Data Storage Dilemmas & Solutions
-
Upload
blancco -
Category
Technology
-
view
794 -
download
1
Transcript of Data Storage Dilemmas & Solutions
![Page 1: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/1.jpg)
DATA STORAGE DILEMMAS & SOLUTIONS
![Page 2: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/2.jpg)
2
MODERATOR
Marty Foltyn
SNIA Business Development Representative
Eric Hibbard
Chair, SNIA Security Technical Working Group and CTO, Privacy & Security, Hitachi Data Systems
Fredrik Forslund
Director, Cloud and Data Center Erasure Solutions, Blancco Technology Group
PRESENTERS
Meet the Panel
![Page 3: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/3.jpg)
We’ll Explore
Data Storage: Past & Present and current security challenges
Physical Drive Destruction: The Pros & Cons
Data Erasure: Assumptions vs. Realities
Making Sense of Cryptographic Erasure
Legal Requirements Imposed by ISO 27040, NIST 800-88 Rev-1 & More
3
![Page 4: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/4.jpg)
Punched Cards
Magnetic Tape
4
Data Storage: Past & Present
1940
1951
1956
1971
1985
1995
2000
2006
2013
Hard Drive
First computer sold for $750,000
Floppy Disks
CDRom
DVD
USBDrive
The Cloud
Removable & Rewritable
![Page 5: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/5.jpg)
*by sheer data volume
Peta Bytes
Tera Bytes
Giga Bytes
00s 000s 0000s
Data center & Cloud data
PCs & Office Servers
Smartphones Tablets, USB
sticks
# of dataper device
# of databearing devices
Security Riskper data storage device*
FIG.1 SECURITY RISK PER DEVICE CURVE
Data Security Challenges
5
![Page 6: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/6.jpg)
It falls to “…the provider to keep that data secure, and when it is deleted, the provider should ensure (or be able to prove) that it is permanently destroyed.”
Cloud Storage: Where Erasure Responsibility Lies
6
![Page 7: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/7.jpg)
7
Push SyncBack up all
files
Push SyncWork files
Smart SyncSelect files
Sync LocalStream the
rest
Sync a FewStream the
rest
Home PC Work Laptop
Netbook Tablet Mobile Device
ISO 27018: Protection of Privacy & Personal Data in Cloud
All of My Data
My Documents
My Photos My Music My Work Files Special Project
!! ! !
![Page 8: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/8.jpg)
When Do You Need to Consider Data Sanitization?
1. At Equipment End-of-Life
2. At defined Data End-of-Life “Regulatory compliance”
3. After Data Migration
4. By Customer Demand - “The right to be forgotten” “Data Exit Strategy”
8
![Page 9: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/9.jpg)
Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed
– ISO/IEC 27040:2015
A breach is the unauthorized acquisition, access, use, or disclosure of protected health information, which compromises the security or privacy of such information.
– U.S. HITECH (HIPAA) Act
A personal data breach “means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community”.
– EU ePrivacy Directive (EC Proposal)
What Is a Data Breach?
9
![Page 10: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/10.jpg)
Security threats Potential forms of data breachTheft of storage element or media Unlawful access, unlawful disclosure, unlawful
data loss, unlawful data destruction
Loss of storage element or media Unauthorized access, unauthorized disclosure, accidental data loss, accidental data destruction
Loss of data Unlawful, unauthorized, or accidental data destruction or corruption
Accidental configuration changes (e.g., storage management, storage/network resources, incorrect patch management, etc.) by authorized personnel
Accidental access, accidental disclosure, accidental data destruction, accidental data alteration
Malicious configuration changes (storage management, storage/network resources, application tampering, etc.) by external or internal adversaries
Unlawful access, unlawful disclosure, unlawful data destruction, unlawful data alteration
Privileged user abuses by authorized users (e.g., inappropriate data snooping) Unlawful/unauthorized access or disclosure
Malicious data tampering by external or internal adversaries Unlawful data destruction or alteration
Denial of service attacks Unauthorized data destruction, loss, or alteration
Malicious monitoring of network traffic Unlawful/unauthorized disclosure
ISO/IEC 27040 – Data Breaches
10
![Page 11: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/11.jpg)
76 Million People AffectedInformation Compromised: Names, addresses, phone numbers, email addresses
56 Million People AffectedInformation Compromised: Credit and debit card numbers
OCTOBER
SEPTEMBER
MAY
145 Million People AffectedInformation Compromised: Encrypted passwords, customer names, email addresses, mailing addresses, phone numbers, dates of birth
Data Breaches Are a Common Reality We Need to Fight!
11
![Page 12: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/12.jpg)
Proactive Approach
Unless you proactively sanitize data in your environment, external or internal attackers as well as malware can maliciously perform data recovery that lead to data leaks.
12
![Page 13: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/13.jpg)
Physical destruction
Software overwrite
Cryptographic erasure
Data Protection Methods
13
![Page 14: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/14.jpg)
Physical Drive Destruction: The Pros & Cons
14
![Page 15: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/15.jpg)
Data Erasure: Assumption vs. Realities
15
![Page 16: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/16.jpg)
Format or Delete Data Erasure
What Is Certified Data Erasure?
16
![Page 17: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/17.jpg)
Loose drive DISK Erasure
PC, SERVER and SAN Erasure
FILE ErasureLUN Erasure VIRTUAL Erasure
Total Erasure on physical level (HDD and SSD):
Erasure on File, Logical and Virtual Levels:
New volume platforms include smartphones, tablets and flash devices:
Data Erasure Today!
17
![Page 18: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/18.jpg)
University of California’s Department of Computer Science and Engineering uncovered a range of problems in secure SSD ‘sanitization’ of both whole drives and individual files
SSD Erasure Is Complicated, But Possible…
18
![Page 19: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/19.jpg)
Cryptographic erasure basically involves destroying the encryption key for the data and thus forcing an adversary to conduct an attack against the cryptologic implementation in order to gain access to the sanitized data.Cryptographic erase can be highly granular
Theoretically possible to cryptographically erase a single field in a databaseTypically targeted toward a single piece of media, but could be used for virtual storage (e.g., a LUN)
What Is Cryptographic Erasure?
19
![Page 20: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/20.jpg)
Encryption must be applied before any data is written to the drive High-pedigree encryption is requiredEffective key management is requiredProof of encryption is requiredVerification of the cryptographic erasure operation
Understanding Challenges of Cryptographic Erasure
20
![Page 21: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/21.jpg)
Typical media disposition involves physical destruction instead of sanitization (overwrites) resulting in:
Secure storage and destruction of storage mediaAdditional media cost because warranties cannot be exploitedRepurposing of storage is often limited
Both ISO/IEC 27040 and NIST SP 800-88r1 identify cryptographic erasure as an alternative form of sanitization
What One Financial Institution Has Done
21
![Page 22: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/22.jpg)
ISO, NIST, and Legislation
Multiple NYC-based financial institutions are working with auditors and regulators to
Get cryptographic erasure recognized as an accepted sanitization method for their sectorIdentify the associated key management requirements
22
![Page 23: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/23.jpg)
ISO 27001: Laying the Foundation
23
Should we be thinking about 27001?How bad is your pain?• We need to prove to many
of our clients that we are “secure”
• We need to prove that many of our service providers keep our data secure
• We need to prove we are compliant with a high number of standards
• We are struggling with regards to information security
![Page 24: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/24.jpg)
“Logical sanitization should be used to clear virtualized storage, especially when the actual storage devices and media cannot be determined.”
“Sanitization of media at end-of-use situations is recommended, even when using encryption methods.”
Organizations should maintain a record of sanitization activities Proof of sanitization takes on at least two forms: 1) an audit log trail and 2) a certificate of sanitization
ISO 27040: Erasing at Logical & Virtual Level
24
![Page 25: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/25.jpg)
More Legislation Paves Way for Tighter Security
25
![Page 26: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/26.jpg)
Compliance
Reporting
Erasure
Versatility
Automation
Implement the Right Process in Time!
26
The whole is greater than the sum of its parts”- Aristotle
‘‘
![Page 27: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/27.jpg)
ISO/IEC 27040:2015, Information technology – Security techniques – Storage security; Cost = CHF 198; http://www.iso.org/iso/catalogue_detail?csnumber=44404NIST Special Publication 800-88 Revision 1, Media Sanitization, http://dx.doi.org/10.6028/NIST.SP.800-88r1 SNIA Security Whitepapers:
SNIA Storage Security – SanitizationSNIA Storage Security – Encryption and Key Managementhttp://www.snia.org/securitytwg
Blancco Technology Group Materials:Cloud and Data Center Erasure: Why Delete Doesn’t Suffice
Related Resources
27
![Page 28: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/28.jpg)
Complimentary Registration at www.snia.org/dss-summit
28
![Page 29: Data Storage Dilemmas & Solutions](https://reader035.fdocuments.us/reader035/viewer/2022062902/58f011751a28aba50b8b457f/html5/thumbnails/29.jpg)
Thank You!Questions?
29