Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.
According to the Storage Networking Industry Association (SNIA), storage security represents the convergence of the storage, networking, and security disciplines, technologies, and methodologies for the purpose of protecting and securing digital assets.[1] Historically, the focus has been on both the vendor aspects of making storage products more secure and the consumer aspects associated with using storage products in secure ways.
Technical controls, which may include integrity, confidentiality and availability controls, that protect storage resources and data from unauthorized users and uses.
ISO/IEC 27040 provides the following more comprehensive definition for storage security:
application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them
Note 1 to entry: Storage security is focused on protecting data (and its storage infrastructure) against unauthorized disclosure, modification or destruction while assuring its availability to authorized users.
Note 2 to entry: These controls may be preventive, detective, corrective, deterrent, recovery or compensatory in nature.
Principles of Security Storage
Confidentiality: Only authorized users will have access to the data, locally or through a network.[3]
Availability: Manage and minimize the risk of inaccessibility due to deliberate destruction or accidents such as natural disasters, mechanical failures and power failures.[4]
Data sanitization is a practice in which storage media are destroyed on-site. For instance, if a hard drive needs to be upgraded or replaced, it would be considered insecure to sell or recycle the drive, since traces of the data may still exist even after formatting. Therefore, destroying the drive rather than allowing it to leave the site is a common practice.[5]
Relevant standards and specifications
Applying security to storage systems and ecosystems requires one to have a good working knowledge of an assortment of standards and specifications, including, but not limited to:
ISO Guide 73:2009, Risk management — Vocabulary
ISO 7498-2:1989, Information technology — Open Systems Interconnection — Basic Reference Model — Part 2: Security Architecture
ISO 16609:2004, Banking — Requirements for message authentication using symmetric techniques
ISO/PAS 22399:2007, Societal security — Guideline for incident preparedness and operational continuity management
ISO/IEC 10116:2006, Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO/TR 10255:2009, Document management applications — Optical disk storage technology, management and standards
ISO/TR 18492:2005, Long-term preservation of electronic document-based information
ISO 16175-1:2010, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 1: Overview and statement of principles
ISO 16175-2:2011, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 2: Guidelines and functional requirements for digital records management systems
ISO 16175-3:2010, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 3: Guidelines and functional requirements for records in business systems
ISO/IEC 17826:2012, Information technology — Cloud Data Management Interface (CDMI)
ISO/IEC 19790:2006, Information technology — Security techniques — Security requirements for cryptographic modules
ISO/IEC 24759:2008, Information technology — Security techniques — Test requirements for cryptographic modules
ISO/IEC 24775, Information technology — Storage management (to be published)
ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
ISO/IEC 27003:2010, Information technology — Security techniques — Information security management systems implementation guidance
ISO/IEC 27005:2008, Information technology — Security techniques — Information security risk management
ISO/IEC 27031:2011, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27033-1:2009, Information technology — Security techniques — Network security — Part 1: Overview and concepts
ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security
ISO/IEC 27033-3:2010, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
ISO/IEC 27033-4:2014, Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
ISO/IEC 27037:2012, Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence
ISO/IEC/IEEE 24765-2010, Systems and software engineering — Vocabulary
IEEE 1619-2007, IEEE Standard for Wide-Block Encryption for Shared Storage Media
IEEE 1619.1-2007, IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices
IEEE 1619.2-2010, IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
IETF RFC 1813 NFS Version 3 Protocol Specification
IETF RFC 3195 Reliable Delivery for syslog
IETF RFC 3530 Network File System (NFS) version 4 Protocol
IETF RFC 3720 Internet Small Computer Systems Interface (iSCSI)
IETF RFC 3723 Securing Block Storage Protocols over IP
IETF RFC 3821 Fibre Channel Over TCP/IP (FCIP)
IETF RFC 4303 IP Encapsulating Security Payload (ESP)
IETF RFC 4595 Use of IKEv2 in the Fibre Channel Security Association Management Protocol
IETF RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2
IETF RFC 5424 The Syslog Protocol
IETF RFC 5425 TLS Transport Mapping for Syslog
IETF RFC 5426 Transmission of Syslog Messages over UDP
IETF RFC 5427 Textual Conventions for Syslog Management
IETF RFC 5661 Network File System (NFS) Version 4 Minor Version 1 Protocol
This page is based on this Wikipedia article. Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.