience from implementing the OASIS Key Management Interoperability Protocol (KMIP) and from deploying and interoperability testing multiple vendor implementations of KMIP . Nathaniel McCallum, Senior Software Engineer, Red Hat will present Network Bound Encryption for Data-at-Rest Protection, describing Petera, an open source project which implements a new technique for binding encryption keys to a network. Finally, check out SNIA on Storage previous blog entries on File Systems, Cloud, Management, New Thinking, and Disruptive Technologies. See the agenda and register now for SDC at http://www.storagedeveloper.org.