Standards Watch: Storage Security Update

The world of storage security standards continues to evolve. In fact, it can be hard to keep up with all that’s happening. Here’s a quick recap of SNIA’s involvement and impact on some notable storage security work – past, present and future.

The Storage Security ISO/IEC 27040 standard provides security techniques and detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. SNIA has been a key industry advocate of this standard by providing many of the concepts and best practices dating back to 2006. Recently, the SNIA Storage Security Technical Work Group (TWG) authored a series of white papers that explored a range of topics covered by the ISO/IEC 27040 standard. 

Read More

Security Watch

Issues related to security have great importance in IT today. SNIA is participating in the creation of international standards with leading security-focused industry organizations. Here’s an update on recent activities from the SNIA Security Technical Work Group (TWG):

Transport Layer Security

  • The SNIA Security TWG is keeping a keen eye on the TLS 1.3 landscape, which is starting to get interesting since the IETF approved RFC 8446 last August. TLS 1.3 is significantly different from previous versions and it is expected to have an impact on the mandatory elements for the SNIA TLS Specification for Storage and ISO/IEC 20648:2016, which are based on TLS 1.2. While TLS 1.2 is still valid and will be for some time, it is important to keep in mind that ISO standards like ISO/IEC 20648:2016 have a 5-year shelf life. SNIA plans to work on an update later this year so that a new specification is in place in 2021.

Read More

Security GDPR, SNIA and You

In April 2016, the European Union (EU) approved a new law called the General Data Protection Regulation (GDPR). This coming May 25th, however, is the start of enforcement, meaning that any out-of-compliance organization that does business in the EU could face large fines. Some companies are choosing to not conduct business in the EU as a result, including email services and online games.

The GDPR is applicable to any information classified as personal or that can be used to determine your identity, including your name, photo, email address, social media post, personal medical information, IP addresses, bank details and more. Read More

Data Security is an Integral Part of any Business Endeavor

In the wake of all the data breaches, privacy scandals, and cybercrime in the world these days, it can be worrisome if you’re responsible for keeping your company and customer data safe. Sure, there are standards to help you plan and implement policies and procedures around data security, like the ISO/IEC 27040:2015 document. It provides detailed technical guidance on how organizations can be consistent in their approach to plan, design, document and implement data storage security.

While the ISO/IEC 27040 standard is fairly thorough, there are some specific elements in the area of data protection — including data preservation, data authenticity, archival security and data disposition — that the ISO document doesn’t fully get into. The Storage Networking Industry Association (SNIA) Security Technical Working Group (TWG) has released a whitepaper that addresses these specific topics in data protection. One of a series of educational documents provided by the TWG, this one extends, builds on, and complements the ISO 27040 standard, while also suggesting best practices. Read More

Registration Now Open for Storage Developer Conference India – May 25-26 in Bangalore

For the third consecutive year, SNIA will present their highly successful Storage Developer Conference (SDC) in Bangalore, India, on May 25-26, 2017 at the My Fortune Hotel.  The 2017 agenda, developed under the supervision of the SNIA India agenda committee, leads off with a keynote by Indian Institute of Science Professor P. Vijay Kumar on Codes for Big Data:  Error-Correction for Distributed Storage, followed by Amar Tunballi, Engineering Manager at Red Hat, speaking on Software Defined Storage and Why It Will Continue To Be Relevant.  Thursday keynotes will feature Anand Ghatnekar, Country Read More

SNIA Activities in Security, Containers, and File Storage on Tap at Three Bay Area Events

SNIA will be out and about in February in San Francisco and Santa Clara, CA, focused on their security, container, and file storage activities.

February 14-17 2017, join SNIA in San Francisco at the RSA Conference in the OASIS Interop: KMIP & PKCS11 booth S2115. OASIS and SNIA member companies will be demonstrating OASIS Key Management Interoperability Protocol (KMIP) through live interoperability across all participants. SNIA representatives will be on hand in the booth to answer questions about the Storage Security Industry Forum KMIP Conformance Test Program, which enables organizations with KMIP implementations to validate the protocol conformance of those products and meet market requirements for secure, plug-and-play storage solutions. And Eric Hibbard, Chair of the SNIA Security Technical Work Group and CTO Security and Privacy, HDS Corporation, will participate in the “Can I Get a Witness? Technical Witness Bootcamp” session on February 17.

The following week, February 21-23, join SNIA at Container World in Santa Clara CA. Enabling access to memory is an important concern to container designers, and Arthur Sainio, SNIA NVDIMM Special Interest Group Co-Chair from SMART Modular, will speak on Boosting Performance of Data Intensive Applications via Persistent Memory. Integrating containers into legacy solutions will be a focus of a panel where Mark Carlson, SNIA Technical Council Co-Chair from Toshiba, will speak on Container Adoption Paths into Legacy Infrastructure. SNIA experts will be joined by other leaders in the container ecosystem like Docker, Twitter, ADP, Google, and Expedia . The SNIA booth will feature cloud infrastructure and storage discussions and a demonstration of a multi-vendor persistent memory solution featuring NVDIMM!  (P.S. – Are you new to containers? Get a head start on conference discussions by checking out a December 2016 SNIA blog on Containers, Docker, and Storage.)  

Closing out February, find SNIA at their booth at USENIX FAST from February 27-March 2 in Santa Clara, CA, where you can engage with SNIA Technical Council leaders on the latest activities in file and storage technologies.

We look forward to seeing you at one (or more) of these events!

 

Securing Fibre Channel Storage

by Eric Hibbard, SNIA Storage Security TWG Chair, and SNIA Storage Security TWG team members

Fibre Channel is often viewed as a specialized form of networking that lives within data centers and which neither has, or requires, special security protections. Neither of these assumptions is true, but finding the appropriate details to secure Fibre Channel infrastructure can be challenging.summit2

The ISO/IEC 27040:2015 Information technology – Security techniques – Storage Security standard provides detailed technical guidance in securing storage systems and ecosystems. However, while the coverage of this standard is quite broad, it lacks details for certain important topics.

ISO/IEC 27040:2015 addresses storage security risks and threats at a high level. This blog is written in the context of Fibre Channel. The following list is a summary of the major threats that may confront Fibre Channel implementations and deployments.

  1. Storage Theft: Theft of storage media or storage devices can be used to access data as well as to deny legitimate use of the data.
  2. Sniffing Storage Traffic: Storage traffic on dedicated storage networks or shared networks can be sniffed via passive network taps or traffic monitoring revealing data, metadata, and storage protocol signaling. If the sniffed traffic includes authentication details, it may be possible for the attacker to replay9 (retransmit) this information in an attempt to escalate the attack.
  3. Network Disruption: Regardless of the underlying network technology, any software or congestion disruption to the network between the user and the storage system can degrade or disable storage.
  4. WWN Spoofing: An attacker gains access to a storage system in order to access/modify/deny data or metadata.
  5. Storage Masquerading: An attacker inserts a rogue storage device in order to access/modify/deny data or metadata supplied by a host.
  6. Corruption of Data: Accidental or intentional corruption of data can occur when the wrong hosts gain access to storage.
  7. Rogue Switch: An attacker inserts a rogue switch in order to perform reconnaissance on the fabric (e.g., configurations, policies, security parameters, etc.) or facilitate other attacks.
  8. Denial of Service (DoS): An attacker can disrupt, block or slow down access to data in a variety of ways by flooding storage networks with error messages or other approaches in an attempt to overload specific systems within the network.

A core element of Fibre Channel security is the ANSI INCITS 496-2012, Information Technology – Fibre Channel – Security Protocols – 2 (FC-SP-2) standard, which defines protocols to authenticate Fibre Channel entities, set up session encryption keys, negotiate parameters to ensure frame-by-frame integrity and confidentiality, and define and distribute policies across a Fibre Channel fabric. It is also worth noting that FC-SP-2 includes compliance elements, which is somewhat unique for FC standards.

Fibre Channel fabrics may be deployed across multiple, distantly separated sites, which make it critical that security services be available to assure consistent configurations and proper access controls.

A new whitepaper, one in a series from SNIA that addresses various elements of storage security, is intended to leverage the guidance in the ISO/IEC 27040 standard and enhance it with a specific focus on Fibre Channel (FC) security.   To learn more about security and Fibre Channel, please visit www.snia.org/security and download the Storage Security: Fibre Channel Security whitepaper.

And mark your calendar for presentations and discussions on this important topic at the upcoming SNIA Data Storage Security Summit, September 22, 2016, at the Hyatt Regency Santa Clara CA. Registration is complimentary – go to www. http://www.snia.org/dss-summit for details on how you can attend and get involved in the conversation.

 

Podcasts Bring the Sounds of SNIA’s Storage Developer Conference to Your Car, Boat, Train, or Plane!

SNIA’s Storage Developer Conference (SDC) offers exactly what a developer of cloud, solid state, security, analytics, or big data applications is looking  for – rich technical content delivered in a no-vendor bias manner by today’s leading technologists.  The 2016 SDC agenda is being compiled, but now yousdc podcast pic can get a “sound bite” of what to expect by downloading  SDC podcasts via iTunes, or visiting the SDC Podcast site at http://www.snia.org/podcasts to download the accompanying slides and/or listen to the MP3 version.

Each podcast has been selected by the SNIA Technical Council from the 2015 SDC event, and include topics like:

  • Preparing Applications for Persistent Memory from Hewlett Packard Enterprise
  • Managing the Next Generation Memory Subsystem from Intel Corporation
  • NVDIMM Cookbook – a Soup to Nuts Primer on Using NVDIMMs to Improve Your Storage Performance from AgigA Tech and Smart Modular Systems
  • Standardizing Storage Intelligence and the Performance and Endurance Enhancements It Provides from Samsung Corporation
  • Object Drives, a New Architectural Partitioning from Toshiba Corporation
  • Shingled Magnetic Recording- the Next Generation of Storage Technology from HGST, a Western Digital Company
  • SMB 3.1.1 Update from Microsoft

Eight podcasts are now available, with new ones added each week all the way up to SDC 2016 which begins September 19 at the Hyatt Regency Santa Clara.  Keep checking the SDC Podcast website, and remember that registration is now open for the 2016 event at http://www.snia.org/events/storage-developer/registration.  The SDC conference agenda will be up soon at the home page of http://www.storagedeveloper.org.

Enjoy these great technical sessions, no matter where you may be!

Implementing Stored Data Encryption – Learn the Latest at SNIA Education Day at Storage Visions Conference

by Marty Foltyn

SNIA on Storage continues its preview of SNIA Tutorials at the Storage Visions Conference, a partner program of CES held on January 3-5, 2016 at the Luxor Hotel in Las Vegas.  “SNIA Education Day” is held on afternoon of the pre-conference day at Storage Visions – January 3, 2016 – and is designed to give attendees the opportunity to learn about important storage topics on depth with leading industry speakers.Education_continuum_new_resize

Five tutorials will be presented on the SNIA Education Day.  In the December 17th SNIA on Storage blog, we featured the  tutorial which examines the conflict between privacy and data protection as illustrated in the European Union, but really applicable worldwide. In the December 18 blog, we previewed the Practical Online Cache Analysis and Optimization tutorial. In the December 21 blog, we examined Massively Scalable File Storage – the Key to the Internet of Things. And in the December 22 blog, a tutorial in a new research area – Fog Computing – was explained.

Today we preview the final tutorial of the SNIA Education Day – Implementing Stored-Data Encryption, presented by Dr. Michael Willett of Bright Plaza.

Data security is top of mind for most businesses trying to respond to the constant barrage of news highlighting data theft, security breaches, and the resulting punitive costs. Combined with litigation risks, compliance issues and pending legislation, companies face a myriad of technologies and products that all claim to protect data-at-rest on storage devices. This SNIA Tutorial will answer the question “What is the right approach to encrypting stored data?”.

The Trusted Computing Group, with the active participation of the drive industry, has standardized on the technology for self-encrypting drives (SED): the encryption is implemented directly in the drive hardware and electronics. Mature SED products are now available from all the major drive companies, both HDD (rotating media) and SSD (solid state) and both laptops and data center. SEDs provide a low-cost, transparent, performance-optimized solution for stored-data encryption, but SEDs do not protect data in transit, upstream of the storage system.

For overall data protection, a layered encryption approach is advised. Sensitive data (eg, as identified by specific regulations: HIPAA, PCI DSS) may require encryption outside and upstream from storage, such as in selected applications or associated with database manipulations. This tutorial will examine a ‘pyramid’ approach to encryption: selected, sensitive data encrypted at the higher logical levels, with full data encryption for all stored data provided by SEDs.

SNIA Tutorial presenter Dr. Michael Willett serves as a consultant on the marketing of storage-based security and is currently working with the Bright Plaza executive team to promote the Drive Trust Alliance, whose mission is to promote adoption of SEDs in the marketplace. Dr. Willett received a Bachelor of Science degree from the US Air Force Academy (Top Secret clearance) and a Masters and PhD in mathematics from NC State University. After a career as a university professor of mathematics and computer science, Dr. Willett joined IBM as a design architect, moving into IBM’s Cryptography Competency Center. Later, Dr. Willett joined Fiderus, a security and privacy consulting practice, subsequently accepting a position with Wave Systems. Recently, Dr. Willett was a Senior Director at Seagate Research, focusing on security functionality on hard drives, including self-encryption, related standardization, product rollout, patent development, and partner liaison.  Dr. Willett also chaired the OASIS Privacy Management Reference Model Technical Committee (PMRM TC), which has developed an operational reference model for implementing privacy requirements. Most recently, Dr. Willett worked with Samsung as a storage security strategist, helping to define their self-encryption strategy across Samsung’s portfolio of storage products.

SNIA is a proud sponsor of the Storage Visions Conference, a partner program of the Consumer Electronics Show (CES).  Storage Visions, held in Las Vegas right before CES on January 3-5, 2016, is the place to explore the latest information on the rapidly evolving technology of digital storage and how it impacts consumer electronics, the internet of things, and storage in the cloud. If you have not registered for Storage Visions, head over to http://www.storagevisions.com for the conference preview.  Take $100 off your registration with the link:  https://sv2016.eventbrite.com/?discount=onehundredoff_67349921

Security is Strategic to Storage Developers – and a Prime Focus at SDC and SNIA Data Storage Security Summit

Posted by Marty Foltyn

Security is critical in the storage development process – and a prime focus of sessions at the SNIA Storage Developer Conference AND the co-located SNIA Data Storage Security Summit on Thursday September 24. Admission to the Summit is complimentary – register here at http://www.snia.org/dss-summit.DataStorageSecuritySummitlogo200x199[1]

The Summit agenda is packed with luminaries in the field of storage security, including keynotes from Eric Hibbard (SNIA Security Technical Work Group and Hitachi), Robert Thibadeau (Bright Plaza), Tony Cox (SNIA Storage Security Industry Forum and OASIS KMIP Technical Committee), Suzanne Widup (Verizon), Justin Corlett (Cryptsoft), and Steven Teppler (TimeCertain); and afternoon breakouts from Radia Perlman (EMC); Liz Townsend (Townsend Security); Bob Guimarin (Fornetix); and David Siles (Data Gravity). Roundtables will discuss current issues and future trends in storage security. Don’t miss this exciting event!

SDC’s “Security” sessions highlight security issues and strategies for mobile, cloud, user identity, attack prevention, key management, and encryption. Preview sessions here, and click on the title to find more details.SDC15_WebHeader3_999x188

Geoff Gentry, Regional Director, Independent Security Evaluators Hackers, will present Attack Anatomy and Security Trends, offering practical experience from implementing the OASIS Key Management Interoperability Protocol (KMIP) and from deploying and interoperability testing multiple vendor implementations of KMIP .

David Slik, Technical Director, Object Storage, NetApp will discuss Mobile and Secure: Cloud Encrypted Objects Using CDMI, introducing the Cloud Encrypted Object Extension to the CDMI standard, which permits encrypted objects to be stored, retrieved, and transferred between clouds.

Dean Hildebrand, IBM Master Inventor and Manager | Cloud Storage Software and Sasikanth Eda, Software Engineer, IBM will present OpenStack Swift On File: User Identity For Cross Protocol Access Demystified. This session will detail the various issues and nuances associated with having common ID management across Swift object access and file access ,and present an approach to solve them without changes in core Swift code by leveraging powerful SWIFT middleware framework.

Tim Hudson, CTO and Technical Director, Cryptsoft will discuss Multi-Vendor Key Management with KMIP, offering practical experience from implementing the OASIS Key Management Interoperability Protocol (KMIP) and from deploying and interoperability testing multiple vendor implementations of KMIP .

Nathaniel McCallum, Senior Software Engineer, Red Hat will present Network Bound Encryption for Data-at-Rest Protection, describing Petera, an open source project which implements a new technique for binding encryption keys to a network.

Finally, check out SNIA on Storage previous blog entries on File Systems, Cloud, Management, New Thinking, and Disruptive Technologies. See the agenda and register now for SDC at http://www.storagedeveloper.org.