Issues related to security have great importance in IT today. SNIA is participating in the creation of international standards with leading security-focused industry organizations. Here’s an update on recent activities from the SNIA Security Technical Work Group (TWG):
Transport Layer Security
- The SNIA Security TWG is keeping a keen eye on the TLS 1.3 landscape, which is starting to get interesting since the IETF approved RFC 8446 last August. TLS 1.3 is significantly different from previous versions and it is expected to have an impact on the mandatory elements for the SNIA TLS Specification for Storage and ISO/IEC 20648:2016, which are based on TLS 1.2. While TLS 1.2 is still valid and will be for some time, it is important to keep in mind that ISO standards like ISO/IEC 20648:2016 have a 5-year shelf life. SNIA plans to work on an update later this year so that a new specification is in place in 2021.
Storage Security ISO Standard
- The Security TWG completed its initial work on a potential refresh/update of the ISO/IEC 27040:2015 (Storage security) standard and submitted a recommendation to INCITS/CS1 (U.S. TAG to ISO/IEC JTC 1/SC 27) that included a proposal to subdivided it into at least 4 parts. The Security TWG also prepared 4 drafts and submitted along with the recommendation. SC 27/WG 4 accepted the U.S. recommendation at the April 2019 meeting in Israel and has initiated a Study Period on the revision of ISO/IEC 27040, which will leverage SNIA’s draft and consider a fast-track approval process (joint NWIP and CD ballots on each document). The Study Period will present it recommendation at the SC 27/WG 4 meeting in Paris in October 2019.
Electronic Discovery
- With the inclusion of the Security TWG’s text preservation, retention, and archive language from SNIA’s Data Protection technical white paper along with additional comments, ISO/IEC 27050-4 (Electronic discovery – Part 4: Technical readiness) has progressed to the Committee Draft (CD) stage. The Security TWG is now working with the 27050-4 editing team on specific text for the CD draft. This ISO/IEC 27050 standard targets both the legal and records management communities and Part 4 is very relevant to the storage industry.
Supply Chain Security
- The TWG is also seeing Supply Chain Security as a topic that will definitely come up in 2019. ISO/IEC JTC 1/SC 27 has initiated revision of three of the parts for the multi-part ISO/IEC 27036 (Supply chain security) standard and the SNIA TWG will be an active participant.
Security Techniques
- The TWG has been actively monitoring the ISO/IEC 27552 project (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines) in SC 27, which has been approved for publication (expected availability in late summer 2019). Given the focus of the Europeans, we are reasonably certain that this standard will serve as the basis for organization certification for privacy (e.g., for GDPR). Efforts are underway to help the storage industry understand what it is and how it could affect us.
Other areas that the TWG is actively tracking
- AI, big data, IoT, smart cities, blockchain, etc. anticipating that some or all of them could have an impact especially in the computational storage arena
- Fabric security as it relates to NVMe
To learn more, please consider joining the SNIA Security Technical Work Group, visit https://www.snia.org/technology-focus/data-security or contact the SNIA Technical Council Managing Director at tcmd@snia.org.