kras99 - stock.adobe.com
The security controls and capabilities within storage systems and ecosystems have not changed significantly for a few years. This is not surprising as the perception of likely threats has remained relatively constant.
Data-at-rest encryption, secured storage management and storage sanitization are commonly available and in use. However, recent events are causing organizations to reevaluate their storage security postures.
The cyber threat landscape is witnessing large numbers of ransomware attacks and increased nation state activities directed at critical infrastructure. The regulatory landscape is also changing and potentially imposing requirements that necessitate adjustments to security capabilities, controls and practices to reflect new realities. For storage, this translates into increased interest in having storage serve as a possible last line of defense or, at the very least, not having storage be a weak link in an organization's defenses.
For storage security, these are interesting times because developments are underway on multiple fronts. By the end of the first quarter of 2023, there will be significant changes to security standards and specifications relevant to storage. New technologies could increase the storage security options. Lastly, new practices and deployment strategies could add further data protections.
Standards affecting storage security
ISO/IEC JTC 1/SC 27 (Information security, cybersecurity and privacy protection) is in the middle of a major update to the ISO 27000 series of standards that started with a complete rewrite of ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection -- Information security controls), published in February 2022.
This rewrite of ISO/IEC 27002 necessitated updates to ISO/IEC 27001 (Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements). A new edition is anticipated to be published by mid-November 2022.
ISO/IEC 27001 serves as the basis for Information Security Management System certification of organizations and this new edition will affect existing certifications. The new ISO/IEC 27002 standard includes controls that are relevant to storage systems and ecosystems and includes references to the ISO/IEC 27040 storage security standard. As a result, auditors will more likely take note of storage security issues.
Speaking of ISO/IEC 27040 (Information technology -- Security techniques -- Storage security), SC 27 has almost completed a major revision of this standard, which was originally published in January 2015. This update, which may happen in early 2023, includes requirements as opposed to just guidance.
It includes numerous technology updates -- such as NVMe, Intelligent Platform Management Interface and cryptography -- expansion of previous guidance, updates to storage sanitization and a revised structure that mirrors and builds upon the new ISO/IEC 27002.
The original version of ISO/IEC 27040 was synchronized with the National Institute of Standards and Technology Special Publication 800-88r1 (Media Sanitization) with regard to technology-specific media sanitization techniques. However, the new ISO standard now defers to the recently published Institute of Electrical and Electronics Engineers (IEEE) 2883-2022 for these techniques.
The new IEEE 2883 -- Standard for Sanitizing Storage -- published in September 2022. It provides requirements for eradicating data on specific storage devices and media. This standard provides a range of options for clear, purge and destruct methods. It encourages the use of eco-friendly sanitization. IEEE 2883 is anticipated to be the "go-to" standard for media sanitization.
Emerging storage security technologies
Trusted storage. Several organizations including Trusted Computing Group, DMTF, PCIe and the Open Compute Project are working on specifications that use roots of trust to verify the integrity of individual components and platforms. Initial implementations will likely focus on device attestations.
Computational storage. Both the Storage Networking Industry Association (SNIA) and NVM Express are working together on specifications for computational storage, which could increase the utility of SSDs by letting hosts and applications offload certain functions. There can be some interesting security issues and considerations, depending on the implementation, that need to be addressed. However, this functionality could also help an SSD defend itself.
New practices and implementation strategies
Expanded use of encryption. Both data-in-transit and data-at-rest encryption are likely to see changes. The migration to Transport Layer Security version 1.3 is underway and its use within storage should include data access and its historical help with securing storage management. NVM Express and the Trusted Computing Group are developing a new form of storage encryption under the heading of Key Per IO, which uses hardware encryption within an SSD, but the key management is completely controlled by a host, VM or container.
Cyber attack recovery. The scourge of ransomware has drawn attention to storage security and elevated the importance of data backups. Some organizations have adjusted their backup strategies to include cyber attack recovery platforms that may involve air-gapped, data vaulting and data immutability technologies.
Circularity. From a regulatory perspective, privacy and circularity are two examples where storage security may play a helpful role. In the case of circularity, reuse or disposal of storage media should only occur after all sensitive data is eliminated. Likewise, privacy necessitates the elimination of data on storage prior to loss of control. Failure to eliminate data can result in costly and embarrassing data breaches. However, performing media sanitization with appropriate documentation can eliminate the problems.
Zero trust architectures. The concept of zero trust is centered on explicit trust and defensive postures in an environment that is assumed to be compromised. A key element of zero trust architectures is the use of policy enforcement points and engines that make real-time decisions on all access and consumption of resources. The role of storage in such an architecture is being explored by both SNIA and IEEE as well as multiple U.S. government entities.
The security functionality within storage continues to expand to address evolving threats. In many implementations, storage can now be an active participant in the protection of data. As such, storage security should be included as an element of the system security architecture.
Several of these topics were discussed at the recent SNIA Storage Security Summit and the recorded sessions are available.
About the SNIA Data Protection and Privacy Committee (DPPC)
The SNIA DPPC is committed to further the awareness and adoption of data protection technologies, and to provide education, best practices and technology guidance on all matters related to the protection and privacy of data. This charter extends the focus of the DPPC into areas of data privacy, regulatory compliance and a more generic view of protecting data.
This mission, in collaboration with other relevant groups, such as the SNIA Security Technical Work Group, is to deliver a point of reference for end users looking to improve their management of primary data assets and reduce exposure to external threats.
If you are interested in supporting this committee, email [email protected].
Eric Hibbard is the chairperson of the SNIA Security Technical Work Group. Thomas Rivera is a member of the SNIA Data Protection and Privacy Committee.