Storage security

Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.

Introduction

According to the Storage Networking Industry Association (SNIA), storage security represents the convergence of the storage, networking, and security disciplines, technologies, and methodologies for the purpose of protecting and securing digital assets. [1] Historically, the focus has been on both the vendor aspects of making storage products more secure and the consumer aspects associated with using storage products in secure ways.

The SNIA Dictionary defines storage security as:

"Technical controls, which may include integrity, confidentiality and availability controls, that protect storage resources and data from unauthorized users and uses."

ISO/IEC 27040 provides the following more comprehensive definition for storage security:

"application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them"

Note 1 to entry: Storage security is focused on protecting data (and its storage infrastructure) against unauthorized disclosure, modification or destruction while assuring its availability to authorized users.

Note 2 to entry: These controls may be preventive, detective, corrective, deterrent, recovery or compensatory in nature.

Principles of Security Storage

Data sanitization is a practice in which storage media are destroyed on site. For instance, if a hard drive needs to be upgraded or replaced, it would be considered insecure to sell or recycle the drive, since traces of the data may still exist even after formatting. Therefore, destroying the drive rather than allowing it to leave the site is a common practice. [5]

Relevant standards and specifications

Applying security to storage systems and ecosystems requires one to have a good working knowledge of an assortment of standards and specifications, including, but not limited to:

Related Research Articles

Triple DES: Block cipher

In cryptography, Triple DES, officially the Triple Data Encryption Algorithm, is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The 56-bit key of the Data Encryption Standard (DES) is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power; Triple DES increases the effective security to 112 bits. A CVE released in 2016, CVE-2016-2183, disclosed a major security vulnerability in the DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of 3DES, led to NIST deprecating 3DES in 2019 and disallowing all uses by the end of 2023. It has been replaced with the more secure, more robust AES.

Block cipher mode of operation: Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.

Storage Networking Industry Association: Trade association formed to develop standards for storage area networks

The Storage Networking Industry Association (SNIA) is an American trade association, incorporated in December 1997. It is a registered 501(c)(6) non-profit organization. SNIA has more than 185 unique members, 2,000 active contributing members, and over 50,000 IT end users and storage professionals.

Remote database access (RDA) is a protocol standard for database access produced in 1993 by the International Organization for Standardization (ISO). Despite early efforts to develop proof of concept implementations of RDA for major commercial relational database management systems (RDBMSs), this standard has not found commercial support from database vendors. The standard has since been withdrawn, and replaced by ISO/IEC 9579:1999 - Information technology -- Remote Database Access for SQL, which has also been withdrawn, and replaced by ISO/IEC 9579:2000 Information technology -- Remote database access for SQL with security enhancement.

The InterNational Committee for Information Technology Standards (INCITS) is an ANSI-accredited standards development organization composed of information technology developers. It was formerly known as X3 and NCITS.

The Storage Management Initiative Specification, commonly called SMI-S, is a computer data storage management standard developed and maintained by the Storage Networking Industry Association (SNIA). It has also been ratified as an ISO standard. SMI-S is based upon the Common Information Model and the Web-Based Enterprise Management standards defined by the Distributed Management Task Force, which define management functionality via HTTP. The most recent approved version of SMI-S is available on the SNIA website.

Offset codebook mode is an authenticated encryption mode of operation for cryptographic block ciphers. OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the integrity-aware parallelizable mode (IAPM) of authenticated encryption by Charanjit S. Jutla. The OCB2 version was proven insecure, while the original OCB1 as well as OCB3 from 2011 are still considered secure.

Authenticated Encryption (AE) is an encryption scheme that simultaneously assures both the confidentiality and the authenticity of data. Examples of encryption modes that provide AE are GCM and CCM.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.
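The authenticity property that the AE and GCM summaries above describe is what lets a storage system detect a modified record rather than silently return corrupted data. The following Go program is an added example, not code from the original page or from any of the projects it mentions: it stores a record as nonce||ciphertext||tag under AES-GCM and shows that a single flipped bit on the medium makes decryption fail. The Vault type, the record layout and the demo key are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Vault struct{ aead cipher.AEAD }

// NewVault wraps a 16-, 24- or 32-byte key in an AES-GCM AEAD.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead}, nil
}

// Seal encrypts a record for storage as nonce||ciphertext||tag.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the GCM tag before returning plaintext; any change to the stored blob fails.
func (v *Vault) Open(blob []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n+v.aead.Overhead() {
		return nil, errors.New("stored blob too short to be a GCM record")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	v, _ := NewVault([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	blob, _ := v.Seal([]byte("customer-record-42"))
	blob[len(blob)/2] ^= 0x01 // simulate bit rot or tampering on the medium
	_, err := v.Open(blob)
	println("corrupted record rejected:", err != nil)
}
```

With an unauthenticated mode such as CTR the same bit flip would decrypt without error to a silently corrupted record, which is the gap AE closes for data at rest.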

The ISO/IEC 27000 family comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC JTC 1, entitled "Information technology", is a joint technical committee (JTC) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its purpose is to develop, maintain and promote standards in the fields of information and communications technology (ICT).

The following outline is provided as an overview of and topical guide to cryptography:

Mark A. Carlson was a software engineer known in the systems management industry for his work in management standards and technology. Mark was the first employee of a small startup in Boulder, Colorado called Redcape Policy Software. Sun Microsystems acquired the company and its technology in 1998 and subsequently promoted it as Jiro, a common management framework based on Java and Jini.

ISO/IEC 17826 Information technology — Cloud Data Management Interface (CDMI) Version 2.0.0 is an international standard that specifies a protocol for self-provisioning, administering and managing access to data stored in cloud storage, object storage, storage area network and network attached storage systems. The CDMI standard is developed and maintained by the Storage Networking Industry Association, which makes a publicly accessible version of the specification available.

ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is being developed by Subcommittee 27 (SC27) - IT Security techniques of the first Joint Technical Committee 1 of the ISO/IEC. A major element of SC27's program of work includes International Standards for information security management systems (ISMS), often referred to as the 'ISO/IEC 27000-series'.

The SNIA Emerald Program Power Efficiency Measurement Specification is a storage specification developed and maintained by the Storage Networking Industry Association (SNIA) and cross-referenced by the Environmental Protection Agency's Energy Star program. The specification consists of a storage types taxonomy, a system-under-test workload and energy measurement method, measured metrics for active and idle operational states, and presence tests for capacity optimization technologies. The measured metric data is generated through the use of well-defined standard testing and data reduction procedures prescribed in the SNIA Emerald Specification.

References

  1. Hibbard, Eric A.; Austin, Richard. "Storage Security Professional's Guide to Skills and Knowledge" (PDF). SNIA. www.snia.org/ssif. Retrieved 18 August 2014.
  2. "What Is Security Storage and How to Protect Your Data Storage". MiniTool. 7 August 2021. Retrieved 18 September 2022.
  3. "What Is Security Storage and How to Protect Your Data Storage". MiniTool. 7 August 2021. Retrieved 18 September 2022.
  4. "What Is Security Storage and How to Protect Your Data Storage". MiniTool. 7 August 2021. Retrieved 18 September 2022.
  5. "Secure sanitisation of storage media". National Cyber Security Centre.