Storage security

Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.

Introduction
According to the Storage Networking Industry Association (SNIA), storage security represents the convergence of the storage, networking, and security disciplines, technologies, and methodologies for the purpose of protecting and securing digital assets. Historically, the focus has been on both the vendor aspects of making storage product more secure and the consumer aspects associated with using storage products in secure ways.


 * The SNIA Dictionary defines storage security as:


 * Technical controls, which may include integrity, confidentiality and availability controls, that protect storage resources and data from unauthorized users and uses.


 * ISO/IEC 27040 provides the following more comprehensive definition for storage security:


 * application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them


 * Note 1 to entry:	Storage security is focused on protecting data (and its storage infrastructure) against unauthorized disclosure, modification or destruction while assuring its availability to authorized users.


 * Note 2 to entry:	These controls may be preventive, detective, corrective, deterrent, recovery or compensatory in nature.

Principles of Security Storage

 * Integrity: Stored data cannot be changed.
 * Confidentiality: Only authorized users will have access to the data locally or through network.
 * Availability: Manage and minimize the risk of inaccessibility due to deliberate destructions or accidents such as natural disaster, mechanical and power failures.

Relevant standards and specifications
Applying security to storage systems and ecosystems requires one to have a good working knowledge of an assortment of standards and specifications, including, but not limited to:


 * ISO Guide 73:2009, Risk management — Vocabulary
 * ISO 7498-2:1989, Information technology — Open Systems Interconnection — Basic Reference Model — Part 2: Security Architecture
 * ISO 16609:2004, Banking — Requirements for message authentication using symmetric techniques
 * ISO/PAS 22399:2007, Societal security — Guideline for incident preparedness and operational continuity management
 * ISO/IEC 10116:2006, Information technology — Security techniques — Modes of operation for an n-bit block cipher
 * ISO/TR 10255:2009, Document management applications — Optical disk storage technology, management and standards
 * ISO/TR 18492:2005, Long-term preservation of electronic document-based information
 * ISO 16175-1:2010, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 1: Overview and statement of principles
 * ISO 16175-2:2011, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 2: Guidelines and functional requirements for digital records management systems
 * ISO 16175-3:2010, Information and documentation — Principles and functional requirements for records in electronic office environments — Part 3: Guidelines and functional requirements for records in business systems
 * ISO/IEC 11770 (all parts), Information technology — Security techniques — Key management
 * ISO/IEC 17826:2012, Information technology — Cloud Data Management Interface (CDMI)
 * ISO/IEC 19790:2006, Information technology — Security techniques — Security requirements for cryptographic modules
 * ISO/IEC 24759:2008, Information technology — Security techniques — Test requirements for cryptographic modules
 * ISO/IEC 24775, Information technology — Storage management (to be published)
 * ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary
 * ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
 * ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
 * ISO/IEC 27003:2010, Information technology — Security techniques — Information security management systems implementation guidance
 * ISO/IEC 27005:2008, Information technology — Security techniques — Information security risk management
 * ISO/IEC 27031:2011, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
 * ISO/IEC 27033-1:2009, Information technology — Security techniques — Network security — Part 1: Overview and concepts
 * ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security
 * ISO/IEC 27033-3:2010, Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
 * ISO/IEC 27033-4:2014, Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
 * ISO/IEC 27037:2012, Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence
 * ISO/IEC/IEEE 24765-2010, Systems and software engineering — Vocabulary
 * IEEE 1619-2007, IEEE Standard for Wide-Block Encryption for Shared Storage Media
 * IEEE 1619.1-2007, IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices
 * IEEE 1619.2-2010, IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
 * IETF RFC 1813 NFS Version 3 Protocol Specification
 * IETF RFC 3195 Reliable Delivery for syslog
 * IETF RFC 3530 Network File System (NFS) version 4 Protocol
 * IETF RFC 3720 Internet Small Computer Systems Interface (iSCSI)
 * IETF RFC 3723 Securing Block Storage Protocols over IP
 * IETF RFC 3821 Fibre Channel Over TCP/IP (FCIP)
 * IETF RFC 4303 IP Encapsulating Security Payload (ESP)
 * IETF RFC 4595 Use of IKEv2 in the Fibre Channel Security Association Management Protocol
 * IETF RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2
 * IETF RFC 5424 The Syslog Protocol
 * IETF RFC 5425 TLS Transport Mapping for Syslog
 * IETF RFC 5426 Transmission of Syslog Messages over UDP
 * IETF RFC 5427 Textual Conventions for Syslog Management
 * IETF RFC 5661 Network File System (NFS) Version 4 Minor Version 1 Protocol
 * IETF RFC 5663 Parallel NFS (pNFS) Block/Volume Layout
 * IETF RFC 5848 Signed Syslog Messages
 * IETF RFC 6012 Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
 * IETF RFC 6071 IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap
 * IETF RFC 6587 Transmission of Syslog Messages over TCP
 * IETF RFC 7146, Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3
 * ANSI INCITS 400–2004, Information technology — SCSI Object-based Storage Device Commands (OSD)
 * ANSI INCITS 458–2011, Information technology — SCSI Object-Based Storage Device Commands – 2 (OSD-2)
 * ANSI INCITS 461–2010, Fibre Channel — Switch Fabric — 5 (FC-SW-5)
 * ANSI INCITS 462–2010, Information Technology — Fibre Channel - Backbone — 5 (FC-BB-5)
 * ANSI INCITS 463–2010, Fibre Channel — Generic Services — 6 (FC-GS-6)
 * ANSI INCITS 470–2011, Fibre Channel — Framing and Signaling-3 (FC-FS-3)
 * ANSI INCITS 482–2012, Information Technology — ATA/ATAPI Command Set — 2 (ACS-2)
 * ANSI INCITS 496–2012, Information Technology — Fibre Channel — Security Protocols — 2 (FC-SP-2)
 * ANSI INCITS 512–2013, Information Technology — SCSI Block Commands — 3 (SBC-3)
 * NIST FIPS 140–2, Security Requirements for Cryptographic Modules
 * NIST FIPS 197, Advanced Encryption Standard
 * NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
 * NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
 * NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
 * NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices
 * NIST Special Publication 800-57 Part 1, Recommendation for Key Management: Part 1: General (Revision 3)
 * NIST Special Publication 800-57 Part 2, Recommendation for Key Management: Part 2: Best Practices for Key Management Organization
 * NIST Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
 * NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
 * Storage Networking Industry Association (SNIA), Storage Management Initiative – Specification (SMI-S), Version 1.5, Architecture Book, http://www.snia.org/tech_activities/standards/curr_standards/smi
 * Storage Networking Industry Association (SNIA), SNIA Technical Position: TLS Specification for Storage Systems v1.0, http://www.snia.org/tls
 * Trusted Computing Group, Storage Architecture Core Specification, Version 2.0, November 2011
 * Trusted Computing Group, Storage Security Subsystem Class: Enterprise, Version 1.0, January 2011
 * Trusted Computing Group, Storage Security Subsystem Class: Opal, Version 2.0, February 2012
 * OASIS, Key Management Interoperability Protocol Specification (Version 1.2 or later)
 * OASIS, Key Management Interoperability Protocol Profiles (Version 1.2 or later)
 * Recommendation ITU-T X.1601 (2013), Security framework for cloud computing
 * Recommendation ITU-T Y.3500 | ISO/IEC 17788:2014, Information technology — Cloud computing — Overview and vocabulary