White Papers

The white papers shown here represent the kind of information IT professionals turn to the SSIF for: an introduction to storage security concepts, how to develop processes such as audit logging, and step-by-step checklists to implement initiatives like data encryption. Check back often as we update our white paper library. If you have a suggestion for a white paper, email ssif-info@snia.org.

Recently published papers:

Additional papers:

Introduction to Storage Security version 2.0 revised September 2009 

Many organizations face the challenge of implementing protection and data security measures to meet a wide range of requirements that lie beyond regulatory compliance. Security professionals daily face the challenge of securing the application, compute and network environment, while audit professionals are charged with verifying their success. Too often storage security has slipped under their radar because of limited familiarity with the technology. Storage managers and administrators may be confronting these issues and technologies for the first time. This whitepaper highlights the basics of identifying key business drivers for data security, describes threats and attacks, summarizes security concepts and relationships, and then describes what constitutes storage security.



Eric A. Hibbard, CISSP, ISSAP, ISSMP
Hitachi Data Systems

Richard Austin, CISSP
Independent Consultant


Audit Logging for Storage

Experts agree that audit log management is a critical element of any organization's risk management strategy. Audit log data (or just log data) can provide a complete record of access, activity, and configuration changes for applications, servers, and network devices. It can be used to alert management and administrators to unusual or suspicious network and system behavior. Additionally, log data can provide auditors with information required to validate security policy enforcement and proper segregation of duties. Lastly, IT staff can mine log data during root-cause analysis following a security incident; this is particularly important for the recovery and/or damage cleanup as well as the remediation activities. Considering all of these potential uses, audit log management not only assists in achieving corporate compliance, but also reduces the risk of legal exposure from security breaches and costly network downtime. This whitepaper discusses log management from a storage security perspective and provides specific information as it relates to storage resources and networks.


Authors include:

Eric A. Hibbard, CISSP, ISSAP, ISSMP
Hitachi Data Systems

Richard Austin


Larry Hofer


Encryption of Data at Rest - a Step by Step Checklist - revised September 2009


Public disclosures of data “indiscretions” have become regular enough and embarrassing enough that many organizations are exploring encryption options to simply stay out of the headlines. However, getting the most out of encryption involves much more than purchasing a device with encryption features and connecting it to an existing storage infrastructure. Existing management and control structures will need to evolve, information locations will need to change, and support is even required from the legal department! This paper defines a nine-step process that should be performed to effectively implement at-rest data encryption. While not all steps will be needed in all cases, they each merit consideration in every case. The steps are:

1. Understand Drivers

2. Classify the Data Assets

3. Inventory the Data Assets

4. Perform a Data Flow Analysis

5. Choose appropriate Points-of-Encryption

6. Design the Encryption Solution

7. Begin Data Re-Alignment

8. Implement the Encryption Solution

9. Activate Encryption



Eric A. Hibbard, CISSP, ISSAP, ISSMP
Hitachi Data Systems


Roger Cummings

Technical Director, Office of the CTO, Symantec Corporation