Standards help ensure compliance and can prepare organizations for audit activities in any discipline. Data storage security standards can provide helpful guidance for protection.
Data storage security is critical from a legal compliance perspective. Data that organizations may use for litigation must be both secure and easily accessible. This requirement also applies to business operations data.
Confidentiality, integrity and availability are vital to protect and secure data. Admins must address physical issues, such as the storage medium, the location of the storage device, access to the device, and the infrastructure that supports it. They must also consider nonphysical elements, such as data access controls, data backup and storage applications, authentication and data encryption. Addressing both sets of concerns helps provide a secure data storage environment.
Below, we examine key standards for data storage security. This is not an exhaustive list but will cover the six major standards and compliance regulations that affect data storage security today.
ISO/IEC 27040:2015, Information technology -- Security techniques -- Storage security
This international standard, created by the ISO, specifies the need for physical, technical and administrative controls to protect storage systems and their associated infrastructures, as well as the data stored within them. Controls defined by ISO/IEC 27040 can be preventive, detective, corrective, deterrent, recovery or compensatory in nature, as well as combinations of these attributes. The standard provides technical guidance on how to manage all aspects of data storage security, from initial planning and design to implementation, documentation and ongoing management, testing and review.
Risk mitigation for data storage is a key element of ISO/IEC 27040, which examines the risks of data breaches and data corruption. The standard also covers new technologies and connectivity issues. It complies with the requirements for an information security management system set out in ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements.
In addition to its strong risk focus, the standard aims to help organizations provide the best possible security for their data and serves as a basis for designing, reviewing and auditing storage security controls.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1, 2018, is a global information security standard that helps companies prevent fraud through the deployment of strong security and access controls for credit card data. Organizations that accept payment cards from the five major credit card brands -- Visa, MasterCard, American Express, Discover and the Japan Credit Bureau -- must comply with PCI DSS requirements.
Compliance with PCI DSS is mandatory for organizations that store, process or transmit payment and cardholder data. Requirement 6 of the standard specifically addresses the need for organizations to "develop and maintain secure systems and applications," such as data storage systems.
General Data Protection Regulation
Released in 2018, the General Data Protection Regulation (GDPR) specifies how personal data of EU citizens must be protected by the organization that possesses it, regardless of where the data is located. GDPR regulates how businesses collect, store, process and destroy data. Data storage security is an important component of GDPR, and compliance with the regulation has become a critical goal for IT departments worldwide.
Storage Networking Industry Association Transport Layer Security Specification
The Storage Networking Industry Association (SNIA) is a nonprofit global organization dedicated to developing standards and education programs to advance storage and information technology. The association has provided its views on the ISO data storage security standard, its role and how it describes good practice for data storage security.
SNIA's Transport Layer Security Specification (Version 2.0, 2021) provides requirements and guidance for the TLS protocol in conjunction with data storage technologies. The requirements are intended to facilitate secure interoperability of storage clients and servers, as well as nonstorage technologies that may have specific interoperability needs.
NIST SP 800-209 (2020) Security Guidelines for Storage Infrastructure
This National Institute of Standards and Technology (NIST) Special Publication (SP) technical standard provides an overview of the development and evolution of storage technology, examines current data storage security threats, and delivers a detailed set of security recommendations and guidance to address storage threats.
NIST SP 800-209 progresses beyond traditional IT infrastructure elements, such as physical and logical security, access control and authentication, change management, configuration management, incident response, and recovery. It examines storage infrastructure issues, including data protection, networks, encryption and storage device security.
HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides a broad range of auditable requirements for the protection of electronic protected health information. The HIPAA Security Rule has numerous parts that address data security issues.
For example, the HIPAA data backup plan requirement states, "Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." Further, the access control requirement for encryption and decryption states, "Implement a mechanism to encrypt and decrypt electronic protected health information."